The Future of Data Privacy in the U.S.
David Stauss is a Partner at Husch Blackwell, a law firm offering comprehensive counsel on day-to-day operations in various industries, including banking and finance, data privacy and cybersecurity, and intellectual property. He is also chair of the firm’s Privacy and Cybersecurity Practice Group, where he counsels clients on existing and emerging state, federal, and international privacy laws.
As a recognized thought leader, David is an author and frequent speaker on privacy and cybersecurity. He was selected as JD Supra’s top data privacy author in 2022 and has been published and quoted in numerous publications, including The Wall Street Journal, CBS News, and Security Magazine. He is the editor of the Byte Back blog — one of the leading data privacy blogs in the US — and hosts the Data Privacy Unlocked podcast, which focuses on the development of U.S. privacy law.
Here’s a glimpse of what you’ll learn:
- David Stauss shares how he became a privacy attorney
- What can cybersecurity professionals expect from California and Virginia’s privacy rights acts?
- How companies can comply with state privacy laws
- David discusses the potential of the American Data Privacy and Protection Act
- The private right of action’s impact on privacy laws
- David describes each state’s plans for expansion of privacy rights
- Personal privacy advice from David
In this episode…
The American Data Privacy and Protection Act is in some ways unclear, leading individual states to devise their own privacy laws. So, what do these regulations entail for cybersecurity companies?
According to privacy law expert David Stauss, states like Virginia and Colorado are developing laws emphasizing consent around personal data. Conversely, California will allow organizations to utilize sensitive data with certain restrictions. With disparities among each state’s regulations, David urges businesses to remain savvy and stay abreast of potential updates.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with David Stauss, Partner at Husch Blackwell, to discuss state and federal privacy regulations. David shares how companies can comply with state privacy laws, the potential of the American Data Privacy and Protection Act, and each state's plans for the expansion of privacy rights.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: firstname.lastname@example.org
- David Stauss on LinkedIn
- Husch Blackwell
- David Stauss on Twitter
- Byte Back
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:22
Hi, Jodi Daniels here. I'm the founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant, Certified Information Privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:37
Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.
Jodi Daniels 0:52
And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Today is super fun, because we have a battle of the mountain T-shirts, as we should. You all join to hear about privacy and security, but instead we're just going to talk about: which mountain T-shirt should we wear today for this episode?
Justin Daniels 1:38
Should you be the person who decides who has the better mountain t shirt?
Jodi Daniels 1:43
It might be. So Justin, you are wearing Telluride, which is a favorite. And then today's guest is my good friend and fabulous privacy professional David Stauss, who is a privacy and data security partner at the Husch Blackwell law firm. David, what kind of cool yellow T-shirt do you have?
David Stauss 2:01
Well I've just had was well first thanks for having me on. I appreciate the invite, and you've requested me on I just have. I have my Hulk shirt on today. I was not aware that we were going to be videoing but very, very interested to be comparing T-shirts. But I was saying to Justin before, I know you guys like to spend a lot of time out here in Colorado in the mountains is we've got to get him a flylo shirt next time he comes out and get him appropriately Denver, Colorado up with his with his with his shirt. So maybe we'll see you next time guys. Maybe maybe you'll get a fly with a shirt in the mail one of these days from it'd be
Jodi Daniels 2:38
awesome because you know, we kind of tire of the same collection of Colorado mountain wear
Justin Daniels 2:46
What do you mean we're up to like nine we have Utah now?
Jodi Daniels 2:52
Yeah, well, let's let's dive on it. So David David here. Wow.
Justin Daniels 2:56
Just I guess people's names right there. Julie.
David Stauss 2:59
This podcast is over. Oh,
Jodi Daniels 3:04
that's what happens when we didn't eat lunch. All right. David, tell me how did you find your way to being a privacy attorney? Yeah,
David Stauss 3:15
I mean, some would still argue I'm still trying to become a privacy attorney. Right. So I guess, you know, is it, is it fully realized yet? I guess we'll see. But I, I graduated law school in, I guess, '05, right. So I've been an attorney for a long period of time. But I think, as with most attorneys my vintage, we did something else first before we did privacy. Well, I was originally a litigator and came to privacy through breach response, and data security. And so originally was years ago, doing a bunch of data breach responses, and eventually really fell into what is my passion now, which is, you know, privacy laws like GDPR, CCPA, CPRA, Virginia, Colorado, those types of things. So, yeah, sort of, I think for the older people in this space, it's a very familiar sort of story. We were all kind of doing something and saw this avenue and ran into it. That's kind of my story. And you're sticking to it. I don't think I have a choice. I've got three young boys. I've got to get through college. Right. And, you know, we've got a growing field, I think. I think the wife has finally thought like, I found something that we can do. Yeah, yeah.
