S2 E15: Breaking Down the American Privacy Rights Act

S2 E14: Breaking Down the American Privacy Rights Act

Transcript

Matt Cagle: Hi, everybody. Welcome to Compliance Pointers. I’m your host, Matt Cagle. I am the GM of CompliancePoint. You’re probably used to hearing our normal host, Jordan Eisner, but had some scheduling conflicts, but we just couldn’t delay much longer on the American Privacy Rights Act. So stepping in to pinch hit for Jordan, I’ll do my best to fill his big shoes.

Today, we’ve got Matt Dumiak, our Director of Privacy Services, aka the Privacy Profit, joining us. Matt’s been consulting in this space for north of 15 years, helping clients manage compliance with state privacy laws, international privacy laws, as well as marketing compliance requirements. So a wealth of information. So let’s get to it.

Matt, the American Privacy Rights Act, I think surprisingly popped up on us a couple of weeks ago. First off, can you just give us a quick breakdown of what’s in this draft bill, if you will, and some of the elements that stood out to you?

Matt Dumiak: Yeah, absolutely. Happy to do that and happy to be here. Thanks for having me.

So yeah, it did kind of come out of nowhere. A little bit of a surprise. I like to think that it was just that we were feeling a little bit short of acronyms in the privacy space these days.

But in all seriousness, yeah, it was a surprise, especially in an election year. But it does look like it’s out there. It’s available for it’s a draft, obviously. It’s not finalized. I hope, you know, just to clarify for folks who are listening to the podcast, I’m sure you know that, but this is, you know, draft legislation. There’s there’s plenty to be debated here. There was a hearing yesterday, actually, that’s quite insightful, just about kind of hearing different parties’ views on it and kind of got some good feedback on the thoughts and what needed some maybe some bolstering, what they liked about it, what they didn’t like about it. Individuals from privacy advocacy advocacy groups, individuals from partners at law firms, individuals who’ve been impacted by online bullying. It was quite an interesting hearing.

But kind of back to your question, it came out of nowhere. It’s the you know, we had the the last chance we had was in 2021 from a federal side kind of went quiet since that endowment. Now we have this going on again in an election year. It’s a busy year. We’ll see where it goes.

But some key things it has and I think that would be good to call out and then generate some good conversation around is it’s got kind of your standard requirements that you would expect in a privacy law. Some things like transparency, which are great. You know, like your privacy notice requirements that might help simplify some of the state obligations that organizations are facing. It has privacy, you know, consumer privacy rights like rights to access, right to be deleted, right to the data portability or to receive a copy of it, right to opt out of certain kinds of processing.

It has data minimization, which is data. That’s a privacy principle in some of the state laws. It’s also a privacy principle that a lot of organizations that have solved for GDPR will be familiar with. But that’s kind of interesting because when I say some privacy laws at the state level, it’s not in all the state privacy laws. So data minimization is kind of a key principle that outlines that organizations should limit the personal information they collect for the own, you know, that align with only the reasons they need that data to process. And so it really puts the onus on the organization to prove to whoever is regulating this law via the FTC, state AGs, or some others, that they collected that personal information for a valid reason. They only maintained it for a valid reason. They only used it to align with that reason they collected it. So they’re putting a lot of onus on organizations from that data minimization perspective and less on the consumer from like a consent perspective or a lawful basis perspective. So that’s kind of an interesting principle that I think will go a long way and kind of and really will resonate with both consumers and organizations to kind of think through that.

You know, some other things like targeted advertising is obviously there’s an opt-out right in that under this law to opt out of targeted advertising.

Some other things as well that we’ve seen kind of at the state level, but not so much on the international level, like you can’t discriminate against an individual who exercises their rights, data security requirements and things like that.

Matt Cagle: Well, and I think for our listeners that might have acronym fatigue, you know, to steal your your joke earlier, right? With this just constant change in terms of privacy laws at the state level. People are probably wondering, is it worth their time to even learn what’s in this and understand the implications.

I think if I was advising a client, I’d say probably so in this case, unlike with what we’ve seen in the past on the federal side, bipartisan support, bicameral support. It’s clear that there does seem to be some momentum behind this. We’ll see if they’re ultimately successful.

I just would call out that for those that are wondering, is it time to get serious about data privacy and start implementing some of these elements if you haven’t already because of the state requirements, probably so, whether it’s the American Privacy Rights Act or the next one a year or two from now, it seems like there’s a lot of commonalities that are occurring. And at some point, we’re going to get to that tipping point where this goes into effect.

Matt Dumiak: Yeah, that’s a great point. I mean, even with ADPPA, which was in 2021, and again, another acronym, apologize for that, but the last federal one was kind of roadblocked by amongst others, but Senator Cantwell. Well, she’s worked with individuals across the aisle here and brought this one forward. So you can see that to your point, Matt, like this is not something that’s going away. It’s obviously an initiative at the federal level.

