It has been three decades since the Electronic Communications Privacy Act of 1986 was enacted. Since then, federal legislation has touched upon privacy issues in a piecemeal fashion, including the Children’s Online Privacy Protection Act; however, Congress has not passed a major comprehensive privacy law in years. As a consequence, online retailers and others involved in e-commerce have little guidance relative to the connected marketplace, current consumer behavior and the advanced and ever-evolving capabilities of technology.
Though the leader in technological innovation, the United States lags behind other countries when it comes to data privacy regulation. For example, on April 13, 2000, the Canadian Parliament passed the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which sets the ground rules for how private-sector organizations collect, use and disclose personal information in the course of for-profit, commercial activities across Canada. More recently, on April 27, 2016, the European Union adopted the General Data Protection Regulation (GDPR), establishing fundamental, persistent rights and freedoms of EU residents with regard to their personal data. For its part, the U.S. has no corollary law.
If you operate a commercial website and wonder, “Am I subject to CalOPPA’s requirements?” the answer is almost undoubtedly yes. The law applies to any business collecting “personally identifiable information through the Internet about individual consumers residing in California.” Those outside California must be mindful of the mandates of CalOPPA as well, as its scope extends beyond the state’s border. Indeed, a violating entity need not be a California company. Instead, all that is necessary to be subject to CalOPPA is operation of a website accessible by California residents.
As of this writing, federal lawmakers are once again dipping their toes into the data privacy waters by trying to codify nationwide standards on breach notifications and how data is handled and stored. The current bipartisan bill (the “Data Acquisition and Technology Accountability and Security Act” or “DATAS Act”), introduced by Representative Blaine Luetkemeyer, a Missouri Republican, and Carolyn Maloney, a New York Democrat, appears to be gaining some traction, but passage is certainly not guaranteed. Time and again, such as immediately following the 2013 Target breach, members of Congress have proposed national, standardized privacy and data security requirements, but to no avail.
On the federal front, all one can do is wait and see. In the meantime, California remains at the forefront of consumer privacy law. For this reason, and given its reach, companies are encouraged to pay heed to CalOPPA and its far-reaching mandates.
Robert Estrin is counsel at Michelman & Robinson, LLP, a national law firm with offices in Los Angeles, Orange County (California), San Francisco, Chicago and New York City. He represents a range of clients, including those in the tech industry, involved in complex commercial disputes.