Jodi Daniels 4:29
Definitely growing for sure.
Justin Daniels 4:32
So why don't we start out with our favorite privacy state?
Jodi Daniels 4:39
Your five favorite privacy?
Justin Daniels 4:41
All right. So there's big news out of California recently with the Attorney General announcing his first enforcement action. What should companies listening to our podcast learn from the settlement near from your perspective?
David Stauss 4:53
Yeah, I thought you guys are gonna say Colorado is your favorite privacy state, but you're gonna rework the question in order here, but I guess not.
Jodi Daniels 5:04
Overall, from a privacy point of view, California keeps us on our toes.
David Stauss 5:08
Jodi Daniels 7:06
So let's switch to the other coast, and move and chat about Virginia. So while companies are getting busy preparing for California's update, CPRA, they also have to be thinking about Virginia, at least soon. Well, we'll get to Colorado and some of the others a little bit. But let's talk about Virginia: what are some of the things that people might not be realizing they should be paying attention to in the Virginia law? What might surprise people, or, kind of like how you talked about those 13 enforcement actions that were not as prominent, what should we be thinking about from Virginia that might not be as prominent? Yeah, I
David Stauss 7:43
think, you know, Virginia is kind of flying under the radar a little bit, right. I mean, it doesn't have a rulemaking process that's happening. It's January 1. I mean, for those listening, obviously, January 1, imagine your listeners probably know that already, is the compliance deadline. There are some aspects of Virginia that I think keep us on our toes. For one, the consent for sensitive data, right, you need to have consent to collect sensitive data. And that's different than California, is different than in California today. And it's going to be different than California with the California Privacy Rights Act Amendments, which is going to be this, this concept of you can use sensitive data, but it's got to be kept in this box. And if you go outside the box, then you've got to, you know, outside the box of limited permissible uses, then you've got to offer people the ability to restrict you back down to this box. Virginia is different, right, Virginia has consent to process sensitive data. And so I think companies really need to be paying attention to what they collect, and whether it becomes, you know, collection of sensitive data, and if so, make sure that they've got consent in place to collect that. What I think is interesting in that is it's not altogether clear that you've had the right to revoke your consent, after you've actually provided your consent. There was something in Connecticut, you mentioned your, your home state, which I know is Connecticut, we've had that conversation. You know, it's something that Connecticut bill that, that was added to it to provide that clarity. So that's one, sensitive personal information is obviously a high on the list there. And then the DPIAs, I guess they're calling it. We call it DPIAs because of GDPR data protection impact assessments. In the US language, it's going to be data protection assessments.
We've, we've screwed up our acronyms because now we have DPA, data processing agreements and data protection assessment. So we have DPA twice, data protection authorities in some countries. Yeah, so we've just really overused the DPA acronym to the point of just like it's meaningless now, right. But, you know, there, there is this requirement to do data protection, I'll call it impact assessments in Virginia, around certain processing activities, like the sale of data and targeted advertising. So you know, those are things we, we probably will eventually get to that point in California once the regulations are done, and these risk assessment regulations are done, which they haven't started yet, but for Virginia, those are some, some high ticket items, I think. And then there's also, you know, maybe talking about data processing agreements, obviously, Virginia has that requirement. So I think lining up all of your third party transfers and identifying what needs contracts, and what doesn't need contracts is really, it's a big task for a lot of companies. And we're struggling with that, struggle is not the right word. We are working on that with a number of clients right now, about lining up data processing agreements, and negotiating those, it takes time.
Jodi Daniels 10:39
So I'm curious, you mentioned for Virginia, people have to be thinking about sensitive data and opt in and what that might look like, is there anything that you can share, have clients started, or companies started talking about what that might look like? Or it's still too early on? They're trying to figure it out?
