Greetings from Portsmouth, New Hampshire!
With Labor Day in the rearview mirror, the busy fall season is upon us, though I'm not sure anything in the privacy world slowed down this summer.
To wit: The California legislature late last week passed a set of technical amendments to the California Consumer Privacy Act of 2018. After sharing a Privacy Tracker post on the proposed amendments last week, Michael Lamb provided an update Tuesday, including four new amendments. These amendments — which include the removal of the "gatekeeping" function of the attorney general with regard to establishing a private right of action, extended HIPAA and CMIA exemptions, clarification of the AG's enforcement authority, and deletion of language involving deadlines — now await Gov. Jerry Brown's signature. Lamb also notes the legislature effectively pushed other proposed changes to CaCPA until next year.
It has been fascinating to watch the evolution of what is now CaCPA. From a state ballot initiative to a game-changing law that may well precipitate a nationwide regulation, this has been a unique legal development to behold. If you haven't done so already, I highly recommend that you read Angelique Carson's Privacy Advisor article on CaCPA's originators. She spent hours talking with two of CaCPA's architects — Alastair Mactaggart and Mary Stone Ross — as well as some of the key California lawmakers who shepherded CaCPA through the legislature. Angelique's reporting shines light on the history of this initiative and the nuances behind it. You might be surprised to find out that Mactaggart and Ross take different views on the law and that the bill itself may not have been as rushed as was previously reported.
In what appears to be a reaction to CaCPA, the U.S. Chamber of Commerce this week published a 10-point set of privacy principals that it believes should undergird a national privacy framework.
"The Fourth Industrial Revolution, relying on data and technology," the principles state, "requires policies that promote innovation, regulatory certainty, and respect for individual privacy and choice." A nationwide privacy framework, according to the Chamber, should apply to all industries and pre-empt state law (they're looking at you, CaCPA), focus on risk, and be technology neutral. Enforcement should be harm-focused and promote collaboration between companies and regulators. "In order to facilitate this collaboration, a federal privacy framework should not create a private right of action for privacy enforcement, which would divert company resources to litigation that does not protect consumers" — this point, if you read Angelique's article was a major sticking point during the CaCPA negotiations.
The Chamber also wants such a framework to serve as an international beacon, encourage companies to innovate around privacy, and bolster data security. And, of course, companies should be transparent and clear about their data processing.
Clearly, there's a lot to process here and tons of uncertainty remains. To help you navigate and keep up with these rapidly changing developments, we're offering a host of workshops and sessions at next month's Privacy. Security. Risk. conference in Austin, Texas. In addition to a daylong workshop on CaCPA, Mactaggart will also keynote. And that's just the tip of the iceberg.
If you want to comment on this post, you need to login.