Joey Seeber is CEO of Level Legal, an eDiscovery, managed review, and consulting company dedicated to delighting corporations and law firms through concierge service. Views are the author’s own.
When it comes to evolving privacy restrictions, corporations should be careful what they wish for.
Digital technology inherently develops fast; the federal government, also inherently, tends to move slow. This inertia stifled consumer privacy concerns. So as corporations sought clarity on privacy issues, various states stepped in to fill the regulatory vacuum. The result: vexing confusion.
For example, California, New Mexico, Maine, and Virginia already have significant consumer privacy laws. New York, Massachusetts, Maryland, and Hawaii have new laws in the works. Nearly 25 states are at various stages of the legislative process, ranging from holding out altogether to playing the waiting game.
This patchwork approach creates a daunting challenge for any organization with a nationwide footprint to navigate. It’s already making a significant impact on the administrative and financial overhead of compliance professionals, as well as their organizations’ potential exposure.
Recently, as corporations sought additional clarity on privacy issues, the feds stepped in. The result: more vexing confusion.
The Situation (for Now)
For starters, the Biden administration made its changes through an executive order instead of through the legislative process. Such orders work through federal agencies rather than court-enforced legislation. This gives regulators the authority to enforce policy goals. But if the past is any guide, if the White House switches parties, the next two paragraphs would vanish with the stroke of a pen.
Still, President Biden’s executive order issued last July, “Promoting Competition in the American Economy,” is currently in force, and it does link anti-competition inquiries in merger situations to data privacy.
The order’s stated aim: “…to enforce the antitrust laws to meet the challenges posed by new industries and technologies, including the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors, the aggregation of data, unfair competition in attention markets, the surveillance of users, and the presence of network effects.”
Biden’s appointments of “tech foe” Jonathan Kanter as antitrust chief at the Department of Justice and of Lina Khan as chair of the Federal Trade Commission underscore this more aggressive posture.
As a result, pre-merger due diligence and second requests will involve far more regulatory scrutiny. We expect acquiring entities will be forced to undertake more effort to ensure they don’t run afoul of the additional regulatory oversight.
What to Do Now (No Matter What)
As regulatory enforcement increases, seminal cases are litigated, and even more states enact privacy regulations, a federal standard will become more likely. The implications of any federal legislation for businesses, especially those for whom personal data is a significant asset, could be enormous for the unprepared.
Given the uncertainty created by this collision of unknowns, companies should protect themselves on the privacy front. Specifically, organizations should assess their data management processes, workflows, and controls to ensure their compliance protocols stay robust.
Let’s start with companies preparing for mergers and acquisitions. Regulators are increasingly observant about compliance infringements, while acquiring companies are under pressure to ensure they do not inherit historical privacy issues and liabilities.
Federal Trade Commission (FTC) oversight in merger enforcement has been intense in recent months. Describing 2020 as “a fiscal year like no other,” the FTC recorded its busiest merger enforcement year since FY 2001; multiple actions were amended or abandoned even before the second request stage.
As pre-M&A due diligence grows more intense, privacy compliance will inevitably move closer to center stage in transactions. Failures in compliance can lead to collapsed deals or substantial reductions in purchase prices. Also, as more states customize their privacy legislation, we can expect even more compliance challenges.
Not expecting any M&A activity? There’s still work to do:
- Start with rigorous data retention policies dealing with employee data in case of Data Subject Access Requests (DSARs). These will inevitably become more common due to compliance with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- Expand your focus. Now is the time to put workflows, processes, and data management in order and ensure they are built to accommodate future changes.
- Monitor regulations on the state level. Though juggling state-by-state privacy compliance laws is not impossible, companies working in more than one jurisdiction will need to pay particularly close attention to their data to maintain compliance. While large companies have the capacity to devote resources to the problem, they will need to allocate additional resources as more states introduce their own privacy legislation.
- Keep up with the debate in Washington. Beyond its professional and organizational implications, a federal privacy law could also directly affect companies’ technology and security requirements, since it will necessitate intensive collaboration between IT, data management, information governance, compliance, marketing, and legal teams. The intensity of the impact will depend on whether there is a size-of-business threshold regarding the imposition of these requirements – and whether the organizations affected are ready.
- Ask for help when needed. Since the privacy compliance field will remain challenging, if in doubt, bring in expert help. For example, by enlisting law firms or alternative legal services providers like Level Legal that specialize in data privacy restrictions, organizations can anticipate whether those matters will in fact lead to litigation or fines and can brace for the inevitable shifts to come in this most complex of environments.
- Hire a chief privacy officer. CPOs help organizations foster a culture of privacy, in which privacy truly becomes a prime focal point of the company’s mission and daily operations.
While the present is confusing and the future uncertain, the more corporations address privacy restrictions proactively today, the less they risk being forced to respond reactively tomorrow.