I think children’s privacy is also driving some of these things. They’re doing some updates and still will do some updates, you know, for the Children’s Online Privacy Protection Act. But they want to go further. And that’s why even like it was really interesting to hear through that hearing individuals that were sharing some impacts that like the lack of their privacy from a social media perspective, how that impacted them. And obviously, the legislators are really concerned about this on kind of the impact of on the youth of America.

And so that’s been kind of interesting to and to your point, like, yeah, there’s these state things, and if you haven’t done that yet, with this federal law that’s been, you know, this federal draft that’s been proposed to be something to pay attention to, I think absolutely, because it’s obviously a priority. It’s here.

Matt Cagle: I think we finally got enough momentum. For those that aren’t aware, the US is one of the lone holdouts in terms of developed countries without a national data privacy law. And so I mean, from a consumer perspective and someone that’s got to comply with all these this patchwork of state laws, the fact that this seems to be reaching the point where we’re serious about it is probably a good sign for business.

All right. So let’s say this does ultimately get passed and go into effect. Who would be enforcing it?

Matt Dumiak: So it’s going to be enforced by a few different parties. It’s going to be so the FTC will be tasked with enforcing it and drawing up some further regulations under it. Eight state AGs, state attorney generals. And then I thought this was fairly interesting. And so I’ve read this a few times now, one time when I was having some trouble sleeping. So forgive me. But they also authorize agencies that are authorized that are tasked with enforcing data privacy. And so that isn’t many on the state side just yet. But there is this one agency that continues to make the news in the privacy space, the California Privacy Protection Agency. That would still be they would still be empowered to enforce this law. And so you’ve got those three entities.

And then even beyond that, which I think is a big player here is actually consumers can enforce their own right under a private right of action. And so that’s going to get a lot of attention. That’s been a sticking point in Washington under the ADPPA in terms of any legislation, really.

If there’s a private right of action, as you know, Matt, that’s going to be a real thorn in the side of potentially some organizations, but also legislators on both sides of the aisle, because that allows both plaintiffs and consumers to take kind of the enforcement of a law that empowers them to take enforcement of a law upon themselves. And so they can make complaints, they can file class action lawsuits, see if those get certified.

That again has been a sticking point in the past. So we’ll see. Like this is still early. This law was released or this draft was released last week.

But again, to your point, it’s got support on both sides of the aisle. It’s got the private right of action that’s going to be, I think, widely debated. And so we’ll see. But that’s the big one. You know, FTC state agencies, the state agencies that have been authorized to enforce privacy and then of course, the private right of action, which again is going to be big.

Matt CagleOn the private right of action front, we’ve seen this historically with the Telephone Consumer Protection Act, the TCPA. It includes private right of action and we see thousands of lawsuits filed every year.

Just continued to grow year over year until the pandemic. And now we’re seeing that upward trend again. I would expect you would see similar activity should this go into effect.

And yeah, I did think allowing the state agencies to enforce was an interesting tactic taken by Rogers and Cantwell to basically buy favor with the CPPA. We’ve already seen them come out with a letter calling out some perceived limitations, I guess, in this draft, some of their concerns. And I think this is a smart move by Rogers and Cantwell basically to throw them a bone and say, no, you’re still going to have a part in this by being able to enforce this.

But just, you know, I don’t want to overlook that point in terms of enforcement, that private right of action compared to what we’ve seen in state privacy laws to date for companies that haven’t taken the time to focus on data privacy yet and investing in a compliance program. By the time this goes into effect, and right now you’d have six months afterwards before the private right of action, you want to make sure your I’s are dotted, your T’s are crossed. You are going to have these professional plaintiffs, as we like to call them in this space, testing your compliance, trying to figure out who the easy targets are to file those lawsuits against.

So we’ve already touched on this, but I do want to clarify for the audience if I’m an organization that’s been having all this fun tracking and complying with these quickly evolving state requirements, am I still going to have to worry about those if this goes into effect or do we have preemption?

Matt Dumiak: Yeah, so there is preemption to a point. So the majority of the, like what we would call in this space, the comprehensive privacy laws, they’ll be preempted by this law. However, there are some special exemptions, even excerpts from certain privacy laws. So as an example, there’s a biometric, there’s a law in California or in Illinois called, it goes by BIPA, another acronym. It protects biometric information and it has a proper right of action, but it really sets forth like a plan for, or sets forth requirements for organizations to collect and use biometric information about law. For example, that law would not be preempted by this law.

Another one would be any type of portion of a privacy law that protects employee information. So employee information is actually exempt from APRA, but it would not be exempt from, for example, the CCPA. So potentially CCPA, the portion of the CCPA that applies to employee data would still be applicable, could still be enforced by the CPPA, certain things like that.

