INTERVIEW: Data-privacy compliance timeline is 'yesterday,' leading tech lawyer says

The regulatory and legal landscape surrounding the use of data, and data privacy, is rapidly becoming more complex. As state and even city regulations and laws are retooled, proposed or enacted, the proverbial patchwork of regulations is becoming at best a headache and at worst a legal and regulatory minefield for compliance and legal departments.

Cynthia Cole, special counsel, Baker Botts L.L.P.

Cynthia Cole, special counsel in the Palo Alto technology practice at law firm Baker Botts, discussed in an interview with Regulatory Intelligence the challenges of the complex data-privacy landscape. Cole warned that the timeline for compliance with the new data privacy laws is “yesterday” and there are basic principles firms must be undertaking to be prepared for the onslaught of new regulations.

(A video of the full interview was published with this article.)


U.S. companies trying to manage data protection and cyber security regulations and guidance from multiple jurisdictions met an enormous challenge last year when strict new EU rules governing the use of personal information took effect. The European Union's General Data Protection Regulation (GDPR) laid the groundwork for others to follow in passing their own stricter data privacy laws.

“GDPR was pretty well written, and mapping, segregation, and planning efforts in preparation by firms was largely successful and beneficial,” Cole told Regulatory Intelligence. However, she said, “even now a year later, most companies are still nowhere near compliant.”

GDPR is designed to protect the privacy rights of individuals in the EU, and it applies to all companies that control or process the personal data of individuals in the EU, regardless of where those firms are located: a non-EU firm is caught when it offers goods or services to those individuals or monitors their behaviour. The regulation took effect May 25, 2018.

The regulation was created with a deliberate global reach and set a new level of obligations and expectations regarding data protection, security, and management. It is also more restrictive than its predecessor, the EU's 1995 Data Protection Directive, and than any U.S. federal or state law.

GDPR applies to interactions with individuals in the EU, online or otherwise, no matter where in the world the business is located. It includes enhanced requirements regarding consent to use, and a right to erasure (the "right to be forgotten"), under which an individual can require that their personal data be deleted. That right is one of the more problematic challenges from a U.S. perspective.

Preparing for GDPR came with myriad implications for U.S. firms. A key principle of the regulation is that control over personal data is treated as remaining with the individual (the data subject) rather than with the data controllers or processors. This is a distinctly different legal view from that in the United States, where countless businesses run commercial models based on the use and sale of data. It presents unique challenges for U.S. companies and for U.S. regulators and lawmakers.


A global trend toward stricter or new data privacy laws gathered momentum after GDPR took effect last year. Most noteworthy of these laws is the California Consumer Privacy Act (CCPA), which is scheduled to go into effect January 1, 2020.

The CCPA is currently considered the most expansive state privacy law in the United States. The law was swiftly written and passed, and signed by then-Governor Jerry Brown, in an effort to avert a similar privacy ballot initiative which was seen by some interests in the tech-dominated state as overly harsh. Several amendments to the law now are awaiting Governor Gavin Newsom’s signature, and there are rumblings of yet another ballot initiative to further strengthen the laws.

In 2019 alone, at least six other states — Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington — introduced similar privacy bills. Several other states have amended existing laws to include or strengthen data privacy, data use, and cybersecurity requirements. Nevada's amended law was among the first to take effect, on October 1, 2019.

The New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") was signed into law in July 2019; its breach notification amendments took effect on October 23, 2019, and its data security requirements apply from March 21, 2020. The SHIELD Act expands New York's breach notification requirements and imposes heightened data security requirements intended to prevent a breach.

Expectations that the U.S. Congress might pass federal legislation to preempt state rules have faded despite bipartisan support, and Congress is considered unlikely to deliver a privacy bill this year.

Therefore, Cole said, firms must proceed quickly with compliance efforts, focusing first on general principles and then on working out which specific laws apply, since many jurisdictions have rules tailored to particular industries or types of company.

