Hello from Portsmouth, NH!

You may have noticed that I am not, in fact, the IAPP publications editor. I am guest-starring this week, as Jed Bracy (the real editor) is in Toronto covering the IAPP’s Canada Privacy Symposium.

While most of the privacy world is understandably focused on today’s big moment — the beginning of the EU General Data Protection Regulation enforcement era — there have been other privacy events worthy of note. Personally, I have noticed an increasing public awareness of, and interest in, how consumer data is used after collection. In particular, there have been a number of recent stories that cover various third-party transfers of information — perhaps inspired by the widespread outrage over the sharing of scraped Facebook data initially obtained by academic Aleksandr Kogan. Just this week, Slate has reported on the widespread tracking, storage and resale of cell phone location data by U.S. wireless carriers; also, several tech industry publications have recently reported on Amazon’s cooperation with law enforcement to deploy its AI-driven facial recognition software, a system capable of analyzing footage provided by the clients’ cameras in real time.

I mention these incidents not to join a crowd of hysterical doomsayers predicting our imminent descent into Orwellian mass-surveillance, but to suggest that some legal changes may be on the horizon in the United States, as well. The degree to which private actors not only capture, use, and store our data, but also transfer it onwards in the information ecosystem (to both public and private partners) seems to have only recently reached the public consciousness in a serious way. The GDPR is the EU’s attempt to create a regulatory framework that covers at least part of the new personal data economy, and it is likely that changes are coming to both criminal and civil laws governing personal data in the United States, as well, either at the state or federal level. Or both.

Some changes are no longer merely in the realm of speculation. For example, before its term ends in June, the Supreme Court will issue its opinion in Carpenter v. United States, which will determine whether U.S. law enforcement needs a warrant to access cell site location information. The passage of the CLOUD Act and the enforceability of the GDPR mean that Congress will have more work to do regarding data privacy, whether it wants to or not — stable mechanisms for transferring data (both commercially and for security purposes) must be worked out with the EU. Some commentators have suggested that this necessity, and public pressure generated by repeated scandals like last year’s Equifax breach, could prompt a new comprehensive privacy bill.

New things are happening at the state level, too; the California State Senate is set to consider a new consumer protection bill that would give consumers a statutory right of action against companies that fail to adequately safeguard personal information. The California bill would represent a notable expansion of liability for consumer data aggregators, as it would allow any consumer affected (not just a business’ customers) to potentially sue in the event of a data breach and includes a statutory damages provision, rather than limiting recovery for plaintiffs who can show a violation to actual damages.

All in all, while the world is understandably fixated on the GDPR at the moment, I think it will be very exciting to see where the United States goes in response. At this point, we’re in uncharted waters, and if Equifax and Cambridge Analytica have taught us anything, here there be dragons.