First, on June 28, 2018 the California legislature unanimously approved the California Consumer Privacy Act of 2018 ("CCPA"); hours later Governor Jerry Brown signed the CCPA into law. Bearing many unmistakable similarities to the European Union's General Data Protection Regulation ("GDPR"), which took effect in May 2018 in EU nation‑states, the newly-enacted California law is the first of its kind in the United States. The CCPA is set to take effect in 2020 and in the interim is sure to be the target of both business lobbyists and privacy advocates who will seek legislative changes to either contract or expand the scope and coverage of the new privacy mandate.
Previous visitors to the Faruki+ blog site will recall this author's prior commentaries about the European Union's GDPR and its coverage and impact on U.S. businesses and citizens doing business in or with personnel operating in the EU nation-states. Many of the consumer privacy considerations that were prominent in the multi-year run-up to the GDPR's May 25 effective date are now echoed in the new California law, including consumers' right to control their personal data, the right to know what information companies are collecting and why, and with whom businesses are sharing that information. U.S. businesses that paid only passing interest to the GDPR (often with disregard for whether it applied to them or not) cannot afford to have a cavalier attitude towards the CCPA requirements. As predicted with the advent of the GDPR, the CCPA, even with anticipated modifications over the next twelve months, is likely to serve as a template for other U.S. states seeking to assure that the privacy rights of their citizens are being protected.
The impetus for the hastily-enacted CCPA was the California legislature's stop‑gap effort to avoid a November 2018 statewide ballot initiative, which would have included an even more restrictive set of privacy rules. In the wake of the CCPA's enactment, the ballot initiative was withdrawn and won't be put to voters; nevertheless, the support for that grass-roots measure is noteworthy, with over 600,000 persons endorsing the ballot petition. That groundswell of support, which some commentators attribute to consumer hostility over data breaches, and most recently, Facebook's use and management of user data (recall the continuing revelations and heartburn over Cambridge Analytica's curation and use of Facebook data), caught the attention of Big Tech. Indeed, long before the petition-driven initiative qualified for the ballot, Silicon Valley and other large tech interests spent millions seeking to thwart the ballot measure.
While Big Tech supports the legislation passed hurriedly in California over the more aggressive set of measures that would have been put to voters in November, the business and tech communities harbor grave reservations about the CCPA's restrictions on data-gathering and use, ranging from retail operations (think behavioral advertising, personal marketing campaigns, customer loyalty programs and the like) to large tech firms, like Google and Facebook and Amazon, who use and deploy personal data in a myriad of ways. Fearful that other states now may follow California's lead, some large information technology and telecom companies are urging Congress to entertain federal legislation to normalize privacy obligations across the country rather than face a patchwork quilt of data privacy mandates being enforced in an uneven manner by state attorneys general. Regardless of whether they are subject to state or federal law, U.S. companies will face considerable compliance challenges and expense in complying with new, more expansive data privacy protections. Meanwhile . . .
The second significant development of late June 2018 has generated a great deal of attention, but at least initially, not so much from a privacy perspective. While there is a lot of hand‑wringing going on over the impact of California's new consumer privacy law, Amazon's acquisition of PillPack, an innovative on‑line pharmacy, provides an interesting counterpoint, and is expected to have a significant impact on the prescription drug industry, in both the existing on‑line marketplace as well as the still highly competitive bricks‑and‑mortar pharmacy segment. While mail-order pharmacies have been around for years and the pharmaceutical and drugstore markets have competed effectively in that landscape for patient traffic, Amazon's technology and logistics platform are a game‑changer for the industry, and the competition on service and price among the existing market leaders (including but not limited to CVS Caremark, Express Scripts, United Health, and more recently Target and Walmart), with the addition of Amazon, should be welcomed by consumers.
What is of less immediate impression is the privacy impact of Amazon's recent PillPack acquisition. Of course, the privacy concerns over personal health and medical information are already subject to tight controls under HIPAA, the federal Health Insurance Portability and Accountability Act, and Amazon will be required to abide by HIPAA's stringent rules like all other pharmaceutical providers. The differentiator for Amazon, though, is that none of its new competitors in the pharmaceutical marketplace has the phenomenal depth of access to consumer data, shopping habits and lifestyle and behavioral information that Amazon has amassed.
While the federal privacy laws strictly control what (and how) personal health data or patient information can be used or shared, individuals may give consent to the sharing of this information, and many people will do so, either consciously or unwittingly, with an eye towards the convenience of using Amazon's service to receive prescription medications. When combined with Amazon's data analytics regarding a consumer's purchasing habits and activities, it is easy to see just how complete a profile of an individual is compiled once personal health data is baked into the data subject's record.
At a time when California, the nation's most populous state, is passing into law the country's most stringent data privacy law -- a clear shot across the bow of the tech sector and much of the U.S. business community -- Amazon's deep dive into the most highly‑regulated industry -- involving the most personal of personal data -- presents a sharp juxtaposition. It is a contrast and conflict that seems difficult to reconcile.
On the one hand, governments both here and abroad hear from constituencies that privacy rights are important, almost on an organic level, and that desire for privacy or the ability to control the disclosure and availability of one's own data deserves zealous protection. Thus, the emergence of comprehensive data privacy laws like the EU's GDPR and now, California's CCPA. On the other hand, the rapid acceptance of and reliance on digital devices, be they hand‑held, wearable, Bluetooth, wireless, house devices (like Alexa) and the like, when paired with an individual's ready (and frequently uninformed) agreement to "terms and conditions" or ignorance of "privacy policies," strongly suggests a more laissez-faire attitude to personal privacy in favor of immediate access to information and personal convenience.
What is becoming increasingly clear is that governments are taking aggressive steps to assure that individual data subjects (like you and me) can enjoy institutional controls to protect the privacy of our personal data, and that we may, on an individual basis, exercise control over access to our own data. But, when given the choice of convenience or protecting our personal information, the (subconscious?) risk/benefit analysis people undertake appears more and more to default to convenience. It is this juxtaposition of privacy versus personal convenience, as reflected in these two significant developments in June 2018 -- passage of the CCPA, and Amazon's nearly $1 billion entry into the world of personal health information -- that will serve as catalysts for a continued robust discussion over data privacy expectations, duties, responsibilities, and attendant costs, in the months and year ahead.