Tune in to the latest episode of Ropes & Gray's podcast series The Data Day, brought to you by the firm's data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Washington, D.C., and Edward Machin, counsel in London, discuss the latest developments keeping the data team busy, including the drive to build AI governance programs in Europe and the U.S. and the launch of a new state privacy law microsite. The microsite features an interactive map of the U.S. that captures the rapidly developing privacy laws emerging from each state.
Transcript:
Edward Machin: Welcome, and thank you for joining us on the latest installment of The Data Day from Ropes & Gray, a podcast series brought to you by the data, privacy & cybersecurity practice here at Ropes. In this podcast, we'll discuss exciting and interesting developments in the world of data. We feature attorneys at Ropes as well as clients, regulators, and other industry leaders in conversations about what's new in the world of data. My name's Edward Machin—I'm counsel in Ropes's data, privacy & cybersecurity practice, and I'm based in our London office. I'm joined by my colleague and co-host, Fran Faircloth, a partner in our Washington, D.C. office.
Fran Faircloth: Thanks, Edward. On this installment, we're going to be discussing some of the latest developments that have been keeping us busy day in and day out, especially as we go into the summer. So, Edward, what has that looked like for you in our London office?
Edward Machin: Predictably, a lot of focus is on AI currently in Europe, both in the U.K. and the EU. As we get closer to the EU AI Act taking effect, companies are increasingly looking at and starting to formalize their governance processes and structures, thinking about how their products and services will use and be used by AI, as well as the types of external services and products and services that they are looking to bring into their organization. Companies are at all stages of their development here, from haven't really taken any steps, know about AI and are thinking about it and wanting to know more, all the way to those who are much more sophisticated and been thinking about these types of technologies and uses of data for some time. We've been speaking to companies at all ends of the spectrum, big and small, about their AI challenges and opportunities, so that has been very interesting.
Relatedly, obviously AI is industry agnostic and sector agnostic, but it's worth noting that the EU Commission recently put out a consultation on AI in financial services—that's banks, insurers, private equity firms, asset managers. Companies have until the 13th of September to respond to the questionnaire and the consultation, so if you want your chance to potentially influence European AI policy, that is a good opportunity to do so. Even if your firm or your company does not want to do that, if you don't want to discuss with the Commission the progress that you're making on AI, I would urge listeners to at least read the consultation—it provides actually quite a nice framework for thinking about AI, both the risks and the opportunities, and what it is that you need to be thinking about when building the governance framework that you need to put in place. Once again, companies have until the 13th of September this year to respond. The link is on the European Commission website, or feel free to get in touch with Fran and me, and we can send that to you.
Closer to home in the U.K., we saw a really important decision come out from the High Court in a case called Harrison v. Cameron. This case concerned a fairly niche aspect of subject access requests under the U.K. GDPR, but one that will potentially affect most companies in actually quite a significant way. And what the judgment confirmed and aligned U.K. case law with at the position currently in the EU is that an individual making a subject access request in addition to receiving copies of their personal data, can ask companies (i.e., data controllers) to provide them with categories of third parties to which their data was sent or specifically to list those third parties, and that is at the choice of the requester. Today, requesters have typically asked for categories of third parties to be provided, which can generally be met by controllers by providing a copy of their privacy notice. Now, companies may have to provide specific and individualized names of third parties to whom the requester's personal data was sent, which, as you can imagine, might be challenging—there could be dozens or potentially hundreds of third parties that need to be named—so that's something for companies to look out for. I suspect we will start to see these types of more targeted requests coming through as requesters and their lawyers become aware of the judgment, and so, it's something for companies to understand that they will probably have to deal with more frequently going down the track.
How about you, Fran—what's been going on in the U.S.?
Fran Faircloth: It's really interesting, Edward, because the issue of what data subjects are requesting is something that's becoming more and more important to my clients here in the U.S. as we've seen more state laws passing similar requirements. Just a couple weeks ago, in Rhode Island, their legislature passed a new privacy act. The act contains a really unique privacy notice requirement in line with just what you're describing that would require entities to disclose not just categories of third parties but the actual third parties to whom they sell or may sell personally identifiable information. So, there are a lot of questions and uncertainties to be defined there, but an issue that we're watching closely.
On the whole, we've been extremely busy tracking these various state privacy laws that have been coming into effect. We're six months into 2024 and we have six new state privacy laws, which is a 50% increase in states that have now passed those laws and put them into effect. Just this year, it started with New Jersey, but New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, and most recently Minnesota have all passed—and the governor has signed—their own versions of data privacy laws. They largely follow the models that have been set by previous states, starting with California and the CCPA, but then going to Colorado, Virginia, and Utah—they all have their variations, but there are a lot of similarities between them as well. Because this area is moving so very quickly, and our clients were constantly requesting, "What's new? How do we keep up with this?" we have made available on our website a State Privacy Law Tracker, an interactive map where you can filter by comprehensive privacy laws, consumer health privacy laws, including the more specific ones that have passed recently, like the Washington and Nevada laws. They're color-coded, which is always fun, but it will also show you comprehensive inspired laws, so the laws that are similar to these fully comprehensive privacy laws that have passed in states like California, Virginia, and Colorado, but that cover a more narrow scope of businesses. Nevada and Florida are the laws that fall into that category, where many clients don't fall within their scope because they are so focused on particular types of businesses, but they do provide for similar provisions.
