Data Privacy

Developers of privacy compliance tools may not be getting much rest any time soon. The number of international privacy laws on the table is set to grow by one in January with the launch of the California Consumer Privacy Act (CCPA), and states like Washington and New York could soon follow.

For developers, the multitude of potential privacy laws presents something of a catch-22: Companies on a budget may be reluctant to spend money on individualized compliance tools targeting the specific nuances of each state law, but formulating a successful "all-in-one" solution requires threading many small needles.

"The one-size-fits-all program, it really cannot work in that you need a specific solution and a different solution depending on what laws you want to comply with," said Kimball Parker, president of Wilson Sonsini Goodrich & Rosati's tech subsidiary SixFifty.

Parker and SixFifty will be taking a toolbox approach to the problem, where for a flat fee customers can gain access to all of the company's various privacy solutions as needed.

So far, SixFifty's compliance products have focused primarily on the CCPA, but the lab is in the process of building out modules geared specifically towards the European Union's General Data Protection Regulation (GDPR).

Parker compared the commonalities between the GDPR and the CCPA to a Venn diagram where there is some overlap, but with wide circles full of differences on either side. For example, the GDPR requires entities that make any kind of a change to the way they handle data to undergo an analysis as to what the impact to people's data will be. The CCPA does not.

"So if you just took your CCPA tools and applied them to the GDPR, that would be a glaring gap," Parker said.

However, that doesn't necessarily mean developers have to start completely from scratch when devising new compliance solutions to meet emerging laws. Parsons Behle Lab, the tech subsidiary of Parsons Behle & Latimer, offers both a GDPR compliance tool and a CCPA compliance tool.

Tomu Johnson, the lab's co-founder and CEO, compared the development process to an umbrella, with the GDPR providing a fairly robust cover under which layers devoted to the particulars of any subsequent privacy laws that emerge can be built.

"In that sense, you now have a product that addresses and is flexible with all of the different privacy laws that could come out, and can adapt to the different guidance that you are going to get from the attorneys general from all the different states as well," Johnson said.

He indicated clients are already keen to make their compliance solutions a one-time expense. Still, tech companies seeking to create tools that can navigate the peculiarities of each law may have to make one fundamental change to their development process: getting more lawyers involved.

Johnson said tech companies have traditionally been shy about delivering services that may verge on legal advice due to bar association rules prohibiting such activity from non-lawyers. However, he pointed to states such as Utah that are beginning to relax such rules in the hopes of making legal services or guidance more readily accessible to consumers.

The competition that this would present to law firm tech subsidiaries may not be such a bad thing.

"At the end of the day we need it. I think that we've had more than enough time to try and provide legal services to the community in a technologically evolved way, and I don't know if we've delivered on the promise of that," Johnson said.