Description:
In our latest episode, Bill Tolson and special guest David Stauss, Partner at the Husch Blackwell law firm discuss privacy legislation and the lack of federal activity. David is the co-chair of the firm’s data privacy and cyber security practice. David states that the lack of federal activity is the common driving factor as to why certain state legislators are introducing privacy bills in their states.
Speakers
David Stauss
As co-chair of the firm's Data Privacy and Cybersecurity Practice, David helps clients understand and comply with the complex maze of existing and emerging state, federal, and international privacy and information security laws. David regularly counsels clients on the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA). He also assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 Podcast from Archive 360. This week's episode is titled, A Discussion on Privacy Legislation with David Stauss. Now, my name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive 360. David, who is my guest today, is a partner at the Husch Blackwell law firm and is the co-chair of the firm's data privacy and cybersecurity practice. David helps clients understand and comply with existing and emerging state, federal, and international privacy and information security laws. David, welcome and thanks again for taking the time to join me today.
David Stauss:
Yeah, thanks for having me, Bill.
Bill Tolson:
So David, you have a great podcast series called Data Privacy Unlocked, the legislating data privacy series, where you have so far interviewed eight state legislators on the topic of privacy legislation in their particular states. And I've talked to a couple of them separately, but nowhere near as many as you have. Have you noticed any common driving factor from these legislators as to why they introduced their bills in their various state legislatures?
David Stauss:
Yeah. In two words, federal inactivity, is essentially what it comes down to. I mean, by and large, everyone that I've talked to has said the same thing. Because I asked them, interestingly enough, I've asked them that question I think on every podcast I've done. Why is it that you've felt the need to propose this legislation? To a person, they say, "I would love it if the federal government would legislate in this area, but in the absence of that, I feel compelled to do so. These are legitimate issues that we need to get resolved. We think it should be resolved on the federal level to provide consistency, but we're not going to sit on our hands. We're going to try to solve this problem for our individual state residents."
Bill Tolson:
Well, and one of the things that in talking to organizations, as well as some of the state legislators and others, but especially big high tech firms and stuff, their hope, like you just said, and like the state representatives have said, we want federal government to take the lead in this and they haven't been doing it. But one of the questions or challenges around this is, if federal government doesn't take action soon, then you're going to have more and more slightly differing state bills, and we'll get into this a little later. They tend to be almost the same, but they do... Like California's, they do diverge a little bit, but I think I've had several people kind of mention to me the idea with a federal law would be that it would supersede all the state laws and make it so that companies had to follow one law versus 51 slightly differing laws. Have you had any discussions with the states on that?
David Stauss:
Yeah. And you've sort of nailed it on the head about what's driving the issue here is this fear of having to comply with what I guess in the Twitter-verse we call the patchwork of privacy laws, right? And the retort to that is it's not a patchwork when we're at three, right? Or far from a patchwork, especially when two, Virginia and Colorado, look very similar. The buzzword you get when you talk to lawmakers is interoperability, which was not a buzzword last year, but that's essentially the concept of, should these laws go beyond? Should X state have a stronger bill than the state before it? Should we try to just match what other states have done? Should we have similar terminology, definitions, provisions? So, you could as a business operate across multiple state lines and have one compliance module versus two. That remains to be seen.
David Stauss:
As we have three states now, Virginia, Colorado, California, and we will find that happy middle ground with those bills over the next year or so, to drive compliance. But if we see a bill say like the Massachusetts Information Privacy Act get passed, that's a whole different beast, then we're going to have to put our heads together and kind of figure that out. The issue though, that you also raise, is this issue of preemption, and essentially where that ends up coming down is would a federal bill preempt stronger state bills? Or would states still be allowed to go beyond and issue stronger regulations or laws, I should say, with respect to certain issues?
David Stauss:
A reference point there would be the Gramm–Leach–Bliley Act, which regulates financial institutions, and its privacy and security measures within financial institutions, just to name a couple provisions there, but that does not preempt stronger state laws. So, for example, California has gone beyond with the California Financial Information Privacy Act and has a stronger law. But having said all that, I think there is a recognition though that if there was a federal law, the likelihood of states feeling the need to do something more would certainly be dramatically reduced, such that this patchwork issue that I mentioned before would hopefully be resolved.