California's data privacy law will affect any major company with an online presence. It applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of annual revenue from selling consumers' personal information. Covered businesses must allow consumers to learn what personal information has been collected about them.

It also lets consumers request deletion of their data and opt out of having it sold to third parties. Civil penalties, enforced by the California Attorney General, run up to $2,500 per violation and $7,500 per intentional violation.


The enforcement powers associated with GDPR are significant. Fines for the most serious infringements can reach up to 20 million euros or 4% of a firm's total worldwide annual turnover for the preceding financial year, whichever is higher.

With the potential for such stiff penalties, there was great concern about heavy-handed enforcement by data protection authorities in the EU. However, the penalties actually imposed so far under GDPR have been modest, totaling approximately 56 million euros over the first nine months.

The biggest penalty — 50 million euros — was issued by the French Data Protection Authority (CNIL) in January against Google. The fine was related to a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

A further risk emerging from GDPR is private litigation. Under Article 82 of the GDPR, any person who has suffered "material or non-material damage" as a result of an infringement has the right to receive compensation from the controller or processor.

The CCPA, and some other state laws, also create a private right of action, though the CCPA's is narrower than GDPR's: it applies only to breaches of certain unencrypted and unredacted personal information that result from a business's failure to maintain reasonable security procedures, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Cole told Regulatory Intelligence that "longer-term, privacy could turn into a class-action nightmare."

“The largest penalty in the U.S. is the cost of private litigation” as well as the reputational cost, Cole said.

She noted that all of the preparation work by companies, service providers and technology departments, particularly the data mapping and inventory done in the run-up to GDPR and other laws, could be open to legal review. It is likely that "none of it will be privileged, therefore all of that is discoverable and will be an enormous cost in future litigation," she said.


— As with any significant regulatory change, planning and preparation are essential. Firms should start by evaluating their current data protection systems, identifying what personal data they hold, and taking a cross-functional approach that brings together their legal, compliance, and IT teams to develop a detailed implementation plan.

— Firms should consider how much of their data is high risk and subject to GDPR, CCPA or another applicable law or regulation. This includes data managed by third parties. They need to determine, for each data set, whether the firm acts as a controller or a processor.

— Firms should also establish a process to verify and determine access rights internally, and a separate process for handling data subject access requests, including verifying the identity of the person making the request before any data is disclosed.

— Firms should review data mapping performed thus far in preparation for GDPR and check it against the differing and potentially broader definition of “Personal Information” under CCPA or other laws.

— Legal counsel must review all vendor agreements and contracts, from both the vendor and the customer side, to determine whether each relationship falls under the CCPA's service provider exception and whether the contract terms required of processors under GDPR are in place.

— Firms should devise a plan or process for responding to deletion and opt-out requests, including the "Do Not Sell My Personal Information" opt-out mechanism that CCPA requires of businesses that sell personal information.

— All online privacy notices and customer consents must be reviewed and revised by counsel.

— Businesses should be prepared to invest more in their data security capabilities, either by hiring additional staff or by upgrading existing technology. In many cases, financial firms may need to appoint a data protection officer to liaise directly with regulators; GDPR requires one where a firm's core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.

— A good data protection program will include a framework where compliance and legal departments manage or oversee workflow with a strong accountability component, as there will be a need to evidence the privacy program to regulators.

— A consideration of GDPR and CCPA, or other laws is now essential in developing a regulatory compliance framework for dealing with the vast amounts of personal data created and shared every day within a firm.

— Firms should create a unified compliance regime that accommodates all of their regulatory obligations. Since GDPR is generally more extensive than U.S. requirements, organizations need to determine which regime applies to which data and where the stricter standard can serve as the common baseline. Identifying gaps and overlap between regulations is critical.

— Companies must be cognizant of the rapidly changing data privacy landscape. Many do not understand the complexities of data and its potential misuses, so training and education on these evolving risks are critical.

(Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence based in New York.)


This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Oct. 4. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters