Data privacy and GDPR at one year, a U.S. perspective. Part Two - U.S. challenges ahead

New York (Thomson Reuters Regulatory Intelligence) - Risks associated with data, data privacy, and the changing global regulatory landscape for such issues are some of the most complex challenges facing financial-services legal and compliance departments today.


The approaching May 25 first anniversary of the effective date of the European Union's General Data Protection Regulation provides occasion to take a closer look at the rapidly evolving legal and regulatory landscape surrounding data privacy.

Part One of this two-part series offered a review of what has transpired in the year since GDPR took effect. The enforcement and penalties thus far have been somewhat restrained, outside of a 50 million euro fine levied on Google by French authorities. That action accounts for nearly 90% of the total GDPR fines to date.

Part Two focuses on the regulatory challenges ahead for U.S. firms in data privacy, with a particular emphasis on what’s being dubbed “GDPR-lite” or “California GDPR,” the California Consumer Privacy Act, and other new data privacy regulations on the horizon.


Without question, GDPR set a new standard for privacy laws and the rest of the world has taken notice. Amendments to Canada’s Personal Information Protection and Electronic Documents Act went into effect November 1, 2018 and have significant overlap with GDPR.

Australia's Privacy Act of 1988 underwent extensive updates in 2014 following a comprehensive review by the Australian Law Reform Commission. Australia published additional guidance and resources in June 2018 specifically addressing similarities and differences to GDPR.

Although there have been calls for similar federal regulations on privacy in the United States, there has been little action at the federal level and a patchwork of state regulations is beginning to unfold.

A recent white paper by The Centre for Information Policy Leadership (CIPL) argued that privacy "can be most effectively regulated at the federal level." CIPL is a global privacy and security think tank based in Washington, DC, Brussels and London. The white paper offered principles for a potential U.S. federal privacy law with the dual objectives of "providing appropriate privacy protections for consumers and enabling the digital economy and innovation to ensure U.S. leadership and competitiveness."

Several privacy attorneys told Regulatory Intelligence that it is unlikely Washington will act on such a complex issue in a highly partisan environment. Further complicating matters is that until now, the U.S. has been a generally permissive landscape for data collection.

Public and political emphasis on privacy so far in the United States has been focused on breaches and cybersecurity, as opposed to the European approach which has centered on personal privacy.

This permissive landscape where entire industries and some of the largest technology businesses have evolved and been built, and whose revenue models depend on the collection, use, and sale of data, will be hard to undo. This presents unique challenges for U.S. companies and U.S. regulators or lawmakers.

Therefore, the United States is likely to see a continuance of the state-by-state approach. The challenge of harmonization among the states, as well as with foreign laws such as GDPR, has become complex.


The California Consumer Privacy Act (CCPA), scheduled to go into effect January 1, 2020, is currently considered the most expansive state privacy law in the United States. The law was swiftly written and passed, and signed by then-Governor Jerry Brown, in an attempt to avert a similar privacy ballot initiative which was seen by some interests in the tech-dominated state as overly harsh.

In this year alone at least six other states — Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Washington — have introduced similar privacy laws.

Many of the other states have largely mirrored the California act. The Washington bill was passed in the state Senate but died as a version supported by the technology industry and a more stringent version favored by privacy groups could not be reconciled.

According to Cynthia Cole, special counsel in the Palo Alto technology practice at the law firm Baker Botts, “GDPR and the CCPA are largely consistent with significant overlap.” Cole said the data mapping exercises undertaken by U.S. firms in preparation for GDPR will put them in a better starting position for the preparation efforts.

Operationally, one of the largest challenges faced by firms now in preparing for the California law is the review of contracts.

Another challenge with CCPA is the “carve outs” or “exceptions,” such as publicly available information, certain medical and health information which is covered by other laws, or other financial information covered under the Gramm-Leach-Bliley Act. Service provider and vendor agreements must also be mapped and reviewed.

With all of these challenges, compliance, legal, and technology departments, and especially the data privacy lawyers, will be busy preparing firms to meet these new legal obligations.


A new risk emerging from GDPR is the risk of private litigation. Under GDPR, individuals are able to claim for “material or non-material damage” as a result of a breach of the GDPR.

The CCPA and other state laws also create a private right of action similar to GDPR. Cole told Regulatory Intelligence that “longer-term, privacy could turn into a class-action nightmare.”

Cole also pointed to all of the preparation efforts by companies, service providers and technology departments, particularly those related to mapping and inventory of data leading up to implementation of GDPR and other laws. It is likely that “none of it will be privileged, therefore all of that is discoverable and will be an enormous cost in future litigation,” she said.


— As with any significant regulatory change, planning and preparation are essential. Firms should start by evaluating their current data protection systems, identifying what personal data they hold, and bringing together their legal, compliance, and IT teams to develop a detailed implementation plan.

— Firms should consider how much data is high risk and is subject to the GDPR or CCPA or other applicable law or regulation. This includes data managed by third parties. They need to determine which data is deemed to be controlled or processed.

— Firms should also create a process to verify and determine access rights internally, and a process to address access requests.

— Firms should review data mapping performed thus far in preparation for GDPR and check it against the differing and potentially broader definition of “Personal Information” under CCPA or other laws.

— A review of all vendor agreements and contracts, from both the vendor and customer side, must be undertaken by legal counsel to determine whether each falls under the service provider exceptions.

— Firms should devise a plan or process for responding to deletion or opt out requests.

— All online privacy notices and customer consents must be reviewed and revised by counsel.

— Businesses should be prepared to invest more in their data security capabilities, either by hiring additional staff or upgrading existing technology. In many cases, financial firms may need to appoint a data protection officer to liaise directly with regulators.

— A good data protection program will include a framework where compliance and legal departments manage or oversee workflow with a strong accountability component, as there will be a need to evidence the privacy program to regulators.

— A consideration of GDPR and CCPA, or other laws is now essential in developing a regulatory compliance framework for dealing with the vast amounts of personal data created and shared every day within a firm.

— Firms should create a unified compliance regime that accommodates all regulatory obligations. Since GDPR is more extensive than U.S. requirements, it will require organizations to determine which is more applicable, GDPR or CCPA. Identifying gaps and overlap between regulations is critical.

— A compliance program will include the maintenance of records on data processing activities. A detailed records retention plan is a necessity under the laws and will be helpful in future litigation discovery.

— GDPR and CCPA will not be the last data privacy regulations businesses will have to address. A detailed strategy related to how a firm will overlay new regulations or laws in other jurisdictions will be helpful when new laws surface.

— Companies must be cognizant of the rapidly changing landscape when it comes to data privacy. Many do not understand the complexities of data and the potential misuses. Therefore, training and education on these new and evolving risks are critical.


(Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence based in New York.)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on May 17. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters