With the forced distribution of workers as a result of the COVID-19 pandemic, as well as the natural evolution of the "information age", data and data protection have acquired a significant amount of attention across all levels of society.

Businesses, regulators, consumers, employees, investors, and even lawyers are all looking at data protection as a critical path to success. To this end, there are a number of issues which will likely come to the forefront in 2021 and beyond.

State Privacy Laws

While California was the first state to pass a (reasonably) comprehensive privacy law (as opposed to a cybersecurity law), it was not the only state to try. Since 2018, multiple states have tried and failed to pass California Consumer Privacy Act (CCPA)-style statutes. However, we are now seeing not just momentum, but actual progress in these state initiatives. Virginia passed its version of the CCPA (the Consumer Data Protection Act, or CDPA) on March 2, 2021. Washington State looks to be poised to pass its version of the CCPA. Additionally, Florida and New York have strong momentum in their legislatures to pass CCPA-style laws.

The big factors in these state initiatives are: 1) who gets to enforce the law, 2) scope of application, and 3) preemption by other laws. So far, we haven't seen a law permitting a private right of action pass out of a state house. However, proposals permitting such private rights of action have been included in the drafting process for all of the state bills. Should a private right of action appear, we can expect significant litigation under these statutes as the practices that these laws regulate are central to most of how commerce happens.

The scope of who the law applies to and the definition of what constitutes personal data are also evolving. The CCPA originally applied to everyone, and any data about everyone. The trend we are seeing now is the narrowing of the scope of individuals the law applies to (generally just “consumers”) but the expansion of the scope of data covered. Biometric data, event data recorder data (vehicle “black box” data), wellness data (non-health care data), “wearable” data, and even “Internet of Things” device data are now all subject to the requirements and restrictions of the expanding universe of state privacy laws.

One of the challenges with these new laws is that they are designed to limit the scope and uses of data. However, there are a number of existing state and federal laws which implicate the data handling practices addressed in the privacy laws. While each of the state privacy laws attempts to carve out exemptions for existing regulations, these exemptions (e.g. HIPAA, Gramm-Leach-Bliley, Fair Credit Reporting Act (FCRA), etc.) are not always consistently drafted. The exemptions can even be drafted in different ways in the same act. For example, the CCPA exempts “any activity” governed by the FCRA, but only exempts “entities” governed by HIPAA. This type of drafting at a minimum creates confusion as to the scope of the exemptions. It is quite possible that such confusion will also create litigation when the enforcement actions start to pick up steam.

Privacy Is Everywhere

As the world becomes a smaller and smaller place, with the ever-increasing expansion of interconnectivity across geopolitical boundaries, data protection becomes a much more significant issue. Whether it is workforce management, M&A activity, or entering into new markets, all “first” and “second world” countries have data protection laws. Many of these are modeled on the EU's General Data Protection Regulation. As such, while the US is currently struggling to birth its own approach to data protection, almost all of our international trading partners have strong data protection laws. This is not limited just to the European continent. It includes places like Mexico, Argentina, Colombia, Israel, Japan, and Egypt. As a result, businesses which deal in data (and that is all of them – see third point below) are now having to take data protection regulation into consideration across all of their operations. Otherwise, they run the risk of significant fines and costly litigation. Even in those jurisdictions where litigation isn't as common as in the US, the functional regulators are seeing data protection fines as a means to self-fund their offices. There is a very real financial incentive for enforcement actions under the various data protection laws.

Data Is a Capital Asset

With the increasing number of privacy laws which are being proposed and passed at the state level, as well as the implication of international data protection laws in many modern businesses, there is a tension between these laws and the ability of a business to leverage and monetize data as an asset. This is becoming more important as well, as most businesses recognize that the traditional way of operating is limited in terms of growth. All businesses are becoming “data businesses”. Retail is looking at how on-line marketing, retargeting, and related data-heavy practices can improve its profitability. In fact, with the pandemic, retailers are facing a reality where on-line property is more valuable than brick-and-mortar properties. Retail isn't the only market to start to understand how “virtualization” is the wave of the future. Health care (telehealth), auto dealerships (Vroom and Carvana), banking, manufacturing, and utilities are all industries which are looking to improve their profitability via the use of data. As is the case with any valuable capital asset, disputes arise, regulation is developed, and “reasonable protections” are necessary to ensure that the appropriate parties have their rights protected.

Unlike traditional capital assets, data as a capital asset will always have at least one additional stakeholder in the equation–the individual data subject. As a consequence, businesses need to develop not just an understanding of how to monetize data, but also how to benefit the data subjects who make up a critical part of the ecosystem. This includes implementing “reasonable” information security – an obligation which is being included in all the various privacy laws at the state and federal level. Additionally, we expect to see management and owners of businesses start to view information security the same way they do financial reporting and other asset management and control systems. This will likely lead to increased scrutiny by lawyers for the various stakeholders to ensure that the asset isn't being abused. As part of this scrutiny, we predict that new and novel legal theories will start to show up in litigation, contract negotiation, and even insurance policies which address the needs for businesses (and their vendors) to consider information security and privacy in the same manner that quality is addressed. Theories like breach of fiduciary duties, waste, negligence, fraud, and unfair or deceptive trade practices may be used to impose liability on data supply chain participants who don't take proper precautions in ensuring a proper legal basis for processing, or in securing data. All of the existing legal risks associated with asset management will start to get applied to data protection. It won't be just about “privacy” any more. It will be about “responsible information management” or “data governance”.