On the whole, we're now up to 18 states with a fully comprehensive privacy law—20 if you count Nevada and Florida. There are about five or six more that currently have legislation being debated in their state legislatures, along with Rhode Island, which as I said, their legislature recently passed theirs. Pennsylvania has something in cross committee, so they're also very close—we're watching that closely. These are things that we update regularly on our State Privacy Law Tracker, and we will put the website for that in the notes for the podcast. But also, if people want to find the privacy law tracker easily, you can go to our blog, RopesDataPhiles.com—there is a link to the State Privacy Law Tracker there on our blog as well. We also frequently there publish summaries of the new state laws that have passed and the various requirements, how they differ from others, and when people should be watching for them to come into effect.
One thing that we're watching closely is the variation between these state laws, because we're seeing a lot of similarities but some pretty significant variability. So, for example, earlier this year, the Vermont legislature passed its own version of a state privacy law with one very notable difference. It was the first state legislature to pass a privacy law with a robust private right of action—that's something that we haven't seen in any of the other states to date. All of the other states' privacy laws, for the most part, only have enforceability by the AG, or in the case of California, the specific agency. California does have a limited private right of action in the case of a data breach, but for violation of just the pure state comprehensive privacy law, those are enforced only by state officials. But the Vermont bill, which was passed by its legislature, was ultimately vetoed by the governor, so they are back to the drawing board on that one. We still do not have a state privacy law that includes such a private right of action, and this private right of action is frequently the thing that causes significant debate in the U.S. when legislatures are trying to pass these types of laws. It's one of the main sticking points along with preemption of state laws that has held up federal privacy law from being passed in the U.S.—we are watching that incredibly closely as well.
Just today, legislators are convening to mark up a landmark federal privacy proposal, one of the closest we've gotten so far, but there is significant pressure from business groups that have raised objections to this latest version. We're watching this closely, along with the state bills, but there have been many of these federal proposals over the past decade or more, and so far, none have made it all the way through—so, we'll see if it does this time. Until then, we're relying on the various patchwork of state laws. So far, only a handful of those are actually enforced: California, of course, Colorado, Connecticut, Virginia, and Utah have already come into effect. As of July 1 (before this podcast ever airs), we'll have at least two more, Oregon and Texas—three if you count Florida. And then, later this fall in October, we're looking forward to the Montana state privacy law coming into effect. I said probably a year or two ago that as we got closer and closer to half of the states having some pretty consistent state privacy laws, maybe that would tip the scale on federal privacy legislation. So far, we haven't seen that happen, but we're still watching for it. So, that's what we're looking at here in the States.
Edward Machin: That's really interesting, Fran. It sounds like, if nothing else, legislators and regulators on both sides of the pond are working incredibly hard to push forward various pieces of law that will keep us and our clients busy for the foreseeable future.
Fran Faircloth: Absolutely. Some really interesting legislation out there and some developments that have been frankly surprising.
Edward Machin: I had read an article recently that I think speaks to the different attitudes to privacy and data protection generally between generations. The article was in the Financial Times, a paper of record in the U.K., and the gist of it is that, unlike older generations, youngsters and those in Gen Z are more willing and comfortable with being tracked and tracking each other on their smartphones, and this is through certain apps and the gamification of location data in certain ways. I found it really interesting in that, as an older generation and user of early smartphones, that that was the type of thing that you might shy away from or be concerned about. I thought that the punchline to the article was also quite amusing, in that actually, teenagers and other young people don't mind being tracked on their phones, but the most creepy or cringy thing that they could do would be to call one another on their phones, which sounds about right in my family. So, it's just an interesting insight into the way that smartphones and technology have been increasingly used, and attitudes to that type of tracking and so on are shifting amongst generations.
Fran Faircloth: That is really fascinating, and I've definitely seen that ring true in attitudes of myself and my parents, or myself and my kids—whereas I'm comfortable with some forms of tracking or targeted advertising that my parents maybe aren't comfortable with, and then my kids just think nothing of it. Definitely a lot of food for thought, though.
A big thank you to everyone who tuned in to this episode of The Data Day from Ropes & Gray. If you would like to join us, we'd love to have you to discuss some of these fascinating issues, or if you know someone we need to talk to on the show, please reach out to Edward or me by email or alternatively, we're both on LinkedIn. If you enjoyed the show, please do subscribe. You can listen to the series wherever you regularly get your podcasts, including on Apple and Spotify. Thanks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.