American Privacy Law at the Dawn of a New Decade (and the CCPA and COVID-19): Overview and Practitioner Critique (pdf)

Article PDF cannot be displayed. You can download it here:

https://scholarship.law.marquette.edu/cgi/viewcontent.cgi?article=1363&context=iplr

American Privacy Law at the Dawn of a New Decade (and the CCPA and COVID-19): Overview and Practitioner Critique

Marquette Intellectual Property Law Review Volume 24 Issue 2 Article 4 Summer 2020 American Privacy Law at the Dawn of a New Decade (and the CCPA and COVID-19): Overview and Practitioner Critique Kimberly Dempsey Booher Martin B. Robins Follow this and additional works at: https://scholarship.law.marquette.edu/iplr Part of the Intellectual Property Law Commons, International Law Commons, Privacy Law Commons, and the Science and Technology Law Commons Recommended Citation Kimberly D. Booher & Martin B. Robins, American Privacy Law at the Dawn of a New Decade (and the CCPA and COVID-19): Overview and Practitioner Critique, 24 Marq. Intellectual Property L. Rev. 169 (2020). This Article is brought to you for free and open access by the Journals at Marquette Law Scholarly Commons. It has been accepted for inclusion in Marquette Intellectual Property Law Review by an authorized editor of Marquette Law Scholarly Commons. For more information, please contact . ROBINS_BOOHER_MACRO.DOCX (DO NOT DELETE) 2/8/21 2:57 PM AMERICAN PRIVACY LAW AT THE DAWN OF A NEW DECADE (AND THE CCPA AND COVID19): OVERVIEW AND PRACTITIONER CRITIQUE Note: This article was finalized by the authors and editors on November 10, 2020 and does not discuss any developments which may have occurred thereafter. In light of the extraordinarily rapid evolution of law and practice in this area, readers are urged to take into account the possibility of intervening developments, including potential action regarding legislation pending at that date. KIMBERLY DEMPSEY BOOHER MARTIN B. ROBINS* I. INTRODUCTION: WHAT DO WE MEAN BY PRIVACY? ............................... 170 II. SOURCES AND SUBJECTS OF PRIVACY LAW AND GUIDANCE .................. 174 III. EUROPEAN UNION GENERAL DATA PROTECTION REGULATION............ 177 IV. BREACH NOTIFICATION LAWS ............................................................... 179 V. AFFIRMATIVE SECURITY AND OTHER OBLIGATIONS .............................. 180 VI. FTC RULES AND ADMONITIONS—DISCLOSURE–BASED AND OTHER ... 183 VII. CHILDREN’S ONLINE PRIVACY PROTECTION ACT (“COPPA”) ............ 186 VIII. CALIFORNIA CONSUMER PRIVACY ACT (“CCPA”) ............................. 189 IX. ROLE OF PRIVACY POLICIES ................................................................... 193 X. CRITIQUE AND RECOMMENDATIONS: GENERAL AND RESPONSIVE TO COVID-19 DEVELOPMENTS ............................................................... 195 * Both authors are partners practicing in the Privacy and Corporate Practice Groups at the international law firm of FisherBroyles, LLP, Ms. Booher in the Palo Alto, California office and Mr. Robins in the Chicago, Illinois office. Both hold J.D. degrees (cum laude) from Harvard Law School, 1998 for Ms. Booher and 1980 for Mr. Robins. Ms. Booher holds a B.A. degree (summa cum laude) from Boston University while Mr. Robins holds a B.S. degree (summa cum laude) from the Wharton School of the University of Pennsylvania. Feedback is encouraged: the authors may be reached at and . The views expressed herein are solely those of the authors and not those of FisherBroyles, LLP. ROBINS_BOOHER_MACRO.DOCX (DO NOT DELETE) 2/8/21 2:57 PM 170 [Vol. 24:2 MARQ. INTELL. PROP. L. REV. A. Breach Notification Statutes ......................................................... 195 B. State Substantive Regulation ........................................................ 197 C. Informal FTC Regulation ............................................................. 197 D. Children’s Online Privacy Protection Act .................................... 198 E. Information Collection and Usage; Present law: Opt-in; Opt-out 199 XI. COVID-19 AND PRIVACY....................................................................... 202 A. Alternative Technologies.............................................................. 203 B. Voluntary vs Mandatory: Legal and Health Ramifications .......... 203 C. Non-US Mandatory Approach ...................................................... 206 D. Need for Unified Approach .......................................................... 207 XII. CONCLUSION ......................................................................................... 208 APPENDIX ................................................................................................... 209 I. INTRODUCTION: WHAT DO WE MEAN BY PRIVACY? The topic of privacy comes up very frequently today. Apart from the extensive discussion in technology and academic circles, within the political arena this is apparently the closest thing to a bipartisan concern,1 and the popular press and business-oriented legal environment all treat the subject as a high priority. COVID-19 and a fervent desire by all to use technology to reduce the likelihood of its recurrence are justifiably major factors in current discussions, but equally justifiable concerns about the impact of such technology on Americans’ privacy also demand a good deal of attention on privacy law as it stands and as some may seek to change it. For example, as this article was being finalized, the Wall Street Journal reported that in an effort to expedite employees return to work following virus-related lockdowns, “United Health and Microsoft Corp. jointly developed an app that checks worker symptoms and gives a go-ahead to report to work.”2 1. For example, when commenting on pending legislation, Republican Sen. Josh Hawley stated: “I hope once more that the perfect won’t be the enemy of the good. . . . I hope that in the next year — still in this Congress — that [the] Commerce [Committee] and others will say, ‘You know what? We can get some things done.’” Jessica Smith, Will 2020 be the year of a federal privacy law?, YAHOO FIN., (Dec. 23, 2019), https://finance.yahoo.com/news/will-2020-be-the-year-of-a-federal-data-privacy-law-185226703.html. Of course, this was the view prior to the COVID-19 outbreak. 2. Sarah Krouse, Bosses Begin Testing Workers for COVID-19, WALL ST. J., (May 25, 2020), https://www.wsj.com/articles/covid-19-tests-come-to-work-11590399001?mod=hp_lead_pos3. In the same article, a human resources executive stated that ‘health questions once deemed too intrusive are now necessary for workplace safety.’ This may be medically correct but ignores the fact that applicable privacy laws did not change during the pandemic. Several bills are pending in Congress to regulate the use of such apps. For example, Sens. Cantwell, Klobuchar, and Cassidy introduced the Exposure Notification Act. See note 165 and accompanying discussion. ROBINS_BOOHER_MACRO.DOCX (DO NOT DELETE) 2020] AMERICAN PRIVACY LAW 2/8/21 2:57 PM 171 Yet, there is a good deal of disagreement as to what ‘privacy’ actually entails and why it should be prioritized. This article intends to explain the different objectives and authorities incorporated into this area of law and provide the authors’ own views, as experienced practitioners advising technologically-oriented busines (...truncated)