Privacy Plus+: What happened at the IAPP Global Privacy Summit in Washington DC
Privacy, Technology and Perspective
This week in privacy and technology revolved around the IAPP Global Privacy Summit in Washington DC. Here are the highlights:
Discussions of the California Consumer Privacy Act (CCPA):
The CCPA takes effect on January 1, 2020, with enforcement to begin July 1, 2020. Don’t count on major amendments. What we see (now) is probably what we will get.
Begin now to adjust, if you haven’t already. The CCPA has sweeping definitions that complicate the sharing of regulated information, notice/consent requirements, and access and deletion rights. They are similar to those of the General Data Protection Regulation (GDPR), but are notably different and often difficult. You’ll want time to prepare.
Statutory damages mean suits over breach are now a near certainty. The CCPA provides a private right of action for security breach, with statutory damages – thus clearing away many of the hurdles that advocates had faced in certifying classes, showing harm, etc. This is one more reason to strengthen your cybersecurity now.
Irish Data Commission. Because the principal European offices of so many major tech companies are in Ireland, its data protection commission will be the lead GDPR enforcement authority for many of the most important actions. Commissioner Helen Dixon says to expect the first results of investigations this summer. Sanctions are expected to be significant.
Don’t Forget “Conventional” Trade Secrets. Maybe 1 in every 20,000 words at the Summit was an occasional, almost offhand, and unpursued query whether businesses might somehow leverage the “reasonable precautions” they already take regarding their trade secrets, in order to protect their regulated personal information as well.
Our take: Of course! Obviously, there are important differences between how personal and “non-personal” information must be treated and may be used, but to over-emphasize personal-data “compliance,” and take your eyes away from conventional trade secrets, is to raise your risk of losing both. Beware of “compliance myopia” to the exclusion of practical and effective management of all of your valuable information.
Revisit Your Transaction DPAs. The GDPR led many businesses to enter into special Data Processing Agreements (DPAs) with their technology vendors. Some of the CCPA’s definitions are notably broader than the GDPR’s, however. Are your DPAs broad enough to stretch from Europe to California?
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.