Export Compliance Daily is a service of Warren Communications News.
Automated-Decisions Rules Trending

Companies Advised to 'Read the Tea Leaves' From Privacy Bills

While not every state privacy bill becomes law, it’s important to look for trends in what’s being proposed across the U.S., privacy lawyers said during the Risk Digital virtual conference Thursday. They also said to keep an eye on class actions and watch for privacy rules that might be tucked into other kinds of laws.

Drafts of possible privacy laws become available much earlier in the U.S. than they do in the EU, though companies should know that many bills from U.S. states never make it out of a legislative committee, Littler privacy attorney Michael Whitbread said. “Just be alive to the fact that you can … track trends.”

Fox Rothschild privacy attorney Odia Kagan also emphasized the importance of seeking regulatory trends in proposed legislation. “That doesn't mean that for every bill that … passes some committee you need to rechange your system, but it is important [to] read the tea leaves and figure out direction.”

For example, said Kagan, California has made it clear that it cares about automated decisions because this year two bodies -- the California Privacy Protection Agency (see 2507240070) and the state’s Civil Rights Council (see 2506300056) -- approved regulations on the subject, while the legislature just passed a bill about it (see 2509150026).

Compared to the EU’s more “overarching” approach, privacy regulation in the U.S. tends to be “issue driven” and focused on “particular issues of concern,” said Whitbread, who previously worked in Europe.

Also, he noted that in the U.S., the plaintiff bar can launch “better-resourced class actions” that “potentially can adopt quite creative, experimental interpretations that perhaps [a state] AG is not willing to.”

“A whole lot of [U.S.] privacy law” is hidden in other statutes that aren’t explicitly called privacy laws, said Whitbread. “You need to be on your toes. You need to be open to discovering laws where, perhaps, you might not expect.”

For example, the New York Shield Act is a privacy measure that’s located in the state’s general business law, he said. California’s Fair Employment Housing Act “now focuses on automated decision systems” used for employment decisions. Another law to watch “is the Illinois Human Rights Act, because it requires transparency around the use of automated decisions … making employment decisions.”

Kagan advised companies to “know [their] data.” She added, “If you don't know what data you have, you can't really quantify risk” and “which of the U.S. state laws you're subject to.” Moreover, without knowing one’s data, it’s hard to have the right privacy notice or fulfill people’s right to delete or opt out, she said.

Enforcers are focusing on the sale and sharing of data, as well as whether organizations are effectuating consumer privacy rights and providing transparency in their privacy notices, Kagan added.

“Regulators are looking at whether or not you're updating your notice,” she said. For example, “California has said that it is not only looking at how the notice is drafted, but also does it match reality. Is what you're saying what you're actually doing?”