By Michael Bahar, Frank Nolan and Ali Jessani
Europe’s General Data Protection Regulation (GDPR) fell like a meteor, sending waves of enhanced privacy legislation to distant shores. The tidal wave first came ashore in the US when, in June 2018, the California Consumer Privacy Act (CCPA) was passed. The CCPA’s sweeping privacy protections borrow heavily from GDPR principles and, like its European counterpart, have an ambitious extraterritorial reach which will cause companies around the world to undertake significant compliance efforts.
Three months later, California threw another stone into the water. In September, California passed cybersecurity legislation for manufacturers of Internet of Things (IoT) devices, indicating its desire to lead the field in cybersecurity beyond the protection of only private information. Likewise, the ripple effects of this law are expected to be felt far beyond California’s picturesque coastline.
What California Learned from Europe Regarding Privacy
Arguably the most influential element of the GDPR, including for the California Legislature that passed the CCPA, was the shift towards creating an overall right to privacy with respect to data. Previous US data privacy laws focused on protecting specific types of information in specific contexts, like offering protections for a patient’s personal health information in the hands of medical providers or non-public personal information held by financial institutions. With the CCPA, California takes a page out of the EU’s book and provides privacy protections across the board and more firmly empowers consumers with choices about what happens to their data. The CCPA and the GDPR both define personal information broadly (although not identically), and their protections apply outside the borders of California and Europe, respectively.
Despite the overlap, compliance with the CCPA does not necessarily mean compliance with the GDPR since there are significant differences beyond the definition of personal information. For example, the CCPA requires businesses to provide consumers with the ability to opt out of the sale of their personal information. Where GDPR-compliant businesses collect personal data and rely on consent to sell their information to third parties, the GDPR requires specific opt-in consent, which the CCPA does not. Providing GDPR opt-in consent, therefore, should suffice for California but, absent some other lawful basis, providing opt-out consent to comply with California’s law would not suffice for Europe.
How California Can Set the Standard for Cybersecurity Going Forward
While the GDPR has a cybersecurity aspect, as does the CCPA, California took cybersecurity a step further and extended regulation beyond the mere protection of private data.
Businesses that manufacture, or that contract with another person to manufacture on the person’s behalf, connected devices sold or offered for sale in California now also need to be aware of the state’s new cybersecurity law regarding those devices. Starting on January 1, 2020, manufacturers of connected devices will be required to equip those devices with “reasonable security features.” This focus on “reasonableness” is consistent with the GDPR and other cybersecurity legislation (like the New York State Department of Financial Services Cybersecurity Regulation), which largely do not prescribe specific measures whose absence would constitute a violation of the law, but instead mandate that protections be reasonable, risk-based and appropriate. This approach is designed to “future proof” the legislation against rapidly evolving technology and threats, as well as to acknowledge that there is no one-size-fits-all approach equally applicable to large and small companies.
Unlike the CCPA, the IoT law does not provide a private right of action for a violation, but a breach of connected devices which impacts private information could provide the basis for a private right of action under the CCPA. In addition, regulators in the US and Europe (and perhaps beyond) can be expected to emulate California’s IoT law, especially as connected devices become more prevalent and integrated into more and more products.
Ultimately, privacy and cybersecurity legislation passed by one jurisdiction tends to spread quickly to others. In this environment, companies should strongly consider getting ahead of the coming tidal waves by stepping up their privacy protections, as well as their cybersecurity practices beyond the protection of privacy.
Michael Bahar is a partner and co-lead of Eversheds Sutherland’s global cybersecurity and privacy practice and a member of the firm’s Litigation practice. As former Deputy Legal Advisor to the National Security Council at the White House, former Minority Staff Director and General Counsel for the US House Intelligence Committee, and as a former Active Duty Navy JAG, Michael provides advice on cybersecurity and privacy, international law and national security law. While with the House Intelligence Committee, he was lead drafter and negotiator for the Cybersecurity Act of 2015, the USA Freedom Act (which reformed certain key surveillance authorities) and four annual Intelligence Authorization Acts.
Frank Nolan, Counsel, defends class action lawsuits and complex business litigation matters in federal and state courts throughout the country. He advises financial services and insurance clients on issues affecting their core business practices. His cases involve claims of unfair trade practices, consumer fraud, antitrust and violations of data privacy laws. Frank also litigates and arbitrates business-to-business disputes, counsels clients on pre-litigation and compliance matters, and advises on contractual issues.
*Ali Jessani is an associate based in the Washington DC office and previously served as an Extern within the Voting Rights Section of the US Department of Justice. Mr. Jessani is a 2018 graduate of Duke University School of Law.
*Not admitted to practice. Application submitted to the New York Bar.
Compliments of Eversheds Sutherland, a member of the EACCNY