David Stauss 10:56
Not? Well, it's great question, right. Like, what, what consent looks like? Right. And so I mean, it's one of the difficulties I think we have with the Virginia law is, Colorado is going to follow pretty quickly, July first 2023, with this law, and it's the same model, although a more consumer friendly model of the Virginia law, right. And so it has this consent based aspect to it as well. And the point of that is that the AG's office in Colorado is going to be issuing regulations. And some of those regulations are likely to touch upon what consent is, right. And at the same time, California is issuing regulations, and in the, at least the draft regulations, they talk a lot about what consent looks like, it's like two pages of the draft regulations is on consent, even though in California consent really doesn't take a prominent role like it does in Colorado and in Virginia. So the question then is, you know, Virginia is not going to regulate around consent. But Colorado and California are, right. And so it is kind of a moving target, I think for people right now, because you want, I mean, most of you guys hear the same thing I do, right, which is I want a single bullet solution to everything, right? Don't tell me that, like, I've got to have consent be different in California than it is in Colorado and Virginia, I want a single solution. So I think a lot of us, though, you know, who have been in this space for long enough to have done a lot of GDPR compliance, I think we're thinking about consent, really an aspect of like the European data protection guidance on consent. And I try to use that as our model and kind of hoping that the regulators follow suit in the United States, right, like informed, like, let's make an informed consent, let's make it specific, you know, all those types of things. So hopefully that answers your question. It's, it's a difficult, there are aspects right now that are just really difficult and nuanced, right now to try to navigate through.
Jodi Daniels 12:51
That is the leader.
Justin Daniels 12:53
So we're going to head to our new acronym, which is, what is it, ADPPA.
Jodi Daniels 12:59
Everyone says all these acronyms in all different ways. Add Popol, there you go, or some people just spell it, you know, this person letters.
Justin Daniels 13:07
A lot. I have to say the privacy industry is starting to rival the security industry for use of acronyms that if I had to catch up, I guess so. Anyway, with that preamble in mind, everyone wants to know, will the federal privacy law that we announced pass? David, using your crystal ball? Yeah. What do you think?
David Stauss 13:34
Yeah, I mean, it is pure speculation. Right. I mean, I've tried to talk to people probably like most people have and, you know, to get a feel for where things are at. I think the prevailing wisdom is not this year, and prevailing wisdom, I mean, obviously, we are, we were in the August recess right now. Lawmakers are going to come back and then we are in the November election cycle. Right. So it is, you know, a distracted group of individuals. And, you know, I think people thought the window really was before the August recess happened. There's been talk about well, you know, if there was a lame duck Congress, maybe something could happen but I think people are looking towards next year. Now that's not to say that if everybody got back in September and they voted on it that, I mean, anything's possible right now. I think what, you know, what we've kind of, you know, jokes not the right word for it but we've kind of talked about is, is, you know, when it was originally released, it was, you know, three corners bill, it just needed to get Cantwell support in the Senate and it was a done deal, right. And we thought about it and we've said like, well, okay, what's the opposite of growing consensus, right, because since that, like, presentation of just these camo, just these Cantwell, now we see California jump in and, and just throw a monkey wrench into the whole entire thing over the preemption issue. And your listeners obviously are familiar with that. But having Nancy Pelosi be a California Democrat, having the entire state of California rail against this bill for good or for not, it just feels like we are getting less consensus around these issues instead of more consensus. And so yeah, I think, frankly, I'm disappointed to think that it's not going to pass. I think it, you know, I rarely offer my opinions on bills, because I think people just don't care. But I think, I actually think that this is a good bill. I think the ADPPA is a, is a good bill.
It does things that the California bill doesn't do and Colorado and Virginia and all those things, you know, especially around algorithms and civil rights. I think there is a concern, and a legitimate concern from people that once we put something on paper and we pass it, it's going to be outdated very quickly. And I think that that is an extremely legitimate concern. But I think there's also, you know, it's, it's a good bill, and we should be encouraged by it. And I wish it would be something that would, would have a chance of passing. I think it's going to pass? I don't, I don't. I haven't heard anything that says yes, it's, but it's, but I wish, I wish it would, I suppose was the answer.
Justin Daniels 16:24
So David, I want to ask a follow up question kind of lawyer to lawyer question. It seems to me one of the primary enforcement mechanisms for the privacy laws that get companies attention is the private right of action. And love to hear your thoughts around the private right of action and what that would mean if it were in or not in this bill, because apparently it's cratered privacy bills in other states on this one issue alone.
David Stauss 16:51
Jodi Daniels 21:00
So in the spirit of talking about all those different states, and what has happened in '21 and '22, you recently wrote a really great op-ed, if everyone has not read it, on IAPP, covering the different state laws and what happened in 2022 and a little bit of what might happen in 2023. So continuing with your crystal ball theory, for those who haven't had a chance to read it, but I highly recommend that you do. What should we know?
David Stauss 21:29
Yeah, so this, this article was, was basically how I spent my July 4 weekend, right? I just sort of has to find. Yeah, I just, you know, it's kind of goofy, right? But it was, it was, it was kind of like, you know, just sitting down and eating, eating almost, in the foreshadow of this was. So in, at the end of July I was, I was asked to come in and speak at NCSL, which is the National Conference of State Legislatures, right. It was in Denver earlier this year. And they have subcommittees as part of it. And one of the subcommittees is the privacy subcommittee, right. So it's like all the state lawmakers who are gonna be pushing privacy legislation, right. And they said, which come in which you kind of talk to people, these lawmakers about what, what's happening in 2022, and what you think for 2023. Right. So this article was a way for me to kind of like work through my own mental process of what we saw and what we could expect to see in 2023. You know, just hitting the high points on 2022. It was a crazy year, we had 29 states plus the District of Columbia either had bills, carryover from the prior session, or new bills got introduced. It was at times overwhelming, frankly, the number of bills and states that were, that were at issue. But you know, from all of that you could see what states were actually kind of going to make some, some noise. And we always knew coming into New Connecticut, it was going to make a lot of noise. Senator Maroney has lined up that state over the past couple of years really to make a run at it in 2022. And true to form, he got it across the finish line, took a lot of work, but he did it. But then you had a state like Utah, where it just sort of came out of nowhere, right. And like 21 days, we had a privacy bill out of nowhere, right. And so then you also had a number of states that were like your Iowas, Indianas, Wisconsins, Utah would be in that group as well.
Louisiana, originally is that bill was originally introduced and Tennessee, that were running, you know, what I call business friendly variants of the Virginia bill. Right, you basically take the Virginia bill, and then like you get rid of provisions that are not as business friendly as, as you'd like them to be. And so we saw a number of states that had bills passed through one chamber, Indiana, Iowa, Wisconsin all have the, you know, the CDPA light bills passed through one of the chambers. And so you know, and then you had another piece of puzzle, obviously, we have the Dobbs decision, right? Which, which overturns Roe versus Wade, and wherever you sit on the political spectrum, you just have to recognize that it creates noise in the system around privacy issues. It just does. And people are really passionate about those issues. And you've seen some of that with the ADPPA fallout. So when you look, Jodi, to answer your question about like, what is 2023 look like? I think the things that we're thinking about 2023 are, A, what are the likely states, right? What's the Connecticut of this year? Right. And it's, it's kind of hard to find. Oregon has a workgroup right now that's been, has been meeting for a number of months, and there's prepared legislation there this coming out. In Minnesota, Senator Elkins I know is very interested in running a bill, I know he's, he's very interested in looking at the ADPPA, and trying to take pieces of the ADPPA, right, and, and drifted onto his bill, which is a really sort of interesting aspect of the ADPPA, which is the idea of that bill, is that supposed to create one common standard, right, because of the fear of all the states doing what they're doing. But there's really good pieces of that bill.
And if it doesn't pass, it's completely foreseeable to the point where it's inevitable that a state lawmaker is going to take a piece like the Civil Rights portion, or the AI portion and add that to his state privacy bill or her state privacy bill. So the ADPPA could create the very patchwork of privacy bills that it's trying to avoid, right, just by the fact that like it does this. So I think, you know, I think we're looking at 2023, I think we're going to see, you know, the states that ran, you know, business friendly bills, I think we'll be back. If you got through one chamber, you know, let's fix it and get through another chamber. So I think we'll have that push. I think we'll have the Dobbs stuff. And I think Dobbs is going to work out in two ways. One is I think you're going to see provisions around sensitive data in state privacy bills. But I also think that you're going to see separate bills run around discrete issues, right, like data sets, right, like yet we saw the FTC enforcement action yesterday, they got filed around like, you know, sensitive data sets and consent for collection. So that's one way we can see that as well. Smaller pieces. I think the ADPPA, also it was not in my article, but something we've been thinking about is it carves out PIPA like it carves out the EPA, as from preemption. So I think a number of states that are thinking about doing PIPA like bills are going to try to get a pass next year, in the hopes that they would also join in that carve out. And then, you know, it just kind of goes from there. And obviously, there's also the ADPPA, Justin asked that question about whether it will pass. But I think, you know, for, for lawmakers, you know, they're going to have one eye on their own state and what they want to do and one eye on the federal government, and whether it will see preemption. Long answer to a short question, Jodi, sorry, but I've got a lot. I've got a, I've got nothing but thoughts on state privacy bills.
So nothing I thought,
Jodi Daniels 27:06
that is why I asked him that we are grateful for the very detailed answers. It's incredibly valuable to have that perspective, and you did an unbelievable job. So anyone listening, you absolutely want to make sure that you are following David on LinkedIn for your 2023 privacy date.
Justin Daniels 27:26
So as we ask everyone, what is your best personal privacy tip you'd offer your friends when you're out hiking in the Flatirons in Colorado?
