Nearly 30 years ago, three major meteorological forces combined in a dramatic and unanticipated way. A barometric low-pressure system, a high-pressure system and the fading Hurricane Grace collided over the Atlantic Ocean to create havoc on the coast of the Northeast, with Gloucester, Massachusetts, at its epicenter. The National Weather Service dubbed this “the Perfect Storm” to convey the unusual and powerful nature of the confluence of these forces.
Since then, this phrase has become part of our lexicon. In a colloquial sense, it now applies to any combination of major forces that overlap at a moment in time to create a reality that is far greater than if the individual forces just played out in an individual way.
The European Union’s General Data Protection Regulation (GDPR) turned 1 year old in May 2019. U.S. companies are directly in the crosshairs. Whether based in the EU or not, a company is potentially subject to the GDPR (and its stiff fines up to 4 percent of annual global revenue) if it offers goods or services to data subjects in the EU, or monitors individuals’ online behavior or personal information in the EU. This means that a U.S. company engaged in the common business practice of collecting digital data from its EU customers must assess and implement business practices to ensure GDPR compliance.
The most prominent U.S. law in place is the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020. It creates rights for California’s 40 million residents to access, correct, delete and opt out of the sale of personal information. It applies to all businesses that operate in California but exempts those that do not meet minimum revenue or size requirements. The implementing regulations for this law took hold on July 1, and a more stringent version now will be a ballot initiative in the 2020 elections in November.
The CCPA has another and potentially more complicated effect — not only does it induce compliance costs in California, but it also has influenced other states to consider similar or competing privacy legislation, with Maine and Nevada also now having their own laws in place. And the next five most populated states — New York, Texas, Florida, Illinois and Pennsylvania — have assembled privacy taskforces, introduced bills and initiated legislative committee reviews already under way, as well.
The GDPR and CCPA have helped shape both the interest in, and the scope of, potential privacy legislation. So too has the COVID-19 pandemic, as much of the U.S. workforce, public and private education, and personal communications have gone online. This has created greater possibilities for hacking and an increased anxiety regarding digital data collection undertaken for contact tracing and other methods of tracking based on personally-identifiable information.
The GDPR, the CCPA, and the “new normal” are sure to be part of the aftermath of the global COVID-19 pandemic. These forces now represent our nation’s critical moment in time for digital privacy. They are “Privacy’s Perfect Storm.”
There can be no doubt now that digital privacy protection deserves more focus as a national policy priority. Our nation needs to chart a way forward in a brave new, post-pandemic world that will increasingly be experienced online, both at work and at home.