Emma Maconick is a partner in the Intellectual Property Transactions Group at Shearman & Sterling.

What were key themes for your business in 2019?

The U.S. takes a “patchwork” approach to privacy and data protection laws, with a mixture of various state and federal laws, each directed to specific business sectors or types of personal information. In 2019, we saw significant increases to requirements and the complexity of that patchwork, with new laws passed and coming into effect at the state level.

One key theme of 2019 was state efforts toward more comprehensive consumer privacy protections, and many businesses have been busy preparing for the first U.S. comprehensive consumer privacy protection law, the California Consumer Protection Act (CCPA), which comes into effect January 1, 2020. In addition, numerous states strengthened their data breach notification laws, and New York added general data security requirements for businesses under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

While laws such as CCPA and the SHIELD Act carve out allowances for companies to comply with existing laws (such as GLBA, HIPAA or FCRA), little has been done to unify or simplify the U.S. legal framework for privacy and data security.

What are your expectations for 2020?
In 2020, we will see how the CCPA works in practice, and there is particular interest in learning how the California Attorney General may enforce the CCPA. Yet, even as businesses and consumers adjust to the CCPA, an update and strengthening of consumer privacy protections will appear as an initiative on California’s November ballot, in the proposed California Privacy Rights Act.

We also expect to see further state efforts to pass comprehensive consumer privacy laws, particularly New York and Washington, which may be similar in scope to the CCPA but differ in approach and specific requirements. Companies will need to devote, and in many cases increase, resources committed to privacy and data protection compliance in 2020.

If state privacy laws continue to increase in fragmented complexity, we expect to see more calls for a unified framework to be adopted at the federal level. While there appears to be bipartisan Congressional support for some action in this area, including several proposed approaches in 2019, it is difficult to say whether any significant federal legislation will be passed in 2020.

What trends are getting underway that people may not know about but will be important?
The next few years will be crucial in the development of U.S. privacy and data protection laws. While privacy activists push for stronger laws and increased individual rights, many businesses will lobby for simpler laws that can be practically implemented and do not conflict with existing business models.

We may also experience a sea change in consumer privacy protections if Congress enacts a federal law with preemptive effect. However, since there is currently no consensus around a federal approach to consumer privacy, we cannot say what kind of framework may result. Or, if the lack of federal action continues, we may see early state laws begin to function as de facto national standards in the U.S.

In the meantime, businesses will need to grapple with the uncertainty inherent in a fractured and developing legal landscape.