David Stauss 27:40
Yeah, it's a great well, I'm hiking. If I'm asked about privacy when I'm hiking, usually my wife would be like, Don't ask him about any of these types of things when you're out hiking, right? Yeah, yeah. What is the best personal privacy tip? I think it's to get you know, and I'm the worst at all that right but but it is just that just, I mean, it's, it's, you know, get out in nature, right, get off your devices, all those types of things, disconnect the cord, i i probably for you guys. I'm guessing that kind of like, hits home for you. I know you guys come out into the mountain region a lot and try to get out here right but it is, in our lines of work. It's you can be it's gonna be all consuming with everything that changes on a daily bite basis. So I think the ability to disconnect and go enjoy nature a little bit is definitely is definitely the my bite to exaggerate anybody cares? Well, I think that probably be my best personal privacy tip. All right.
Jodi Daniels 28:31
So when we were in Montana, for several hours driving through the Lewis and Clark forest, and there was zero sauce. I need myself sorry about
David Stauss 28:44
there's nobody worse in this world than me. I mean, it's advice. It's I don't take the advice. I give the advice kind of thing, right. But
Jodi Daniels 28:52
it was great. Well, we thought it was the perfect time. So take a call. I was driving we have these several hours. And there's zero hours, not even one. If you ever do it again, you should have some type of satellite backup. But might have already given the hints so when you're not helping companies comply with privacy laws, and writing riveting state privacy related pieces? What do you like to do for fun?
David Stauss 29:20
Ah, yeah, so I mean, I mentioned a couple of things probably during it. I've got three young boys, not to overshare, and this is a privacy, privacy podcast. And now I'm just gonna like tell you about my life. But I've got three young boys, I've got a young family and obviously keeps me pretty, pretty active, just like keeping them away from one another and hurting each other. Then, you know, it's just, it's just a full time job, I feel like, at this stage in my life, but we've got, we've got a place. I'm in Denver, and we've got a little place up in, up in the mountains that we'd like to spend as much time at as possible, right by Winter Park. I'll send you guys some, some pics. There's the next time we go up there. And he had a family like I do a lot of running. And trying to do like long distance running and what we'd like to do all the outdoors, things like hiking and running, and we've got some inflatable kayaks that we like to get out on Grand Lake and Shadow Mountain Lake and all those types of things. So, full disclosure, I grew up in New Jersey, some people will hear the accent, the Jersey accent. I've been out here for a number of years, but haven't been able to lose the accent. But I came out here when I got married. And as a condition of employment. As husband, my wife had to move out to Colorado, but it's really, the outdoors lifestyle is really sort of taken. So if I'm writing on privacy laws, or you know, billing hours and all those types of things, you'll probably find me up in the mountains run around doing something stupid. So
Justin Daniels 30:52
I need an amendment to my marital contract immediately. I need you to drop something for me immediately. A lot.
David Stauss 31:01
Yeah, that was sort of like the, you know, okay, fine. I'll do it. Right. But like you're gonna owe me on this one. So, yeah, if anybody listening hasn't been out to the great State of Colorado. It's, it's fantastic. I say to know, the mountain region in general. I know you guys. You mentioned Montana. Fantastic up there as well. Wyoming, Utah, as well, I just now I'm just turning into a travel advertisement. But we have I mean, if you're looking for a good excuse, we have the Rocky Mountain Information Security Conference on September 21. So come out, say hello. We've got hundreds of people showing up to and we have a privacy day. We have a privacy day. I
Jodi Daniels 31:39
said it's Sunday, only security privacy counts, too.
Justin Daniels 31:42
We need to get some speaking gigs. There you go.
David Stauss 31:48
Yeah, I should have thought ahead. I should have thought ahead and got you guys out.
Jodi Daniels 31:51
Well, there's there's there's next year it's all good. So David, Where can someone listening find you? So
David Stauss 31:59
yeah, LinkedIn, right. It's probably the easiest. Just look me up David Stauss and then I run a privacy blog. bytebacklaw.com bytebacklaw.com. Yeah, so that's usually my shameless plugs is follow me on LinkedIn. Twitter's I've got Twitter, but I I'm always a little the privacy twitterverse is it's something else, right? Like, you know, you step into that one, you might just get the bonus. All right. So I tend to do my I tend to do my stuff on LinkedIn, and then obviously, the blog as well. So thank you.
Jodi Daniels 32:37
Well, sure. Well, we'll be starting to include those in the show notes. But David, thank you so much for sharing all of your wisdom and perspectives with us today. We really appreciate it.
David Stauss 32:47
Thanks for having me, guys. I really, really appreciate the opportunity to come on and talk privacy.
Thank you. Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven't already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.