13/Jan/2023

The American Privacy Law Landscape is a Minefield for US Employers

All 50 of the states comprising the U.S.A. have their own constitutions, their own executives, legislatures and court systems.  All 50 have extensive bodies of statutory, regulatory, and common law.  All 50 have their own attorneys general and police forces.  And all 50 jealously guard their rights and their powers, even to the point at times of defying federal law.

The best modern example may be the federal Controlled Substances Act, which expressly lists marijuana (cannabis) as an illegal drug.  Nonetheless, more than three dozen states have legalized medical marijuana, while about 20 of those have also legitimized the recreational use of cannabis.  Although periodically grumbling, the U.S. Department of Justice essentially has ceased enforcement activity with regard to “pot” and de facto has ceded jurisdiction to those states where it is legal.


Perhaps on no other major topic is the debate, regarding the respective powers and prerogatives of the central government versus those of the 50 states, currently more intense than on the subject of privacy.  An unhealed wound in this controversy was Roe v. Wade (410 U.S. 113), the 1973 U.S. Supreme Court decision which divested the states of their traditional prerogative to regulate, indeed to outlaw, abortions in early pregnancies.  Briefly, the decision declared that a woman’s right to abort her unwanted fetus trumped the states’ interest in the matter during the first trimester of the pregnancy.  (In June 2022, the Court, now staffed with six conservative Justices, abrogated the Court’s half-century precedent.) 


All this is by way of illustrating the significance of privacy in the pantheon of values which tend to breed controversy, generate friction, and sow division in the U.S.  Add to this that the word “privacy” appears nowhere in the United States Constitution, and it should be no surprise that the states have taken it upon themselves to legislate privacy-law regimes, rather than pressing that responsibility upon the central government.  In fact, the right of privacy in the United States is primarily the child of common – that is, judge-made – law, rather than statute, almost all of it at the level of the individual states.  Statutory codification, by and large, came late to the party.


Don’t imagine that the U.S. Congress doesn’t recognize the need for a national privacy regime.  Most Senators and Representatives do, and several have sponsored bills.  The problem is that --- as with so much in Washington these days --- there’s a sharp split.  In this instance, some legislators want a robust privacy regime, modeled after the European GDPR and California’s rigorous privacy laws.  But others want a business-friendly, relatively lax privacy law that actually would preempt such rigorous statutes as those in place in the Golden State.  Thus, we continue to see nothing but stalemate at the federal level, albeit in some areas --- e.g., HIPAA in the healthcare industry --- there are robust and rigorously enforced statutes and regulations at the federal level.


State-level privacy laws are a confusing mosaic

In the age of the Internet and digital data that is accessible ubiquitously from “the Cloud,” individuals and advocacy groups are increasingly pressuring the federal and state governments to address their data-privacy problems.  The federal government being generally slow to move, especially on topics such as privacy, frustration is inevitable.  Conversely, privacy advocates are having more success at the state level.  All 50 U.S. states have now enacted some form of legislation that imposes breach notification obligations, including corresponding penalties and fines, on organizations that experience data breaches, especially when the breached data includes personally identifiable information (“PII”) and/or personal health information (“PHI”).  However, only a few states have passed comprehensive data privacy laws, such as the California Consumer Privacy Act.  


These comprehensive state schemes, while unique in some ways, share a common cluster of definitions and concepts:


Personally Identifiable Information (PII) 

Two of the newest pieces of state data-privacy legislation, the California Consumer Privacy Act and the Washington Privacy Act, take two equally broad but distinct views on the definition of PII.  California’s definition covers not only typical personal information, but also other potential links to individuals and/or households.  The CCPA’s inclusion of “households” broadens the scope of the data covered in that the data need not be related to a person, but alternatively could be related to a household, including the devices therein and the data that the household produces.  By way of contrast, the Washington statute speaks to identified or identifiable natural persons, closely mirroring the language of the European Union’s GDPR.


Covered Entities

Similar to the definitions of PII, some are broad in scope, using “person(s)” or “individual(s)” to capture a wide range of entities that may possess data. Other states limit the scope of jurisdiction to “business(es),” which own or license personal information. Revenue thresholds and data-collection-quantity requirements also come into play with some state statutes, adding an additional layer to qualification as a covered entity. Some state statutes with broad PII definitions have narrower covered-entity provisions, adding to the unpredictability for consumers and companies alike.


Notification Requirements

Other discrepancies among state statutes lie in breach notification timelines. Can consumers count on a notification of a data breach within thirty, forty-five, or sixty days of the time when the covered entity becomes aware of it? Or must consumers simply wait for an entity to notify them according to an open-ended, subjective timeframe? The answer, of course, depends on the state. In Illinois and New York, breach notifications must be within the “most expedient time possible,” while Colorado’s privacy law sets a hard timeline of no later than 30 days after a breach has been discovered. With no federal maximum number of days, in states without hard timelines such as Illinois and New York, covered entities are left with a more flexible standard which they can bend without increasing their exposure to liability.


Enforcement 

The provisions of state statutes governing enforcement and penalties for violations are likewise important to highlight for comparison. While most state statutes authorize the attorneys general to act to enforce and penalize entities after a breach, some statutes expand consumer rights by providing private rights of action. The Illinois Personal Information Protection Act, for instance, ensures an avenue for a private right of action by expressly stating that a violation of this act constitutes a violation of the Consumer Fraud and Deceptive Business Practices regulations. California’s legislation allows for a limited private right of action, while the New York SHIELD Act expressly prohibits a private right of action. Limiting penalties to actions through the attorney general may impede consumers from meaningful recovery if there is unauthorized access to their data. 

Federal Regulations: FTC tries to fill the federal void

When the legislative branch is unwilling to act to address a particular issue, the executive branch of the federal government will often step in and attempt, within the confines of its authority, to effect some of the desired changes.  This can be seen in the privacy context through the actions of the Federal Trade Commission (“FTC”).

The FTC is the primary federal enforcement agency for data-privacy-related practices. Section 5 of the Federal Trade Commission Act empowers the FTC to regulate and prohibit “unfair or deceptive acts or practices in commerce.” The FTC uses this provision to take action against companies which do not properly safeguard the personal information of consumers. Additionally, the FTC enforces the Fair Credit Reporting Act.  Employers often get caught in the agency’s enforcement net when they misuse applicant and employee background checks that qualify as credit reports under FCRA.

In 2023, employers can expect the FTC to be more active than ever on employee privacy.  On January 6th, the agency came out swinging with a batch of proposed regulations aimed at ending non-competition agreements nationwide.  This is a top Biden Administration regulatory priority.  Beefing up employees’ privacy rights cannot be far behind on the FTC’s agenda for the new year.  With at least two more years of Democrat occupancy of the White House, there’s plenty of time and high incentive for an activist FTC to fashion a national employee-privacy regime that trumps the state-by-state crazy quilt.


Like what you just read?  Then you won’t want to miss the Assent Global/Portum Group four-hour bootcamp on:

  • Data Privacy
  • Compliance
  • Cybersecurity
  • Enterprise Risk Management

When:  Friday, March 10  1:00-5:00 PM EST

Kindly use the link below to register:

https://assentglobal.us/webinar/1929/The-Four-Pillars-of-Organizational-Resilience--Data-Privacy,-Compliance,--Cybersecurity,-and-Enterprise-Risk-Management