Legal Tech's Predictions for the CCPA in 2020
The California Consumer Privacy Act (CCPA) has officially arrived. Here's how lawyers and technologists think it will affect your practice this next year.
December 31, 2019 at 07:00 AM
9 minute read
Tomorrow, the California Consumer Privacy Act (CCPA) is officially enacted, with full compliance expected by July 1. If you have California customers, are you ready? Maybe, maybe not, but either way it's clear that it's going to have an effect on your how organizations hold its data.
When I solicited opinions for privacy predictions in 2020, it's little surprise that a large number of them had to do with the CCPA's impact on the law. So, with CCPA Day less than 24 hours away, I decided to put all of those predictions in one place. Here's what attorneys and technologists alike see for the CCPA this upcoming year, which could be one of the more turbulent for privacy in the U.S. in a while.
This is the second in a six-part series of 2020 predictions from Legaltech News. Yesterday, we ran experts' predictions for e-discovery in 2020. Check back on Thursday for the rest of our predictions for privacy in 2020, Friday for cybersecurity, and next week for artificial intelligence and other innovative technologies. The quotes below are in alphabetical order by name, and some have been edited for length.
David Carns, chief revenue officer, Casepoint: "In the wake of GDPR, 2020 will usher in a new and complicated world of data privacy. The California Consumer Privacy Act (CCPA), which goes into effect in January, will have a major impact in the U.S., and organizations will have to be ready to respond to additional privacy legislation and regulations in other states and possibly at the federal level. Organizations that regularly litigate in other countries and deal with data sources from multiple jurisdictions will need to pay close attention to ensure compliance and avoid hefty penalties. Flexible, proactive and efficient data management technologies will become absolutely essential. Because 2020 is an election year, the chances are next to zero that we'll see national cybersecurity or privacy regulation in 2020, but just wait for 2021."
Adrienne Ehrhardt, Privacy and Cybersecurity practice group chair, Michael Best: "As we turn the corner into 2020, the year of visionary clarity, businesses will increase their focus on cybersecurity risk mitigation by strengthening their written plans and policies to clearly demonstrate a business commitment to strong information security programs. The much hyped California Consumer Privacy Act, which goes into effect January 1, 2020, will drive this focus because those that do not shore up their information security programs face the high probability of a class action lawsuit that provides each consumer $100 to $750 in the event of a breach involving California resident personal information."
Amanda Fennell, CSO, Relativity: "GDPR & CCPA were just the beginning of the age of privacy taking center stage. Many security programs will build out an amazing program but neglect the foundations and maturation of privacy. Best practices should include a thorough review of a vendor to ensure they are in accordance with these regulations and a concerted focus on this area with devoted resources to ensure they stay abreast of changes."
Chris Lyon, partner, Morrison & Foerster: "We will ring in 2020 with the landmark California Consumer Privacy Act, which I predict will set the pace for rapid development of new state privacy laws across the U.S. in 2020. Some of these laws will be broad-sweeping consumer privacy laws like the CCPA, while others will more narrowly target technology-related privacy concerns, such as connected devices/internet of things (IoT), location tracking, and biometric data. Hopes will be dashed that a federal consumer privacy law will simplify privacy compliance. Globally, other countries will continue expanding their privacy laws, favoring the more expansive approach of laws like GDPR."
Darrell Mervau, CEO, FileTrail: "Many firms have taken a 'wait and see' approach to CCPA compliance to date. In 2020, however, more privacy-conscious firms will act quickly to close gaps between their GDPR and CCPA compliance measures before they find themselves flooded with queries about how they are handling personal data. More work will be done to audit firm-wide information repositories and assets. As the saying goes, you can't govern what you can't see. Firms will also re-evaluate how they are currently classifying and tracking data, and invest even more in automating processes to enable better, more proactive information governance—or run the risk of costly fire drills to prove their competence and commitment to data protection."
