In Tightening Your Belt, Don’t Loosen Your Privacy Controls
"Privacy, Unmasked" is a multi-part series that explores the impact of COVID-19 on individual privacy rights and privacy and security regulation and enforcement. New blogs will be posted in this space on Tuesdays.
As shelter-in-place orders take their toll on the economy, many organizations will no doubt face pressure to reduce operating costs, including legal spending. With CCPA compliance programs now hopefully "complete," and no federal privacy legislation on the horizon, it is tempting to think that resources can be cut in the privacy space.
But news coverage of COVID-19—and Big Tech's reaction to the virus—shows that the privacy landscape has changed dramatically in recent years, such that risk associated with collecting information about customers, potential customers, and employees is ever present. If anything, the pandemic shows why your organization needs a privacy program more than ever.
Here's why:
There Is Renewed Media Attention on Collection of Information Deemed Sensitive, Like Location Data and Health Information
The potential use of individuals' data for public health purposes such as contact tracing has ignited debate over government access to data collected by Big Tech, individuals' control over their own data, and transparency about how that data is used. Media attention will, in turn, put pressure on lawmakers to legislate and give fodder to class-action attorneys.
New Products and Services Will Create New Collections and Uses of Consumer Data
Working from home en masse and shelter-in-place orders are changing the types of goods and services we need and the way we purchase them. As demand changes, so will supply as organizations innovate their offerings—but with new goods and services come new ways to collect and use personal information.
Each of these new collections and uses must align with the organization's privacy policy as well as applicable law. Uses that consumers find offensive, and a lack of transparency about them, create reputational risk, not just legal risk.
CCPA Is an Ongoing Obligation, Not a One-Time Update to Your Privacy Policy
Organizations must comply with CCPA on a daily basis, including responding to consumer rights promptly, and enforcement is now only 10 weeks away. California Attorney General Xavier Becerra recently reminded residents of the state to be vigilant about protecting their privacy during the current crisis, including by submitting CCPA access and deletion requests.
Regulations are still looming, and the draft regulations include several requirements that were likely not covered by initial compliance efforts (for example, a separate notice at the point of collection, and honoring global opt-out signals sent by the consumer's browser). Further, CCPA requires annual reviews of privacy policies, which should be more than a rubber stamp and should be well documented.
Litigation Risk Is Growing
The implementation of the CCPA means that unauthorized access to information may require disclosure under state law and could lead to a class action lawsuit. And though the CCPA's private right of action only covers data breaches, the statutory damages incentive is likely to lead class action lawyers to argue that any disclosure of data that surprises the consumer is "unauthorized" and therefore a data breach.
Claims that violations of CCPA rights also violate California's unfair and deceptive trade practices act are likely to be asserted as well. Add to this the private right of action in Illinois' Biometric Information Privacy Act, which has produced a Ninth Circuit decision holding that a bare statutory violation can constitute injury-in-fact for purposes of standing. Many of these emerging lawsuits rest on theories that may not survive a motion to dismiss, but defending against them can still impose high legal costs on an organization.
Against this backdrop and inevitable budget pressures, there are practical, low-cost solutions that organizations can consider to mitigate possible exposure:
- 1. Conduct an Enterprise Risk Assessment - NIST recently released its Privacy Framework, which provides a model for organizations to assess their maturity and identify privacy program priorities. This framework complements NIST's existing Cybersecurity Framework, which also emphasizes the importance of self-assessments.
- 2. Form a Data Governance Council - Efficient, robust data management requires cross-collaboration between the business units that derive value from personal information, IT personnel who provide the infrastructure where data is managed, and legal counsel who can identify risks associated with data management. A formal structure that brings these stakeholders together can provide legal counsel with much-needed insight as to how data is being used on the front lines and create opportunities for alignment of data management priorities.
- 3. Set Yourself Up for Success With Limited Pilots - Creating data inventories and assessing the risk associated with particular information assets is invaluable to ensuring compliance, and it can shrink your compliance burden outright when it identifies data the organization does not actually need and can stop collecting. But data mapping exercises can easily fail when business units respond incompletely and legal counsel lacks the resources to chase down the missing information.
The antidote to these issues is to start small. Focus on a discrete business unit, for example marketing or website operations, and get buy-in from a senior leader in the group who will impress upon others the importance of participating. Work with someone in the group to design a survey that makes sense to a non-lawyer, and complement the survey with interviews and follow-up emails. Use the experience gained from the pilot to shape the process for later stages of the project.
Final Thought
The bottom line is that the EU General Data Protection Regulation and the CCPA have ushered in a new era of privacy rights. The post-COVID-19 world will certainly look different, but if anything it will bring more privacy regulation, not less.
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.
DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.