The turn of the calendar to 2022 presumably offers a chance for privacy professionals to re-focus their work. That's easier said than done in the privacy space, which continues to spawn unique challenges on top of ongoing long-term concerns.
Loeb & Loeb Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, is as dialed in as anyone across the privacy spectrum. Lee's background includes advising clients on leveraging data in connection with advertising technology, voice technology, location-based tracking, smart devices and wearables. She also takes on matters related to artificial intelligence and facial recognition.
In this Member Spotlight, Lee discusses her take on some of the most pressing issues facing the privacy space as 2022 gets under way, including state and federal privacy regulation, and international data flows.
The Privacy Advisor: State privacy law debates are back in focus with state legislatures reopening for 2022 sessions. What’s your take on the concept of this growing patchwork? Is it really a patchwork or is there enough alignment around provisions to have a sort of de facto national standard?
Lee: There is certainly some alignment around a core set of principles. Most of the laws have a baseline of consumer rights (access, deletion, correction) and obligations on businesses regarding transparency, data governance and vendor management. However, there are a few areas where the differences may have a material impact on businesses and where it becomes harder to escape the patchwork.
First, there are varying standards for sensitive information — we see opt-in requirements in some states, opt-out in others, and the definitions vary. Second, the treatment of "sell, share" and opt-outs of profiling and targeted advertising vary. In some cases the requirement is an opt-out of sharing with a third party when that sharing is deemed a "sale" or "share" and in some cases the opt-out is from the targeted advertising itself, regardless of whether the data is being shared in the process. Again, for activities that are core to certain business models, these nuances matter and companies may be cautious about taking a national approach. Third, many of the bills attempt to address automated decision-making in very different ways. In Indiana, there is a bill that would impose obligations specifically on "social media providers," while other bills take a GDPR-like approach and focus on ADM that has significant or legal effects.
Beyond these three areas, we also have states like New York that are proposing a fiduciary duty on companies and states like Colorado, Washington and California that are requiring companies to honor browser-based opt-outs. There is a lot of variation in the details that makes it hard to land on a de facto standard yet. We may have a de facto baseline, but in the areas that are core to many businesses, the patchwork problem remains.
The Privacy Advisor: What do you make of the separate arguments being made for privacy law at the state versus the federal level? States seem focused on consumer protections while U.S. Congress has its eye toward standing up international data flows and crippling Big Tech. Is this a bigger problem/divide than we think?
Lee: I think there is a good amount of overlap between the arguments. The language may be different, but the target still seems to be reining in the impact of Big Tech. States may talk about these issues in terms of consumer protection, but between the federal hearings and the recently announced attorneys general actions, it is clear that Big Tech is a focus at every level of government. A comprehensive federal privacy bill could in theory address the consumer protection concerns and the international data flow challenges in one bill. Big Tech is another issue. I think the singular focus on Big Tech has clouded our ability to create a sustainable framework through which privacy issues can be regulated. Regulators have wildly varying motivations driving their ire against Big Tech, which is code for a set of problems that involve but aren’t limited to privacy. If legislation is driven by a desire to cripple Big Tech, I do think that it risks missing the mark in the other areas of concern.
The Privacy Advisor: On an international level, what’s your take on a Privacy Shield solution? Seems the EU is waiting on the U.S. to budge on surveillance laws. Is it as easy as that or do both sides need to make concessions?
Lee: U.S. surveillance laws and the lack of a comprehensive privacy framework in the U.S. remain the key issues here. This was the core of the "Schrems II" decision. I am concerned about the feedback we have heard that the EU is looking for legislative changes in the U.S. I don’t have high hopes for comprehensive federal privacy legislation this year. Without it, the Biden administration may look to executive orders or a more narrowly tailored bill that gives EU citizens more certainty about challenging U.S. access in courts. I see this piece as the biggest hurdle and one without a clear path forward — at least not one that has been made publicly available.
The Privacy Advisor: There have been calls to tighten Illinois’ Biometric Information Privacy Act and others for other states to adopt the current model of the law. Where do you fall on the effectiveness of BIPA?
Lee: BIPA has some good elements, but I agree with the calls to revise some elements. The good parts of BIPA come from its emphasis on transparency and data governance. I think it has raised awareness among consumers about how and when biometric information may be collected and has given more control over those activities. That said, I think it may have an unintended chilling effect. Between the requirement for a “written release,” which is challenging depending on the context in which the information is collected, and the private right of action with no cure period that has resulted in a wave of litigation, it may be easier to avoid biometric collection in Illinois rather than risk the potential liability.
There is a lot of uncertainty right now in how broadly BIPA could be applied and debate over what constitutes biometric information in some cases. For example, courts are considering cases right now that will decide the line between a voiceprint and voice data, and those decisions may not be consistent. Collection of biometric information on its face is not a bad thing and I don’t think the goal should be to curtail it completely, but just to regulate its use so that consumers’ privacy and security are protected. I appreciate the calls to allow for electronic releases and narrowing the private right of action, at least until there is more clarity or certainty around its application.
The Privacy Advisor: What’s one overarching global privacy issue that professionals are going to need to pay more attention to as we move through 2022 and how can it be best addressed?
Lee: I think that professionals will need to move away from an EU-U.S.-centric mindset. Privacy is a global concern and there are frameworks outside of the EU and the U.S. that we will need to focus on. The real patchwork is the growing global patchwork of privacy laws, and issues of data localization and cross-border data flows have been and will continue to be some of the more challenging and overarching issues to address. I don’t have a solution, but I think that companies need to have a solid privacy program that includes systems for maintaining a data inventory that provides the company with a clear picture of the lifecycle of its data so that it can create a program that addresses all of the relevant privacy regimes, not just the EU and U.S.