10 Privacy Predictions for 2020

In the last two years, businesses have been catapulted into a dizzying new world, with privacy expectations and requirements that were unheard of just two years ago.

As soon as the law seemed settled in in the European Union with the General Data Protection Regulation (GDPR) taking effect on May 25, 2018, California hurtled into the spotlight with its California Consumer Privacy Act (CCPA) which took effect on January 1, 2020.

The CCPA is the first privacy law in the nation to give consumers broad rights to control (and in some instances delete) the personal information that businesses collect about them. Since then, a number of states have followed suit by passing or proposing CCPA-like privacy laws that give consumers at least some rights over their data.

If all of the state privacy laws currently under consideration pass into law, 34% of the people living in the United States will have at least some rights to control their data.

10 privacy predictions for the year ahead…

And it’s not over yet: 2020 is on pace to deliver more change at warp speed. Some of these changes will be driven by consumer demand, others by business competition, and still others by legal mandates. Here are 10 predictions for where privacy is headed in 2020:

More state-specific privacy laws

More states will follow California’s lead and will enact privacy laws that will look like the CCPA, but with some local differences. Businesses that operate in multiple states are going to find it difficult to manage all of the state-specific requirements. Demand for privacy professionals and comprehensive compliance programs will increase.

Voluntary compliance with the CCPA as a competitive advantage

Even companies that are not strictly subject to the CCPA will begin to voluntarily comply with some of its principles, such as transparency about data collection and use practices, and allowing customers to know and delete certain information that the business has collected about them. Businesses will move from seeing transparency and privacy as compliance burdens and will begin seeing them as competitive advantages.

A Constitutional challenge awaits

There will be a Constitutional challenge to the CCPA. Opponents will argue that the law violates the dormant Commerce Clause of the United States Constitution because the CCPA imposes excessive burdens on interstate commerce without congressional approval.

This challenge most likely will fail. The CCPA does not treat in-state and out-of-state economic interests differently and in a way that benefits California businesses and burdens out-of-state businesses. Rather, the CCPA imposes obligations on all businesses that meet the threshold requirements of the CCPA.

Finally, a federal privacy law?

In response to increased calls for national uniformity, Congress will continue working on a federal privacy law that will incorporate principles of the CCPA. Preemption and a private right of action will continue to be hotly contested and will delay what should be otherwise easy passage of a federal privacy bill.

We won’t see a federal privacy law in 2020 (primarily because Congressional leaders will be preoccupied first by impeachment proceedings and then by the 2020 election), but maybe in 2021 or 2022.

CCPA 2.0 will be born

California privacy law will continue to evolve. Alastair Mactaggart’s new California privacy initiative, the California Privacy Enforcement Act (CPEA) will be on the ballot in November 2020, and it will pass. This development will heighten the need for national uniformity and federal preemption.

Eyes on the Attorney General

Businesses across the nation are going to watch the California Attorney General’s office to see how quickly it moves to enforce the CCPA, who will be in the AG’s crosshairs, and the severity of sanctions. In December 2019, Attorney General Xavier Becerra announced that if companies are not operating properly, his office “will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”

Although the Attorney General will not begin enforcement actions before July 1, 2020, regulatory actions and fines of $2,500-$7,500 can be based on conduct that took place as early as January 2020.

Class actions and increased security

Now that the California Consumer Privacy Act is the first law in the country that provides for statutory damages in data breach cases, two things will happen. First, California will become a hot spot for data breach class actions. Second, businesses will invest significantly more resources in security infrastructure, encryption, technology and training to ensure that they have robust (not just “reasonable”) security procedures and practices in place.

“Delete me” apps

Because the CCPA allows consumers to designate “authorized agents” to access and delete information on their behalf, app builders will create apps that allow consumers to authorize the app to submit deletion requests on their behalf to hundreds of retail stores, websites, online operators, social media platforms, and other institutions with a single “submit” button.

This will create a cottage industry for app developers and will be burdensome for businesses to respond to, because many consumers may not even have an account with the retailer or website. And yet, the CCPA will require the business to confirm receipt of the request, look for responsive data, and ultimately deny the request because there is no data to delete.

Manual responses will give way to automated processes

Businesses will continue to try to manually respond to consumer requests to access and delete data, but for some companies and industries the effort will be too time-consuming and prone to error. Businesses will see the benefit of automated, scalable response programs and will be incentivized to build for the future.

Website ADA compliance

As part of their privacy compliance efforts, companies also will focus on making their websites accessible to persons with disabilities. The CCPA requires that businesses publish required notices and their privacy policy on their websites so that they are accessible to consumers with disabilities. But it won’t do much good if the privacy policy is accessible but the rest of the website is not.

Several United States Courts of Appeal have now held that websites that have a connection to a physical place of accommodation must comply with Title II of the Americans with Disabilities Act. In California, the violations of the ADA also are violations of the California Unruh Civil Rights Act, which allows plaintiffs to recover damages of up to three times actual damages but no less than $4,000 per violation, along with attorneys’ fees. (There currently is no legal prescription for web accessibility, but the Web Content Accessibility Guidelines (“WCAG”) 2.1 level AA are frequently referenced by courts as being the appropriate standard.)