Bill Tolson:
Yeah. Yeah. And speaking from a commercial side, a business I'm in, we're in a high tech business, but we do business around the world. So we're looking at all the worldwide laws and the various ones that are popping up in the United States, and we're all sitting... And I'm sure many other companies are doing the same thing is, how do we do this? Do you pick like a high-water mark law and say, "Well, gee, if we meet this one, we meet everybody else's so let's not worry about it." I don't think that's possible by the way, just in some of the differences, but it is really highlighting the challenges that companies, organizations are going to have when collecting personally identifiable information for whatever reason. And my company, as well as many of the companies that we work with, we don't sell personal information. We're not in that business. It's used for sales and marketing purposes and stuff like that, and that's it.
Bill Tolson:
We never sell information. Our competitors really don't sell the information, but then you get into those businesses that actually, that's how they make money. And wow, they're going to have some big ongoing legal bills with just trying to make sure they're complying. But with these bills and you mentioned that they borrow from each other and I've been told that. I mean, the Minnesota representative as well as the Virginia representative, said, "Yeah, we do that for a couple reasons. We do it because it's easy, number one. And because if one law passed somewhere and based on the editorials and stuff, why not go that way?"
Bill Tolson:
And they all tend to have at least the same basic set of rights, the right to access personal data, the right to correct it, the right to delete it, and obtain personal copies, those kinds of things. One thing that I thought has been interesting, I'd like to get your opinion on this, is many of them, most of them, all of them, as far as I know, call out the right to opt out of processing of personal data for the purposes of targeted advertising. Meaning, we don't want you to use AI or machine learning with our PII. And I think that really came from the GDPR... I may be mistaken, but I think that's the first time I actually saw it, and I think others I'm sure are adopting it. Do you understand what the worry is from individuals about utilizing machine learning and AI?
David Stauss:
Yeah. I mean, maybe it's anecdotal, but my sense of it all, is it's perhaps the most in your face aspect of the issue. And what I mean by that is it's sort of the, you're using the family computer, you're searching for shoes or something like that, and all of a sudden the advertisement for those shoes appears on other websites that you navigate on that computer, but then it also appears on your cell phone. Right? And then, maybe your significant other, it appears on their cell phone too. Or, we hear from clients all the time, "Hey, I've got Alexa and I was just talking to my significant other and a day later advertisements pop on my cell phone for whatever I was talking about."
David Stauss:
I mean, when you look at the bill sponsors, when you listen to testimony of the bill sponsors and of consumer advocates and those types of things, it's that sort of, "Well, hey, wait a second. That seems invasive to me." And so, I think that's really at its core, and maybe just sort of broken down into simplistic terms, it's that sort of what exactly is going on when I jump onto your website? Because I can't see it. I don't know that it's been tracked. But the counterpoint to it is, there's a lot of cookie disclosures out there now, and there's a lot of information and opt in and opt out and those types of things, to try to regulate that. But I don't know that Europe really has the solution with all the cookie consent banners.
David Stauss:
It becomes the issue of, do the people just tune out? And in the United States where it seems to be playing out in the United States is a different way of addressing it, which is through opt out signal preference. So, that's required in the Colorado bill. It is optional in the California Privacy Rights Act, but the Attorney General's office is interpreting it as being required, but that's essentially, you as the consumer go to one place, download the GPC signal, and that signals to all the different websites that you're going to, that you don't want to be tracked. Right? So a different solution to the problem than maybe Europe has done.
Bill Tolson:
Well, there's no doubt, like you said, you do a search for something on the internet and five minutes later, you get a targeted email from Amazon or something like that with that exact same thing. That's a little creepy. So, I tend to guard against that. But on the other side, on the corporate side, I mean, there's a lot of productivity and automation increase in utilizing machine learning, especially around that kind of stuff, but I could see a company saying, "Okay, we're going to utilize machine learning and AI to better segment our customers and contacts and stuff like that, but we're not going to do real time advertising."
Bill Tolson:
I think there's still a lot of work that needs to be done in that specific area, but I noticed all of a sudden, they all include that. And that's really not a surprise because the various state legislators that I've talked to have all said, "Oh yeah, we all look at the other guy's stuff and for ease of use, we'll take portions of it or pieces of it." And the other thing that I've been told by some of the legislators is, we sort of do this on purpose because we understand the challenges around having 50 plus, wildly differing bills, and to make these privacy bills and laws easier to comply with, they all should be somewhat the same. So, I had one of them tell me about the Uniform Law Commission that they work with to stabilize laws across the various states so they're not wildly different. Have you run across the Uniform Law Commission?
David Stauss:
Yeah. So, the Uniform Law Commission released its draft data privacy bill, I want to say it was in the spring. I could be off a little bit on that, but the committee had worked together to draft the bill, released it, had publicized it, did a webinar on it. That bill, to my knowledge, having canvassed... I mean, I think just to set the stage, it's that legislatures have reopened or reconvened. In January, we're sitting here, it's late January now, we're recording this. We've got about 20 states who either have bills proposed or have told us that they're going to propose bills. Lawmakers have told us of those only one bill, in the District of Columbia, is using that Uniform Law Commission model state privacy bill. And listen, I always tell people when I'm talking state privacy law, what I say, it has a shelf life of plus or minus 10 minutes. Right?
David Stauss:
A bill could get proposed any second now that is using that draft bill, but that's the only place I've seen it so far, is in the District of Columbia. And there, if you look at the legislative website, it says that that bill was proposed at the request of the chairman of the Uniform Law Commission. Yeah, but it remains to be seen if we'd see something along those lines, but I think to your larger point of, yeah, lawmakers are by and large, either grabbing Reuven Carlyle's Washington Privacy Act, which is what Virginia and Colorado passed. Virginia passed a watered down version of it and Colorado passed a more robust version of it with more privacy tweaks there, or they are picking the California Consumer Privacy Act, or they're picking some sort of amalgamation between the two.
David Stauss:
I think when we get those blended bills, they become particularly difficult because the definitions don't quite work. Right? But lawmakers are saying, "Hey, I like how the CCPA or the CPRA handles X issue better than I like that in the Colorado bill. Throw that in there." But for guys like me, that creates consistency issues. To the point you made before about being able to talk to clients and explain bills and explain concepts, it makes it very difficult. I would say we haven't had a bill pass yet where we're thinking... At least between Colorado and Virginia, where we're thinking, "Oh my." Right? We saw it with the CCPA. I mean, the CCPA, the original draft was a mess. But setting that aside, we haven't seen a bill since then to be something that's not workable.
Bill Tolson:
Yeah. Yeah. That's interesting. You're probably much, much more familiar with these various draft bills as well as the laws than I am. Of all the ones... I'm just talking about in the States right now, but are there any additional... I mentioned kind of a compression of rights, the right to be forgotten, those kinds of things. Are there any additional rights that the majority of the privacy bills you're familiar with have not included that you think should be there? And I bring up the CCPA, and some of the other ones mention a private right of action. Some of them, California is creating a new office, but one that I thought was really interesting and I forget whether it was in 2019 or 2020, but the draft New York law included the concept of companies must access data [inaudible 00:14:41]. Obviously that bill didn't make it out, but I'm wondering with your expertise and background in this, is there anything that's missing?
David Stauss:
Yeah. So, I mean, let's just kind of talk through what we've seen so far that's gotten filed. You mentioned private right of action. In California, that involves data breaches, statutory damages. What we saw was Representative McFarland in Florida... Florida got very close last year. Both chambers passed the bill, but the bill was not the same, so it didn't pass by the time the legislature closed. Bills have been proposed in the Senate and the House. McFarland's bill in the House does have a private right of action, but it is a limited private right of action that is centered around privacy rights. So, for example, you tell a company, "Delete my information," and they don't delete it, you could sue. So, that's a different way of going about enforcement than what we have in California, Colorado and Virginia. Washington has a slew of bills now. One of those bills would also create a data protection authority, as was created in California, and would also create a private right of action; that was proposed in the House.
David Stauss:
It's now the third, in addition to Carlyle and Representative Kloba's bills, it is now the third type of broad consumer privacy legislation introduced in Washington. Washington's on a short legislative schedule. They only have 60 days this year; same thing in Florida, only 60 days as well, which is something we're tracking, right? Because I think people don't... You think, okay, a bill got proposed, we're off to the races. 60 days is a really short time to be able to try to get something across the finish line. And what you're looking for at that point in time is whether there's been a robust stakeholder process that's taken place before the bill was introduced, so a lot of those disagreements have been resolved by the time the bill was introduced. The other bill I sort of throw out there as sort of a game changer is... I mean, you mentioned New York, so I won't mention that one on the fiduciary responsibilities, but the Massachusetts Information Privacy Act as well as Representative Kloba's bill in Washington, the People's Privacy Act, is based on the ACLU version of a privacy law.
David Stauss:
And that would be much closer to a GDPR type concept with private rights of action and also biometric information privacy provisions in line with the Illinois Biometric Information Privacy Act. So that's essentially, you need to get consent for the collection of biometric information, and if you don't get consent properly, you can face a class action. And then maybe just to throw one more out there, because I think it's on my radar, at least, is Oklahoma. You have Representative Collin Walke down there. And last year he was able to get his bill through the house. And then it got stalled in the Senate judiciary committee. That bill has carried over and Representative Walke has filed a second bill as well, and that bill is consent-based, which is even stricter than GDPR, straight up consent for collection of personal information.
David Stauss:
So, there are, I mean, to your original point, Bill, I mean, there are some bills floating out there that could be game changers, I guess. I mean, I hate to just throw that term around, but there are some bills that if they passed, they would really create some issues for guys like me to try to drive compliance for companies.
Bill Tolson:
Yeah. I mean, one thing, and I'm not 100% on this and you probably know it, but I think at one point, didn't California's CCPA include the idea of presumed damages?
David Stauss:
This might be what you're referring to, I mean, two things come to mind. One is the private right of action involving data breaches is in the law now. And that is, if you have a data breach and it involves the type of personal, not all personal information covered by the law. We're not talking like IP addresses and those types of things, but if it's that core PI that's covered under state breach notification statutes, and you have... So you have a data breach, it involves that type of personal information, then there are statutory damages between $100 and $750 per consumer per incident. Now, when Alastair Mactaggart had run the ballot measure initially... And this is pre legislative process, there was a private right of action. He relented on that as a concession to business to essentially get it across the finish line.
David Stauss:
And that private right of action did not creep up in the California Privacy Rights Act, Proposition 24. Mactaggart has said that he felt like he had made a deal with business, and because of that deal, he didn't feel like he could go back on it. But I think, reading [inaudible 00:19:09], I think he'd like to see a private right of action and many privacy advocates would like to see a private right of action. There's no doubt about that.
Bill Tolson:
Yeah. I mean, it was... I agree, and I appreciate you explaining that. It was explained to me by a GC, that what I termed as presumed damages, if a breach occurred and the PI could have been viewed, then especially with private right of action, you don't have to show actual damages. You can go after the company based on the fact that there could be damages. Does that make sense?
David Stauss:
There is case law, and maybe this is what the GC was referring to. There is case law that got litigated out on a basis of Article III standing, which is essentially companies that had been breached were pushing back on lawsuits saying, "Well, hey, I mean, there's no real damage here. I mean, we were breached, but we gave the credit monitoring, a year of free credit monitoring. Nobody's been able to demonstrate actual harm." That took years to kind of play out in the court system. And I think the prevailing wisdom has become more consumer friendly in that regard, which sounds like might be what the general counsel was referring to.
Bill Tolson:
Okay. Okay. On another topic having to do with these state privacy bills, and because they tend to, to a certain extent, follow and copy each other, and so forth, one of the things that I've asked people, attorneys as well as the various legislators, is eventually, are you going to look at maybe making the bills more prescriptive versus... For example, most of the bills I've read, they all use almost exactly the same language around the duty to secure PI. And they say things like, "Must maintain reasonable administrative, technical, and physical data security practices." Now, I'm told by attorneys that, "Must use reasonable security practices," just is basically not an issue. Anybody could get by that. Now, I'm not an attorney, so I don't know that for a fact, but my question to various of the state legislators is, don't you think we're reaching the point where, in these state laws, instead of saying reasonable security practice, you could say, "All PII must be encrypted while in transit or while at rest?"
Bill Tolson:
I mean, that's not a new technology. That's been around for 50 years or more. You probably know that better than me, you're a cybersecurity expert, but some of these simple things like, "Data must be encrypted. Encryption keys must be kept separately from the database of the PII." Even things like, gosh, I remember years and years and years ago constantly getting emails from various companies that I was doing business with saying, "Here's your free year of credit monitoring." And I'd do some research and it turns out that some junior admin had downloaded the database with all the PII in it, on their laptop to work on it over the weekend, threw it in their trunk, and their car was stolen, and it's all unencrypted.
Bill Tolson:
So, on the tech side, there are some basic, possibly prescriptive requirements that could start to be added to these bills to say, "Yeah, data needs to be encrypted." Why wouldn't you encrypt it? In fact, I'm even told by cybersecurity insurance providers that, "Yeah, if our customers encrypted their data, their premiums would be less." I'm sorry, my long winded way of saying, do you think there's any push by the states and the people writing these bills to maybe start getting a little more prescriptive? Because by the way I asked the question of the various [inaudible 00:22:32] I've talked to, and Minnesota Representative Elkins basically said, "Yes. Yeah, originally we just wanted to get something going, so we just copied." He said, "Now this year..." Meaning 2022, his plan is to start adding some more prescriptive requirements around the security.
David Stauss:
Yeah, listen, it's a great question. It's been, as you know full well, it's been a question that's been debated for years. I know back in 2018, when Colorado implemented its Information Security Statute... This is different than the Colorado Privacy Act. This is just the you-need-to-have-reasonable-security-measures-in-place statute, that exact issue was debated with the Attorney General's office. And their point of view was, "Hey, we're concerned that technology is going to change so rapidly that anything we put on paper will become outdated." Now, the counterpoint that you make is, well, encryption has been around for a long time. Right? You do see some regulations in place that have that type of prescriptive requirements. The New York cybersecurity regulations that govern financial institutions have that requirement for encryption and encryption at rest, alternative compensating measures, those types of things.
David Stauss:
What I suspect is what we could see happen... It is tough for lawmakers, I think, in the sense that state lawmakers in particular are trying to get this issue right. By and large, they're going to tell you, "Hey, we're not experts in information security, we're leaning on other people." And because of that, I think they're more inclined to pass bills that are broad concepts; reasonable security measures. What I think though, to predict in the future, what I think you're going to see is rule making in that regard. So for example, in Colorado, the Colorado Privacy Act, the Attorney General's office has permissive rule making to implement the statute. There are a number of times in the Colorado Privacy Act where it refers to technical and organizational measures; reasonable security measures, those types. So you could see the Attorney General's office in a rule making process take that issue.
David Stauss:
And I think the benefit of that is it would be more readily updated over time. Rather than getting a legislature to go back and tinker with a bill and all the stakeholder process that happens with that, you can imagine on the rule making, it could still be a stakeholder process, don't get me wrong, but an easier methodology because it's basically, "Hey, we are going to do rule making." This is going to happen. So, I would just suggest to you, I think your day will come on that one. It's just maybe through the regulations, and we have models out there, like I said. Massachusetts and Alabama have done things in that regard, but yeah, I think to be determined.
Bill Tolson:
Well, that's a great explanation and one that I have not heard nor thought of myself, and I think that makes an awful lot of sense. I really appreciate that. It does kind of hit it where I was looking, and the fact that, "Yeah, you don't want to have to redo a law every two years or every year based on new technology." I just hope that the departments writing the regulations are keeping up and they're asking for input... In fact, that's one of the other questions. I believe, and I don't think I'm wrong on here, but I believe the common practice for especially the state legislators is to solicit help from industry sources. Big companies in the space, such as Google, Microsoft, Amazon, to help write various bills that they're working on. Depending on how much they depend on these outside kind of corporate entities, do you think this is a helpful practice for the legislative process? Or do you think it gives those companies a little too much power?
David Stauss:
Oh, well, that's another great question. So, you mentioned at the beginning of the podcast, I've talked with a bunch of state lawmakers on my podcast, and I basically had asked, I said, "I don't want you to name names. Tell me what type of entities are coming to you in this process?" And by and large, surprise, surprise, I mean, big tech is obviously certainly interested and very interested in the contours of these bills. There are organizations, consumer or privacy organizations, Consumer Reports being one of them, that are very active in this space. They're trying to weigh in on bills on the other side. I think where the lawmakers have done it right is robust stakeholder process. That's kind of how I'll refer to it. Listen, I mean, this is a complicated issue.
David Stauss:
It's one of the reasons why the federal government is kind of stalled on it. It's an incredibly complicated issue, passionate issue. You can see that with Europe and the cross border data transfer issues that they're running into now. I mean, just a lot of passion behind this issue. This is the business model for a lot of companies. And so, they're fighting for those issues. I think it's up to each individual state lawmaker to know where to draw the line with these stakeholders and by that same token, I think when you talk to them, they'd say, "Hey, if I wanted to get a bill passed, you're going to have to make concessions." No bill is going to go from draft to final without tweaks. And I think a lot of the bill makers... I say a lot, there's only been two that have passed it voluntarily; California was an involuntary process with the ballot measure.
David Stauss:
But I think there's also that concept when you talk to lawmakers about, we get something on the books and we can always tinker with it. We can always add a category of data. We can always come back to it. I mean, for example, in Colorado, there's no definition of biometric data. And I think that's because of the stakeholder process and not wanting to concede, and it was easier to delete something than it was to concede an exclusion from that definition. You can look to the rule making process and say, "Well, the Attorney General's office can come up with a definition or we can rely upon definitions of other statutes in Colorado law, inference there." But yeah, I may have gone far afield from your initial question, but I think the ultimate answer is, there's a lot of people in the room, and how much leverage they are able to exert is, I think, up to each individual lawmaker, because the bill drafters also need the bill coalitions to pass their bills.
Bill Tolson:
Yeah. Good point.
David Stauss:
And satisfy their own constituents.
Bill Tolson:
Yeah. No, that's a good point. I mean, the conversations around the water cooler type thing around this is, there's just a slight fear that obviously large high tech companies that have an interest in this and are writing bills are obviously going to cater the bill to what they do best in those kinds of things, and that may or may not actually be the best requirements for the individual public. But like you say, I mean, hopefully a state legislator is pulling in others beside a single high tech firm and they could level the stuff out so it does make more sense. But the big high tech firms, I mean these guys have thousands upon thousands of experts on this stuff, and it would be ridiculous to ignore them. I deal with them on a daily basis as well, and these guys are excellent, but they're all following the company culture and everything else. So I think like you say, the state legislators need to know enough to say, "Yeah, thanks for your input and we're going to pacify other folks as well."
David Stauss:
Bill, if I may, I think as well, I think where those experts who work for companies and other think tanks provide extreme value to state lawmakers is to try to walk them through the issue we raised at the beginning, which is interoperability. And to say, "Listen, if you pull this lever, what does that mean for this company that needs to comply with GDPR, for example? And understand guys, it's fine, if you want to provide this right, that's fine, but let's do it in the context of... We're not starting from zero. We have privacy laws in this world." I mean, I had a lawmaker ask me, "Hey, we're using these concepts of controller versus processor in the Colorado and the Virginia bill." And they said, "We have a paragraph in each of those bills that talks about the difference between the two. Do you think that's enough?"
David Stauss:
And I said, "Well, the European data protection board has issued 25 pages of guidance on that issue." So you're not starting from scratch. I mean, we all conceptualize these ideas based upon years of having worked with laws like GDPR and as privacy attorneys, if something upsets... Or, I should say privacy professionals, if something sort of comes in and shakes that, there's a different paradigm, then yeah. I mean, I think that's fair to go to a lawmaker and say, "You can get to the same end game, but for sanity's sake, let's just use some phraseology that we all understand, and we can interpret within that prior understanding."
Bill Tolson:
Yeah. Good point. On the federal side, what do you think the chances are of these federal people getting their act together? I know in 2021, there were, I don't know, six or eight bills that were introduced in the Senate and the House, that had something to do with privacy or security. I looked at two of them and one of them was from Senator Gillibrand in New York and another was from Senator Moran in Kansas, that introduced privacy bills that seemed to follow relatively closely what the states were doing. They weren't too far off of each other to tell you the truth. Do you know anything about any of the federal bills that may pass and what do you think the chances are?
David Stauss:
Yeah. Obviously this question comes up daily.
Bill Tolson:
Yeah, yeah.
David Stauss:
[crosstalk 00:32:00] Right? And so, it's a concept that I've obviously given a lot of thought to. And I'd start my answer by saying, I'd love a federal bill. I think a lot of us would love a federal bill. The state law making process is fascinating to me. Obviously I track it, obnoxiously, track all these bills and everything like that. But I think for long term, for business sake, for consumers' sake, for all those things, I think a federal privacy bill makes all the sense in the world. Do I think we are close to getting one passed? I don't. I just don't. You should know, we've had a number of bills introduced to my knowledge, and I think I would know, we haven't had a hearing on a bill. We've had some hearings on concepts, but I think it's important to distinguish concepts versus bills.
David Stauss:
Child privacy as a concept, a bill that actually we're debating about the provisions of the bill, is a different thing. Bringing in someone from a Facebook or other types of tech companies to explain their practices is one thing, arguing a bill that would regulate that is a different thing. So for whatever reason, and maybe tomorrow that changes, we just haven't done it yet. I think there was a lot of optimism when the Democrats took all three branches of government of like, "Hey, we've got single party control. We're going to get a privacy bill." And then, for my money, and I'm certainly not the only guy with opinion on this, but I thought when Virginia lost the governorship, that went to the Republican party, I thought it was done. I thought the chances of federal privacy legislation were done for a number of years, unless we have one of these state bills that really is a needle mover.
David Stauss:
Like a widespread private right of action, something that would just reflexively tell us we need to solve this on a federal level. And the reason being, why I bring up the Virginia governorship is historically the party out of power, no matter which that party is, in the midterm election, historically they gain seats. And I think the Democrats are concerned about that. I don't think I'm breaking any news. And I think that it was basically, "Hey, we need to concentrate on high ticket items, voting rights bill and all those types of things." And then, the kind of played out bill is, if the Republicans take the Senate or the House, then you've got divided government again. Right?
Bill Tolson:
Yeah.
David Stauss:
And do we pass things like data privacy with divided government? I don't know. I mean... So anyway, I would just, for my money, again, I'd love to see a federal bill. I think it would solve so many problems, but it's just not there yet right now. Not to say it can't be there tomorrow, but it's just not there yet.
Bill Tolson:
Well, and the people, the experts that I've talked to like yourself, I haven't found anybody who thinks we're going to get a federal privacy bill this year, or probably next year either. Everybody's going to be fighting who's going to get elected president in 2024. That's a shame, but I did you... I saw last month in December of 2021, I saw an announcement from the FTC, and it said that the FTC filed an advanced notice proposed rule making the office management budget, that initiates consideration of rule making process on privacy and artificial intelligence. And they go further in with the announcement. They say the FTC filing lays out that the FTC's intent as seeking to curb the lack of security, limit privacy abuse, and ensure that algorithmic decision making does not result in unlawful discrimination. But it sounds like a part of the federal government and agency is saying, "Well, we don't expect the Congress to do much either in the foreseeable future. We're going to do it."
David Stauss:
Yeah. And certainly in the privacy world, that announcement from the FTC was highly watched. And the FTC chair, every time that she goes on to a program, I think she went on to CNBC a couple days ago. It's sort of like the privacy professionals hold their breath to see what they're going to say. It is... Yeah. I mean, we're sort of in a, "Okay, that's your concept. So what does that mean?" What's the breadth of that? What's the timeframe for something like that? Are we talking something large scale? 20 pages? Are we talking something... We're just looking to address a single harm, type of an issue? I think, too, what could play into it as well is, we're sitting here with three states right now. We have many states that are considering bills.
David Stauss:
If more states pass... We haven't thought about this concept yet, but on this issue, if more states pass laws, and if those laws are similar enough, the contrarian point of view that started talking about six months ago is, does that end up making federal privacy regulations or laws less likely? Right? Because would the states be creating a de facto national standard? Say if you've got 10 states jumping in, the bills look similar, I don't necessarily need all the rest of the states because smart businesses are going to say, "Whatever. Let's do one module." And so, I think, to go back to the FTC, there's just so much to be determined. And that's why when you get to a privacy professional, and they're just like, "I just wish we would get a federal statute." Right?
Bill Tolson:
Yeah.
David Stauss:
And we're not even debating the merit of the federal statute yet, which is very interesting. We're just debating the concept of, let's have something progress. Because as you know, there are many, many bills, and it seems like there's new bills and rehash bills reintroduced and this amendment and this senator or that senator... It seems like once a month we get some sort of noise out of them. And it just seems like everyone, the FTC, state lawmakers, regulators, they're all saying, "In the absence of the federal government, the Congress doing something, we just feel like we cannot wait." We are so far behind in this country in data privacy, it is remarkable.
Bill Tolson:
Yeah.
David Stauss:
It really is.
Bill Tolson:
Yeah, it's scary. And it's scary to imagine how much time it's going to take to actually get to the point where we think our data is actually safe anymore. Even to the point where, with GDPR, for example, and maybe this would relate to it, a federal law, but they limit the ability to move data out of a specific geographic location. All of the privacy shield and things like that have caused lots of problems. I mean, I would think that would be a consideration for a federal bill; maybe that and the need to conduct privacy impact assessments on a regular basis by third parties to ensure that somebody is using enough care to protect the data.
Bill Tolson:
But I think like you said, and what I've heard, we're still in the States here, we're still quite a ways off of taking it as seriously as a country that others have. I mean, the various country privacy regulations that have been popping up in Brazil and China and India and Canada, we talked about before the call, they're all going full steam ahead and we don't seem to be doing that. But that's just my opinion.
David Stauss:
Well, no, I mean, to your point though, not to cut you off, but I mean, come on, reasonable people. I don't think there's any dispute between Democrats and Republicans that these basic rights around your data, right to access, portability, deletion, correct, these are not offensive concepts. Right?
Bill Tolson:
Right.
David Stauss:
Everybody gets it. It's like nobody's anti-education. Nobody runs against education on a platform. "I don't want to educate our kids." Right? Nobody runs on that. These are concepts that are really, "Yeah, I think we should have this. I think we should be able to do X, Y, and Z." And we haven't rung that bell as a country yet. And you see other jurisdictions that are going beyond... I mean, you mentioned AI before. I mean, when you think about the things that AI is doing already and what it's going to do in the next five to 10 years, other countries are moving on. They're trying to regulate those issues, and we're still debating what I would consider to be some really just no brainer issues. Shouldn't we know what information you're collecting about us? Is that really offensive? A privacy policy, is that... We do them anyway.
Bill Tolson:
Or making sure that you know what you have and are taking reasonable security measures to ensure that it's not stolen through ransomware, extortion ware, privilege escalation, whatever it happens to be. I know David, we're almost out of time here. There's one quick question I wanted to ask to get your opinion on, because I don't think there is an answer. Maybe there is an answer to it. And this stems from my being kind of immersed in GDPR for a long time. The right to be forgotten, the right to erasure, does that imply an unrecoverable deletion?
David Stauss:
Yeah. That's a great question.
Bill Tolson:
I've asked this of lawyers in the EU and in the United States and compliance people and you know, as well as most IT people know as well, a computer delete is a computer soft delete and any third grader can recover those files in 10 seconds using Norton or something else. And I've always argued that the right to be forgotten, the right to erasure, implies an unrecoverable deletion.
David Stauss:
Yeah. And I think to your point, I think it ends up depending upon which jurisdiction you're in and their view of it. So California, for example, the regulations that got issued on this really softened that and provided some contours about, well, what if it's a backup tape?
Bill Tolson:
Well, that was the other question. And I'm sorry... Go ahead. That was really interesting.
David Stauss:
[crosstalk 00:41:27] No, no. No, we're hitting on the same issues. And trying to address these issues because there's that sort of give and take between the consumer right and also... At least the backup tapes, the argument there is being like, "Well, if it's a backup tape then it should not be changed." Right?
Bill Tolson:
Well, and I... By the way on that, I've been told by European privacy people that the GDPR authorities haven't published it, but they've basically said, "As long as you put a process in place that says the next time you access that tape for whatever reason, then all of that PII that's been asked to be deleted, must be taken off it," which is not an easy process. It's still a difficult process, but I've been told, and I've written about the idea, that you just keep a running list next to the backup tape and the next time you got to restore a backup tape, that's when your duty to go in and erase the data occurs.
David Stauss:
Yeah. And that's consistent with the California approach. I think California has a few other nuances to it. I believe that... Gosh, you say something on a podcast without going back and checking the internet... So I'm running the extreme risk of getting it wrong. But if memory serves, I believe the United Kingdom's Information Commissioner's Office has some of that similar concepts on their website. If anybody's not familiar with the ICO's website, just an incredible resource out there. I hope that our Attorney Generals in the United States or the CPPA in California really ends up producing something like the ICO has, because it's a fascinating resource for those types of things.
Bill Tolson:
Yeah. I've spent time on it. It is fantastic. So, David, I know we're out of time. I think we're going to need to wrap up this edition of the Information Management 365. I want to thank you for this really interesting and actually enjoyable discussion with you today on this really important subject. If anybody has any questions, any listeners have any questions on this topic or would like to a subject matter expert, please send an email mentioning this podcast to info@archive360.com, and we'll get back to you as soon as possible. Also check back on the Archive 360 resource page for new podcasts. Leading industry experts on a regular basis. In fact, I have several recordings of podcasts that are going to be published in the next several weeks from additional legislators talking about their privacy regulations. So, check back with that, but David, this was absolutely enjoyable for me, and I learned a lot and I really appreciate it.
David Stauss:
Yeah. Thanks for having me, Bill. I appreciate being on.