And then there are some other, we talked about earlier, but wouldn’t like override anything under COPPA or requirements under GLBA or HIPAA. So they’re trying to, I think, find a balance of like, there are a lot of, we’ve traditionally taken a sectoral approach towards privacy in the United States in terms of credit card data or financial data or healthcare data. We’ve talked about marketing compliance a little bit with the TCPA. Any of those things that have a lens of privacy, they’re still going to stand. So this is not going to just wipe out anything that you might be seeing, that might be seen or you might consider assisting with or protecting a consumer’s privacy in that space.

And so if we’re talking about comprehensive privacy laws, yes, it’s going to, it’s going to preempt the majority of those. And so this will kind of be the law of the land, basically.

Matt Cagle: So if I’m a company that got my privacy program started back when the OG, the GDPR came about, should I be feeling good? Are there nuances that I need to be worried about with APRA?

Matt Dumiak: So you should be feeling good. I think that’s a fair question.

You know, GDPR, they’ve done a great job in designing that. They have a lot of requirements under it. This law, however, does have some nuances in terms of if you’re a large organization under it, that you have to designate a chief private data privacy officer as well as a data security officer. That is not a, that is a requirement in certain circumstances under GDPR as an example, but it is not, it is something that you need to undertake an analysis of. Whereas with this law, you, if you’re a large data processor, you would have to apply that type of thing.

And then as well, and it is, you can crosswalk it certainly, but they’re going to have, as always, specific nuances in terms of notice or exemptions under the privacy rights, the opt out of certain algorithms. They have an executive responsibility section that’s pretty interesting that I think they can use a lot under.

And then of course, we talked about it. The primary right of action is going to be huge. I mean, you can think about a consumer that can go and sue a company while you can do that under GDPR, it’s not as readily available in the EU as a little more challenging to do than here in the US and make it a little easier for consumers in my opinion.

So yeah, I mean, I think organizations will feel good about that initiative they’ve undertaken, but certainly there will be a priority to align your program with this. Absolutely.

Matt Cagle: If I’m an organization that’s been less concerned with the GDPR and some of the other international data privacy requirements, but more focused on the states, you spoke to the preemption piece, this goes into effect. What changes do you think I would need to make to my privacy program?

Obviously, that’s going to vary by organization, but just in general, what’s top of mind for you?

Matt Dumiak: A good consulting answer there, right? It varies by organization.

Certainly you would lose the 50-page privacy policy, which is great, be a little more transparent for consumers, easy to understand, which will be excellent. But we talked about a little bit, there’s this officer requirement that is not required at the state level typically. Beyond that, there’s going to be some PIA requirements or privacy impact requirements for certain organizations that you may need to undergo kind of at an organizational level on an annual basis, which is kind of an interesting tidbit there.

And then there’s kind of nuances throughout that would likely be fleshed out, I think, as this thing kind of continues to mature really. So right now, I think that’s kind of how that’s looking.

Matt Cagle: Well, and I do just to go back to that private right of action, but also the executive responsibility piece, basically attesting to the privacy program. And I think it’s a big step forward, where companies actually have to back it up. The executives may have something on the line, right? If they’re not buying that.

Matt Dumiak: That’s going to get attention with the board, obviously, and the executive team. And that’s a lot of times what it’s going to take to have sometimes these types of initiatives, executive buy-in, but also some skin in the game and say, okay, we have some ownership of this too. We’re going to have some accountability. We’re going to need to answer for this. Let’s make sure that we’re all on the same page about how we can afford this and how we can program in place.

Matt Cagle: So now that you’ve had some time to digest this a whole week and a half and listening in on a hearing, any initial surprises? We’ve touched on a few things, but what stood out that’s either in there or not in there?

Matt Dumiak: Yeah, a couple of things that I thought were interesting. And we didn’t talk about it yet, because it’s somewhat narrow, but there are over close to a thousand organizations that would be considered a data broker. And there is under this law, there’s a requirement to create a data broker registry where these data brokers would need to register. And then there’s going to be kind of a one-stop shop for consumers to opt out of their data being shared and processed with these data brokers.

And so that was somewhat interesting and kind of a surprise because under standard privacy laws that we’ve seen, we have seen data broker registry requirements at the state level outside of data privacy, even though it can kind of fall under scope, it’s not within their comprehensive privacy law. So that was kind of interesting.

And then the fact that it’s all over the place, right? But I thought it was funny that artificial intelligence only mentioned twice, kind of relieved to see that. That was pretty funny. But they follow that under certain algorithmic decision making. So that’ll be interesting to see how that gets bolstered or matured. I would assume that at the end of the day, artificial intelligence might be mentioned more than twice.

