AMERICAN PRIVACY LAW AT THE DAWN OF A NEW DECADE (AND THE CCPA AND COVID19): OVERVIEW AND PRACTITIONER CRITIQUE.

Author: Robins, Martin B.
Position: California Consumer Privacy Act of 2018
  I. INTRODUCTION: WHAT DO WE MEAN BY PRIVACY?
  II. SOURCES AND SUBJECTS OF PRIVACY LAW AND GUIDANCE
  III. EUROPEAN UNION GENERAL DATA PROTECTION REGULATION
  IV. BREACH NOTIFICATION LAWS
  V. AFFIRMATIVE SECURITY AND OTHER OBLIGATIONS
  VI. FTC RULES AND ADMONITIONS--DISCLOSURE-BASED AND OTHER
  VII. CHILDREN'S ONLINE PRIVACY PROTECTION ACT ("COPPA")
  VIII. CALIFORNIA CONSUMER PRIVACY ACT ("CCPA")
  IX. ROLE OF PRIVACY POLICIES
  X. CRITIQUE AND RECOMMENDATIONS: GENERAL AND RESPONSIVE TO COVID-19 DEVELOPMENTS
    A. Breach Notification Statutes
    B. State Substantive Regulation
    C. Informal FTC Regulation
    D. Children's Online Privacy Protection Act
    E. Information Collection and Usage; Present Law: Opt-in; Opt-out
  XI. COVID-19 AND PRIVACY
    A. Alternative Technologies
    B. Voluntary vs Mandatory: Legal and Health Ramifications
    C. Non-US Mandatory Approach
    D. Need for Unified Approach
  XII. CONCLUSION
  APPENDIX

  I. INTRODUCTION: WHAT DO WE MEAN BY PRIVACY?

    The topic of privacy comes up very frequently today. Apart from the extensive discussion in technology and academic circles, within the political arena it is apparently the closest thing to a bipartisan concern, (1) and the popular press and the business-oriented legal environment all treat the subject as a high priority. COVID-19 and a fervent desire by all to use technology to reduce the likelihood of its recurrence are justifiably major factors in current discussions, but equally justifiable concerns about the impact of such technology on Americans' privacy also demand a good deal of attention to privacy law as it stands and as some may seek to change it. For example, as this article was being finalized, the Wall Street Journal reported that in an effort to expedite employees' return to work following virus-related lockdowns, "United Health and Microsoft Corp. jointly developed an app that checks worker symptoms and gives a go-ahead to report to work." (2)

    Yet there is a good deal of disagreement as to what 'privacy' actually entails and why it should be prioritized. This article intends to explain the different objectives and authorities incorporated into this area of law and to provide the authors' own views, as experienced practitioners advising technologically oriented businesses, of what social utility is being provided, at what operational cost, and what should be adjusted.

    A brief background to the privacy landscape in the United States starts with an illustrative juxtaposition of the US and European approaches to personal information. While the European Union's General Data Protection Regulation (GDPR) (3) is a general, comprehensive law that addresses personal information regardless of whether it is collected by a bank or a hospital, the US has, at the federal level, followed a 'sectoral' approach, with laws that address, in somewhat tangential fashion, the security and use of particular categories of data such as, but not limited to, health information (4) and financial information. (5) The US has no comprehensive federal codification of authority and, at least at this writing, (6) no generally applicable federal statute that would cover personal information not captured or preempted by existing federal legislation.

    While a number of definitions exist, all of privacy law deals with 'personal information.' Until the passage of recent laws, including the California Consumer Privacy Act (or 'CCPA'), (7) the 'standard' definition of 'personal information' among the states was some variety of an individual's first name or first initial and last name in combination with one or more of the following data elements: (i) Social Security number, (ii) driver's license number or state-issued ID card number, or (iii) bank account number, credit card number, or debit card number combined with any security code, access code, PIN, or password needed to access an account. Such definitions generally applied only to computerized data that includes personal information, and because they have tended to be bundled with data breach notification provisions, the definition of personal information flowed from a concern about identity theft and financial harm.

    With the passage of the CCPA, the US privacy landscape has undergone a sea change. The CCPA's definition of 'personal information' (8) is not linked to those elements that, if compromised, can cause tangible harm to the individual; instead, the CCPA's definition drills down to capture what was previously thought of as non-identifying data, such as device ID and IP address, and 'drills up' to capture an amorphous and highly changeable concept of 'household.' The CCPA provides that:

    'Personal information' means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. (9) Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

    (A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

    (B) Any categories of personal information described in subdivision (e) of Section 1798.80. (10)

    (C) Characteristics of protected classifications under California or federal law.

    (D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

    (E) Biometric information. (11)

    (F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.

    (G) Geolocation data.

    (H) Audio, electronic, visual, thermal, olfactory, or similar information.

    (I) Professional or employment-related information.

    (J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).

    (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. (12)

    To be clear, this article intends to cover only US privacy law, of which there is a great deal to discuss among state laws, (13) state and federal administrative pronouncements, (14) and limited federal statutory law. (15) However, as earlier suggested, the subject cannot be properly addressed without some understanding of the origins and influence of the GDPR, which is of great importance both of itself and as a template for US legislation and its interpretation. (16)

  II. SOURCES AND SUBJECTS OF PRIVACY LAW AND GUIDANCE

    Unlike many articles, this one will not enumerate all material elements of existing statutory law. Rather, while such provisions will be summarized, the focus will be on presentation of informal but highly material authority that may be under the radar of more traditional discussions, as well as a discussion of whether the entire regime provides substantial social value, both in itself and relative to the burdens it imposes on private activity.

    In the authors' experience, the term privacy is frequently employed to encompass one or more of the following, all of which involve a separate set of considerations and concerns:

    * protection of consumers from financial crimes associated with wrongful access to their identity and online credentials through both requirement of prompt notice of data breaches (17) and substantive regulation of steps to prevent them, (18) as well as sporadic consideration of class action litigation pertaining to non-compliance with such legislation; (19)

    * protection of individuals from government 'spying' on their online activities or other intrusions upon their freedom, stemming from the revelations by Edward Snowden regarding such activity by the US National Security Agency (NSA); (20)

    * protection of individuals from commercial tracking and oversight of their online and physical (21) activity, whether with respect to targeted advertising or otherwise, by those authorized to possess their information;

    * protection of individuals from unknown and/or unwanted sharing of any information concerning them by those authorized to possess their information; and

    * special protection of children (typically those at or under age 13 (22)) from any third party tracking or oversight of their online activities.

    In place of federal codification of authority or generally applicable federal statute, we have the following patchwork of state and federal approaches:

    * Pursuant to its contested but ultimately recognized authority to regulate 'unfair or deceptive trade practices' under Section 5 of the Federal Trade Commission Act of 1914, (23) the Federal Trade Commission has provided guidance and more through a series of 'consent orders' naming allegedly offending companies, (24) formal rulemaking, (25) formal litigation such as the Wyndham case, (26) and informal but influential recommendations. (27) A particular focus of the FTC is the adherence of companies to the privacy policies which they post. (28)

    * Pursuant to its direct authority to enforce the Children's Online Privacy Protection Act, the FTC promulgates rules and brings proceedings to enforce the Act where information collection from or about children has exceeded legal limits;

    * As discussed infra, virtually every state has enacted some form of data breach notification law;

    * Several, but by no means all, states...