Chris O'Connor, director of e-discovery strategy, CDS: "The legislation and imminent kick off of laws such as the California Consumer Privacy Act is the dawn of privacy in the United States. Though in comparison to GDPR, CCPA is not as encompassing, that this law exists shows that privacy in the United States will be an increasing issue. Ten states other than California have adopted or have pending legislation related to privacy. While no holistic privacy legislation has been enacted, it is a matter of time. This means the ability to adapt to these as soon as they are online will be of great import for all data processors. CCPA already envisions scenarios such as DSAR [data subject access requests] in the European Union (EU), and this means processors need to be able to identify individuals' records quickly and accurately and make that data available to the requestor."
Kimball Parker, president, SixFifty: "In 2020, several states are expected to revamp their privacy laws, following in the footsteps of the California Consumer Protection Act (CCPA). With a half-million businesses expected to be impacted by the CCPA alone, more and more U.S. companies—even those outside California and the tech industry—need to take consumer privacy more seriously. A critical first step is data mapping—understanding what kinds of data a company collects, how it is stored and secured, who can access it, how it is used, with whom it is shared, etc. In addition to being an exercise in good data governance, data mapping is a foundational step for complying with the recent wave in privacy laws: GDPR, CCPA, and the new laws to come."
Rebecca Perry, director of strategic partnerships at Jordan Lawrence, an Exterro company: "January 1, 2020, is by no means the finish line; it's when the real race begins. As companies struggle to comply with subject access rights, we will see the convergence of e-discovery and data privacy into a single discipline. Considering all of the moving parts in correctly operationalizing a data rights request, it's no wonder this process is the most ripe for compliance failure. Savvy plaintiffs' attorneys will no doubt exploit companies' weaknesses and private rights and spark a wave of litigation, sweeping up companies that were never before targets of any sort of class action."
Brian Powers, CEO, PactSafe: "Data privacy regulations are becoming more of a pain point to legal teams. I think we will see a surge of privacy policy related litigation as CCPA comes into effect and the courts are called in to resolve some ambiguity surrounding CCPA requirements. With CCPA coming into effect, and as GDPR continues to be fleshed out, we may see more of a push for easy third-party solutions for things like consent tracking as well as a push for federal regulation over privacy."
David Shonka, partner, Redgrave: "Between the CCPA and a new draft initiative to further restrict data-collecting companies, California will continue to lead the charge in privacy in 2020, and other states will likely follow California's lead. The heightened state activity will undoubtedly raise pressure for a national privacy law, but the divisions in Congress and the 2020 election cycle make the odds of any comprehensive privacy legislation miniscule at best. At least through 2020, the action will be at the state level. At the federal level, all the real action in this area will continue to originate with the FTC as it continues to enforce its authority under Section 5 and a few other statutes and strives to straighten out a couple of adverse court decisions regarding its authority. Any federal legislative action will likely to limited to keeping that agency fully functioning."
Dominique Shelton Leipzig, chair of AdTech Privacy & Cybersecurity group, Perkins Coie: "It's clear that the CCPA is going to generate litigation outside of the data breach context. The 27 cases already filed before the CCPA even takes effect, some related to social media and e-commerce; the preparation taken by Judges on the topic, such as the summit held by the California Supreme Court's Chief Justice to train state court trial and appellate judges on the CCPA; and the statements by plaintiffs' groups like the ACLU, EFF and California Consumer Attorneys that they intend to pursue litigation are all harbingers of the consumer-protection focused environment to come. Litigation avoidance compliance is prudent."
Michael Warren, VP, CRM practice, Wilson Allen: "There is a general consensus that the privacy legislation in California will start a domino effect across the states. However, whether or not other states introduce similar legislation is not really the point. The experience in Europe and Canada, which has had data privacy legislation for some time, is that clients expect you to respect their data in terms of how you protect it and use it. So good business practice is to apply the rules outlined in CCPA to your business, whether or not you're required to do so."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250