Privacy Daily is a service of Warren Communications News.
Companies Look Globally

State Enforcers Seek to Apply Privacy Laws Broadly

States are seeking to build a foundation of privacy enforcement by taking action against a broad range of companies, state enforcement officials said Wednesday on a panel at the IAPP Global Privacy Summit. An increasing number of privacy regulations around the world present a big challenge for companies that operate in many global markets, said another IAPP panel earlier Wednesday.


A priority for the California Privacy Protection Agency is to build a “foundational precedent” and collaborate with other states that have similar privacy law frameworks, said Michael Macko, CPPA enforcement head. Don’t expect to see the agency pursuing just one industry or one particular business practice, nor just the biggest tech companies, said Macko: The CPPA will apply the California Consumer Privacy Act "holistically across industries" and "build that precedent as broadly as possible."

Same for Colorado, said Stevie McGroff, first assistant attorney general in the privacy unit of the state AG's office. "There's not one particular industry" or type of company it's targeting under the Colorado Privacy Act, she said. She noted that the state’s right-to-cure period recently ended. "We're out of the cure period. We're expecting compliance."

Oregon is required to provide a 30-day right to cure until January, so it’s still focused on outreach and education, said Kristen Hilton, the state’s senior assistant AG for consumer privacy and data security. It’s also focusing on issues that can be fixed, she said. Hilton reminded the IAPP audience that on July 1, the Oregon privacy law will also take effect for nonprofits, after taking effect for others last July.

Hilton recommended keeping an eye on two amendments to the Oregon privacy law under consideration in the legislature, which would ban the sale of precise location data and the data of children under 16. The changes received unanimous support in the House last week, she said.

While there are “veneers of difference" among the 20 state privacy laws, there's no inconsistency in how different states are enforcing them, Macko said. He challenged the IAPP audience to find one example of California enforcing its privacy law in a way that's inconsistent with other states. Last week's announcement about a consortium of state enforcers (see 2504160037) formalized what states were already doing, he added.

Red Flags

The state enforcers listed some common mistakes made by companies in response to their inquiries about possible privacy issues.

Respond to the Colorado AG office’s emails, McGroff said, adding that it’s a "huge red flag" if a company is not replying to emails sent to its privacy inbox. But don't respond defensively, she added. "If you lie, you make it worse." Also, McGroff advised sharing information proactively, directly and honestly.

"Do what you say, say what you do" with consumer data, Hilton said. "Transparency is paramount to us." Also, while companies don’t need an Oregon-specific privacy rights page, their privacy notice shouldn’t make it seem like Oregonians lack privacy rights that residents of other states have, for example by listing several states but not Oregon, she said.

Oregon’s cure letters are "very specific" about potential violations, noted Hilton: The worst is when the AG's office gets a defensively worded response on the day that the cure is due. Oregon is more likely to send a subpoena if a company doesn’t respond to an inquiry letter, she said.

The California and Colorado officials agreed. Sometimes the CPPA sends letters, other times subpoenas, said Macko, but the important thing is to be responsive, regardless of the form. McGroff noted that her state considers whether a company made an effort to comply.

Connecticut prefers to start with an inquiry letter, rather than a civil investigative demand (CID), said Connecticut Deputy Associate Attorney General Michele Lucan on an earlier panel Wednesday. A letter is "more nimble" and less formal than a CID, but it's not something companies should ignore, she said. "It's something we expect cooperation and compliance with." Letters are often spurred by consumer complaints and media reports, and they don't always result in formal enforcement action, she said.

Lucan addressed issues with companies trying to claim confidentiality when withholding information. They might try to block enforcers, but the AG needs the information to "put a matter into context and complete an investigation," she said. "Our goal across the board is to be thorough and fair in these matters." When companies come into initial meetings and try to flag material as confidential "when we know" it isn't, that might start "things off on the wrong foot."

Companies Take Global Approach

For years, global companies like Ford focused on complying with Europe’s General Data Protection Regulation (GDPR), said Stephanie Westfield, the automaker’s senior privacy counsel. However, that approach “just doesn’t cut it anymore with all the laws popping up in all the countries,” she said, highlighting Africa and the Middle East in particular. “Now is the time to think about how” to take a “global approach” and find “the highest watermark.”

While Ford may have local counsel in many different parts of the world, the lawyers may be generalists or commercial attorneys rather than privacy lawyers, Westfield said, adding that Ford has EU counsel that focuses on the European approach. She said it's been a challenge to train local counsel who don’t have the specialty focus and to educate EU “regional counsel to think more globally.”

New state laws in the U.S. have also created challenges. Westfield noted that Maryland’s privacy law, which takes effect in October, is “one of the strictest in terms of secondary use of data.”

In Europe, everyone focused on GDPR when it arrived in 2018, agreed Jenny Le, senior manager at Ernst & Young in Munich. “And slowly but surely over the last … almost seven years, people are realizing that those requirements aren't satisfying all the different locations that their organizations exist.” Especially with the many new U.S. requirements, “a lot of our client organizations are … trying to manage that by not so much decentralizing, but in some ways, not having everything centralized on one framework or one standard,” which used to be GDPR, Le said.

Caleb Mabe, nCino's global head of privacy and data responsibility, agreed that it’s important to look into local requirements and find a knowledgeable counsel to assist with compliance in that location.

When preparing for potential interactions with enforcers, Mabe advised thinking about the “worst-case scenario” and what story one’s company will tell. “Does your privacy program effectively help your business manage risk and compliance in a way that, were regulators to look at it … would they see a story of an organization that was attempting to do the right thing?”