Earlier this year, after Facebook was sued in a securities class action following news that it had given access to personal user information to Cambridge Analytica, I questioned whether privacy issues might represent the next big corporate liability exposure. Among other things, in making this suggestion, I was taking into consideration that fact that the EU’s General Data Protection Regulation (GDPR) was about to go into effect. More recent developments confirm my view that privacy issues likely will represent an area of specific and growing concern and potential liability for companies, their management, and their boards.
Of greatest significance among recent events is the passage of the California Consumer Privacy Act of 2018, the first comprehensive privacy regime in the U.S., which California Governor Jerry Brown signed into law on June 28, 2018. As discussed below, the Act imposes on businesses significant privacy obligations, creates a number of privacy rights, and provides for enforcement both through private right of action and regulatory enforcement. The Act’s passage arguably represents a significant step toward making privacy issues a prominent part of the liability landscape in the months and years ahead.
The Act’s content is in part a reflection of the process that led to its enactment. Privacy advocates in California had recently completed all of the requirements in order to place a privacy initiative on the California ballot this November. This development led to what the Morrison & Foerster law firm described in its June 29, 2018 memo about the Act as “backroom wrangling between legislators, industry, and the primary sponsor” of the ballot initiative. The Act, which was introduced just a week before its passage, is now law, and the initiative has been withdrawn.
The legislation as enacted contains a number of features reflecting the speed with which it was introduced and passed; the Morrison & Foerster memo notes that the Act contains “drafting errors and ambiguities that are by-products of the speed with which the legislation made its way to the governor’s desk.” The Act is effective on January 1, 2020 and required the Attorney General to adopt implementing regulations before that date on a number of issues.
The Act is sweeping and complex, and summarizing it briefly here runs the risk of over-simplifying the Act’s provisions. Readers are encouraged to review the Act itself, in detail and in full. For descriptive purposes, a brief summary of the Act follows.
The Act protects “personal information” of California residents. It applies to any entity doing business in California, subject to certain revenue and data collection thresholds. The Act defines “personal information” broadly as any information that is “capable of being associated … with a particular consumer or household.”
The Act creates four “core” individual privacy rights, including: the right to request that a business delete any personal information that it has collected about the consumer; the right of a consumer to request that the disclosure of the categories of personal information that the business collected, including among other things the categories of third parties to whom the business sold the information; the right of consumers to “opt out” of the sale of personal information, with the added requirement that consumers under the age of 16 (or for consumers under the age of 13, their parent or guardian) must affirmatively consent; the right to be free from discrimination (such as through charging different prices) for consumers exercising their rights under the Act. There are a number of enumerated exceptions, such as, for example, where the Act’s requirements would conflict with existing privileges or legal requirements.
In a June 29, 2018 memo about the Act (here), the McGlinchey Stafford law firm describes the Act’s requirements as “very similar to the GDPR,” although the Act by contrast to the GDPR generally adopts an opt-out regime with respect to collecting and handling consumers’ personal information. The Act requires business to make disclosures about personal information collected and the purposes for which the information is collected; gives consumers the right to request that a business disclose the categories and specific pieces of personal information the business collects; the right for consumers to request the deletion of personal information; the right to opt out of the sale of personal information; authorizes businesses to offer financial incentives for collection of personal information.
The Act provides for enforcement both through private rights of actions for consumers and through administrative enforcement by the state’s Attorney General. Under the Act, consumers may sue if their unencrypted information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’ violation of the duty to implement and maintain reasonable security procedures. (The Morrison & Foester memo notes that these consumer action rights are subject to procedural prerequisites that, as described in the Act, are unclear.) The Act also provides the California Attorney General exclusive jurisdiction to sue for civil penalties.
The upshot of this hastily enacted legislation is that California now has a privacy regime that is, as the Morrison & Foerster memo puts it, “complex – and messy.” The process of putting into place the implementing regulations will be an important part of putting structure and perhaps clarifications around the Act’s provisions. While the Act will not go into effect for 18 months, the business processes that the Act will require may prove to be both burdensome and difficult to implement. Many businesses will have to begin now to put compliance processes in place. As the Morrison & Foerster memo notes, “compliance with the Act will far outweigh what many U.S. consumers will have previously experienced.”
The Act’s enactment is just the latest development highlighting the growing importance of privacy issues in the U.S. legal environment. In making this statement, it is important to recognize that these privacy issues, while related to data breach and data security concerns, are also distinct. By way of illustration, the Facebook debacle with Cambridge Analytica did not involve a data breach; rather, the user data was transferred as part of a business arrangement between the two firms. The issues surrounding privacy have to do with the way businesses collect and use consumer data, not just whether or not the businesses keep the data secure.
California’s enactment of the Act significantly elevates these issues. I suspect strongly that California will not be the only state to enact this kind of legislation, and there is always the possibility of federal legislation as well. In the current environment, legislators may feel pressure to appear proactive in this area, which could mean additional burdens and responsibilities for companies.
The legislative requirements not only create burdens and responsibilities; they also create potential liability exposures. As the McGlinchey Stafford law firm notes in its memo about the Act, “the efforts to increase consumer protections will lead to increased litigation.” If other states jump on the bandwagon, this dynamic will only be increased.
In noting this potential litigation risk here, I am not concerned just with consumer litigation or related enforcement procedures alone; given this blog’s purposes and focus, I am more concerned here with litigation directed against company management and company boards for the alleged failure to bring companies into compliance with this privacy requirements or for failing to protect the company from liability for privacy issues. Here I am thinking of litigation along the lines of the securities class action lawsuit recently filed against Facebook as a result of the Cambridge Analytica privacy revelations; yes, there were consumer lawsuits involved in the Cambridge Analytica situation, but there was also the management liability lawsuit. My point is that in the months and years ahead, companies will not only increasingly have to be concerned with privacy law compliance, but also with the possibility of management liability litigation arising out of alleged violations of privacy requirements.
In making these conjectures about future liability, I am relying more than just the dynamic that led to the enactment of the GDPR and the new California Act; I am also thinking about larger dynamics in the legal arena that underscore the increasing importance of privacy issues. The best recent example of these larger dynamics is the U.S. Supreme Court’s June 23, 2018 decision in Carpenter v. United States. In that case, a 5-4 majority ruled that a consumer’s cell phone location data, collected and held by third-party cell phone service providers, is protected against unreasonable searches and seizures by the Fourth Amendment to the U.S. Constitution. The government’s access to this data without first obtaining a search warrant “invaded Carpenter’s reasonable expectation of privacy in the whole of his physical movements.” Amy Davidson Sorkin’s interesting June 22, 2018 essay in The New Yorker about the Carpenter case can be found here.
The Court’s consideration of Carpenter’s reasonable expectation of privacy is, for me, representative of the absolute crux of an active debate that will be playing out in courts and legislatures for some time to come. Rapid technological changes and the increasing ability of businesses to track, gather, and collect personal information mean entirely new areas of privacy concern. The vast number of issues and questions that will have to be sorted out mean not just that there will be significant areas of dispute; it also means that increasingly mobilized users will seek to hold businesses accountable for perceived violations of privacy concerns. This accountability will include not only consumer actions but also management liability actions, as investors and others seek to hold company officials accountable for harm the company encounters for failure to adequately respect and protect consumer privacy.