Last week, the IAPP hosted its annual Global Privacy Summit in Washington, D.C. This year’s summit was the IAPP’s largest event, with more than 4,000 attendees from around the world. From day 1, it was clear that the summit was heavily focused on the California Consumer Privacy Act of 2018 (CCPA), with many of the conferences covering the CCPA’s nuances, and tech vendors, legal professionals, and consultants offering compliance solutions for this new law.
At the conferences, some panelists believed that passage of the CCPA will be a catalyst for Congress to work on passing a federal privacy law, although most believed that under the current political climate, passage of a federal law in the short term is unlikely. Without a federal privacy law, panelists noted that companies are left in a precarious state because they will have to offer different levels of privacy rights for consumers depending on their state of domicile. Perhaps the most surprising observation shared by some panelists, but one that makes a lot of sense, is that privacy laws should not be drafted to only apply to larger companies because smaller businesses have an easier time adopting new laws than larger ones. The panelists explained that it is very difficult for large companies to adopt new privacy laws because they have old legacy systems with massive amounts of data, which will need to be reconfigured and reorganized to be able to respond to consumer requests. Smaller businesses, and especially startups, do not face the same burdens as larger companies because their systems are not as large or old, which makes them nimble enough to quickly ensure compliance with new privacy laws. For this reason, some panelists criticized the CCPA’s $25 million gross annual revenue standard as a threshold for requiring a business to comply with the Act.
One highlight of the event was an interview with Joseph Simons, Chairman of the Federal Trade Commission (FTC). Chairman Simons said that the FTC is in favor of a federal privacy law, and envisioned it having a broad preemption provision that would cover the substantive provisions of states’ data privacy laws, like the CCPA. He also said that it is possible that states’ attorneys general will be delegated the task of enforcing the federal privacy law. When asked if the FTC plans on exercising its rule-making authority to circumvent Congress’s failure to pass a federal privacy law, Chairman Simons said no. He believes that the FTC does not have adequate statutory authority to issue broad substantive privacy rules. Chairman Simons said that a federal privacy law is the only option.
Lastly, Chairman Simons said that the FTC plans on pursuing higher (and perhaps record breaking) penalties in the near future, involve third party assessors to ensure that companies are complying with consent orders, and even go after individual officers of small businesses who personally ratify unlawful activities. In short, the FTC plans on being more aggressive in enforcing consumer privacy rights.
In sum, the 2019 IAPP Global Privacy Summit was once again a great event, and provided valuable insight regarding the data privacy world’s concern regarding piecemeal passage of state data privacy laws (especially the CCPA) and the FTC’s perspective on data privacy enforcement actions.