And then kind of on the international side, and we’ll see where this goes, but I haven’t heard too many conversations around whether or not this law would assist the United States in becoming or being seen as having an adequate data privacy law by the European Commission. And that means a lot for international organizations who are transferring information from the EA to the United States, because currently in the United States, we have not been seen or deemed by the European Commission to have an adequate data protection law outside of the data privacy framework, which is a self-certification you have to go under. Organizations can take that initiative. It’s been challenged in court by Max Schrennens a few times now. But the lack of at least it’s the way you can have it. But I would expect to see that there might be some more conversations around that, because if it is framed in a way that we would have an adequate data protection law in the United States as deemed that by the European Commission, that would be, I think, a huge burden lifted off of organizations that are transferring data from the EA to the US in terms of implementing safeguards, doing transfer impact assessments, a whole host of things that are very time consuming and cost a ton of money, frankly, just to be candid. It’s a long and arduous process. So I would assume that organizations are very, from the lobbyist side, I would assume businesses are really interested in how can we make this adequate if it’s going to pass. So I think that would be interesting. But I haven’t heard anything about that yet. We’ll see where that goes.

Matt Cagle: It would be a huge win for business to get that adequacy. And you mentioned AI and basically the lack of focus on AI in the draft. From what I’ve been able to gather, it sounds like the momentum behind this part of that could be the impetus to actually then getting some AI regulation in place. I know that’s a concern for a lot of people with the rapid advancement there. And it sounds like this is the first step in that direction. So just maybe another factor when we look at the likelihood of this ultimately getting passed and getting into effect.

Matt Dumiak: Certainly it could be a crawl, walk, run kind of approach. Absolutely.

Matt Cagle: So 50-50 maybe that this ultimately gets the necessary support and gets passed. If it does, when would it go into effect?

Matt Dumiak: So it’ll go into effect 180 days after enactment. And then that private right of action that we continue to bring up just because it is kind of a real risk for organizations would be six months after that. So there’s a little bit of a safe, not a safe harbor, but a little bit of a period of time for organizations to get a little more ready for that. As before with ADPPA, it was actually two years. So they’ve shortened that significantly from two years to six months.

Matt Cagle: So while we’ve got you, and we don’t want to forget about the states, I want to pick your brain for a few minutes. It’s still been a pretty active first quarter on the state front. Any movement there, any changes at the state level that you’d want to call out for the audience?

Matt Dumiak: I would call out that it’s been a really busy first quarter, Q1 into Q2. I’d have to look at the pace from last year to this year, but I believe we’re on pace to pass more privacy laws this year than we did last year. And last year was pretty significant. We’re already at five that have been passed with a couple out there waiting to be signed, which those are likely going to be signed. I don’t think any governor is going to veto a privacy law. That’s somewhat of a bad look, I think. But yeah, it’s just moving really quickly. We’ll see.

I think federal law could potentially pass, and if that’s the case, I think attention kind of changes pretty rapidly to the federal law. But if not, we’re up to 17 state privacy laws at the moment. So that’s where I think organizations are starting to juggle, like, how do they make this a meaningful program that can be sustainable and also so that it makes sense for consumers?

Because I joked about the privacy policy being shorter. You look at some of these notices and some of the obligations that consumers and organizations are facing alike, and it can get a little bit convoluted. So it doesn’t seem to be slowing down right now. I think that is some of the states are absolutely forcing Washington to take a real look at this and say, we’ll pass our own law, then we’ll make it an absolute path we’re going to mess and give you some incentive to pass a federal law. And I think that’s working.

Matt Cagle: So far, so good. So they’re getting their mission accomplished.

Well, Matt, thank you for taking the time to chat with us.

For those of you that have liked what you’ve heard, we’re actually going to be doing a version of this in person in Orlando, October 8th and 9th of this year at CompliancePoint Exchange 24. We will have sessions focused on both data privacy and marketing compliance. And so we’ll be touching on, I’m sure, the status of APRA at that point, as well as other state privacy requirements.

But it won’t just be the Compliance Point experts. We will have a number of our customers there sharing their lessons learned from complying with all these requirements we’ve talked about today, as well as several others. So hope everyone can make it.

Thanks everyone for listening. We produce content like this on a regular basis. If you’ve liked what you’ve heard, please subscribe on whatever podcast platform you prefer.

At Compliance Point, this is what we do. We help companies with data privacy, data security and compliance, and Matt and his team know how to operationalize everything we’ve talked about today to hopefully make your lives a lot easier navigating, again, this current patchwork in perhaps federal tidal wave that could be coming.

If you’d like to learn more about Compliance Point, visit CompliancePoint.com or you can contact us directly at connect@CompliancePoint.com.

Thanks for listening.

Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.