During a recent webinar hosted by The Chicago Bar Association, some other panelists and I made some predictions about the future of data privacy.
What is on the horizon?
- The TADPF may sound like a combination of drums and cymbals after a comedian’s punchline, but in reality it is not fully baked and just “in principle”. We can either get pre-mad at it and at the fact that an executive order may not be good enough (like noyb.eu’s Max Schrems), or we can focus on making sure that we are compliant with the existing requirements of the Privacy Shield Principles because: (1) they will at least be the basis for a TADPF certification; (2) they will likely be interpreted in view of the enforcement developments we have seen under GDPR; and (3) they are already being enforced substantively.
- Don’t let the long tail of state privacy law compliance intricacy wag the dog of substantive compliance. Compliance with the burgeoning U.S. state privacy laws is hard because they are not exactly the same. But focus on the key issues like data minimization, disclosure, third-party management and consumer rights.
- Cookie consent is cookie fatigue. Are we losing the consent trees for the RTB forest? RTB is being investigated; TCF is being revised; “Reject All” buttons are here to stay (and coming to CA), and cookie sweeps are getting strong compliance results.
- What’s old is new again. BIPA lawsuits are here and they are varied: toothbrushes, clothes fitting, makeup try-on, video insurance claims, ADAS systems, drive-through voice recognition and good old biometric attendance clocks. Pay attention to data minimization, but for now: Do you have your notice/consent/data retention policy? Also, wiretapping. And please, mind your precise geolocation.
What does the privacy crystal ball say?
- Don’t expect a federal privacy law just yet. Congress is split over preemption, private right of action and who will enforce.
- CCPA regs are here to slap us into a waking state:
  - Data minimize seriously at GDPR-grade.
  - Avoid dark patterns like the plague (or the FTC or the CPPA will for you).
  - Disclose like you really mean it (and want people to understand it).
  - Purpose limitation walks into a bar and meets explicit consent. Unexpected twist: It’s a bar in Sacramento.
  - Get those third party/service provider agreements in place.
  - If you are a vendor and you know it then you really got to show it, with third-party vendor management and diligence and contracts and audits and actually exercising the audits.
It was a pleasure discussing all of this with Matt Loar, Kimberly Houser, Mark Webber and Amelia Vance.