US privacy update: what UK and EU businesses need to know
08 March 2021
In February 2021, Lewis Silkin welcomed back “very accomplished and expert” (Legal 500 2020) Gary Kibel of US firm Davis & Gilbert LLP to talk through major changes in the US privacy landscape in the past 12 months, how those changes affect UK and EU businesses, and how the changes compare to the General Data Protection Regulation (GDPR).
It’s been a dramatic recent period for privacy regulation in the US.
Act 1 saw the first comprehensive privacy law in the nation, the California Consumer Privacy Act (CCPA), hurriedly enacted in 2018 to stop Alastair Mactaggart’s original proposal appearing as a California ballot initiative.
In Act 2, the drama continued for those ‘doing business’ in California. Whilst businesses were still scrambling to understand and comply with the rushed CCPA, enforcement began on 1 July 2020, only a month after the essential interpretive regulations were filed by California’s attorney general.
And for Act 3 (the term ‘finale’ is inappropriate as more acts are likely to follow), in November 2020 California voters approved the California Privacy Rights Act (CPRA) ballot measure (Proposition 24). When it comes into effect on 1 January 2023 (with look-back provisions that cover personal information collected on or after 1 January 2022), the CPRA will amend and build on the CCPA by (among other things):
- creating a new dedicated California Privacy Protection Agency (CPPA);
- imposing additional ‘GDPR-style’ data collection and handling requirements on businesses; and
- arming consumers with an expanded set of rights somewhat akin to data subject rights under the GDPR.
A more in-depth look at the CPRA
Below we have looked in a little more depth at some of the changes the CPRA will bring.
Bigger carve-outs for smaller businesses
More businesses will fall outside the CCPA and CPRA, as the applicability threshold based on the number of consumers or households whose personal information a business buys, sells or shares will increase from 50,000 to 100,000. Unlike under the CCPA, “devices” no longer count towards that threshold. (The other two thresholds, annual gross revenue above US$25 million and deriving 50% or more of annual revenue from selling, or under the CPRA selling or sharing, personal information, remain.)
The California Privacy Protection Agency
The CPPA will be the first US agency dedicated exclusively to privacy. Currently, enforcement of the CCPA is undertaken by the already busy California attorney general. The CPPA will be tasked with implementing and enforcing the CCPA and CPRA, as well as raising awareness of the new laws and providing guidance to those with obligations under them.
“GDPR-style” rights and obligations
Several aspects of the CPRA bring it closer to the GDPR than the CCPA currently is:
- A new category of personal information, “sensitive personal information”, is introduced, and consumers gain a new right to require businesses to limit its use. Sensitive personal information is somewhat broader than “special category data” under the GDPR: as well as categories familiar from the GDPR (health data, racial or ethnic origin, sexual orientation or sex life, etc.), it extends to government-issued identifiers, account login credentials and precise geolocation.
- A new right to correction will give consumers the right to have inaccurate personal information rectified.
- A data minimisation principle requires businesses not to collect more personal information than is reasonably necessary and proportionate to the purposes for which it was collected. Retention is also limited to what is reasonably necessary for each disclosed purpose.
- Additional contractual requirements: businesses must bind service providers, contractors and other recipients of personal information to the same standards of protection as the CPRA imposes (similar to the requirements for engaging processors under the GDPR).
What should UK and EU companies be doing for CCPA and CPRA compliance?
The CCPA and CPRA apply to any business that is ‘doing business’ in California and meets one of the three applicability thresholds, regardless of where it is headquartered. UK and EU businesses are most likely to be caught where they transact with California residents, employ people in California, hold assets in California or have other connections to the state, such as sharing common branding with a California business that meets one of the thresholds.
Whilst any business meeting the above criteria will be affected by the CCPA and CPRA, our view is that, generally, the stronger a business’s connection to California, the greater its exposure to enforcement action under those laws and the more important it is to take some level of compliance action. It is also worth noting that if you have a US presence, or do business in other US states, the risk of enforcement rises, because the ‘full faith and credit’ clause of the US Constitution makes it much easier to enforce a judgment obtained under one state’s laws (here the CCPA and CPRA) in another state.
Privacy compliance always begins with auditing and understanding your data flows and processing operations. However, as with GDPR compliance, there are many smaller and more cost-effective changes that go a long way. For example, a UK or EU business whose website serves California consumers and which includes a ‘Do Not Sell My Personal Information’ link (which the CPRA renames ‘Do Not Sell or Share My Personal Information’ and supplements with a ‘Limit the Use of My Sensitive Personal Information’ link) is less likely to end up on the radar of regulators, or of consumers deliberately seeking out non-compliance.
Are there any other US state privacy laws in the works?
Several US states appear to be moving away from legislation based on the traditional model of simply giving consumers ‘notice’ and ‘choice’ about privacy matters, and towards more powerful regimes that require genuine transparency and actually give consumers access to their data. This trend shows that legislators are keen for consumers to regain control of their personal information, and is strikingly similar to the basis of the GDPR, which is to put control of personal data back into the hands of the data subject (see GDPR Recital 7).
Whilst Washington State and New York State are each at different stages of attempting to pass major new privacy laws, Virginia has taken the prize as the second US state to enact a comprehensive privacy law, the Virginia Consumer Data Protection Act. It borrows concepts from the CCPA but also imposes significant internal data security requirements, and will take effect from 1 January 2023.
What about a US federal privacy law?
Whilst there have been repeated calls and many proposals for a comprehensive federal privacy law in the US, so far no proposal has made it out of the committee stage of the legislative process. It is often asked whether the recent change of administration will give new impetus and focus to such a law. This is an interesting question, but two key issues remain unresolved (and, so far, largely undebated).
First, whether any such law would give individuals a private right of action, or whether enforcement would be reserved to regulators. A private right of action is often cited as a positive development and one that would lead to real enforcement (and redress for wrongs). The other side of the coin is that such a right may be exploited by class action lawyers.
The second, and perhaps thornier, issue is whether a federal law would pre-empt existing state laws. Pre-emption would be simpler and would create a clearer legislative landscape. However, Congress has a strong Californian contingent that has made it clear it will only welcome a federal privacy law that does not pre-empt the CCPA and CPRA.
It seems that we are some way off seeing a US federal privacy law, but it is certainly something to keep an eye on in the next year or so.
The future of Privacy Shield
The EU-U.S. Privacy Shield Framework was invalidated by the Court of Justice of the European Union in its July 2020 Schrems II decision (Case C-311/18).
Despite the invalidation, we are aware that US businesses have, for the most part, continued to renew their Privacy Shield certifications; the US Department of Commerce has continued to administer the programme and treats participants’ commitments as binding. Renewal is likely:
- to demonstrate to their partner UK and EU businesses, and to UK and EU data subjects themselves, that they have good data practices and can continue to be trusted with UK/EU personal data; and/or
- in the hopes of the Privacy Shield (or a variant thereof) being revived in the near future.
With the confirmation of a new US Secretary of Commerce, the prospects of successfully negotiating a replacement for the Privacy Shield framework look increasingly promising.
As ever, it is important for UK and EU businesses to keep monitoring US developments to ensure they are prepared for upcoming changes and new legislation, and can put relevant and proportionate compliance measures in place.