When it comes to data protection and privacy, some states have already taken the lead in trying to protect consumer data. But in these political times, expecting or hoping for the federal...
|
|
Ben focuses his practice on technology and data privacy. He advises clients in complex data transactions, software...
Victor Li is the legal affairs writer for the ABA Journal. Previously he was a reporter for...
| Published: | February 12, 2025 |
| Podcast: | ABA Journal: Legal Rebels |
| Category: | Legal Technology |
It’s a well-worn saying that the law always lags behind technology. It makes sense. We all remember the old song about how a bill becomes a law and how long the whole process can take. By the time you get to the verse about a president signing something into law, technology has either evolved into something even more cutting edge or become obsolete—replaced by a newer, shinier toy.
Special thanks to our sponsors Verbit AI and ABA Journal.
Announcer:
Welcome to the A Journal Legal Rebels podcast where we talk to men and women who are remaking the legal profession, changing the way the law is practiced, and setting standards that will guide us into the future.
Victor Li:
It’s a well-worn saying that the law always lags behind technology. It makes sense. We all remember the old song about how a bill becomes a law and how long the whole process can take. By the time you get to the verse about the president signing something into law, technology has either already evolved into something even more cutting edge or it’s become obsolete, replaced by a newer shinier toy when it comes to data protection and privacy. Some states have already taken the lead when it comes to trying to protect the consumer data, but in these challenging political times, expecting or hoping for the federal government to follow suit seems about as likely as watching pigs fly, throwing new revolutionary types of tech like generative AI and what was once alike has the potential to turn into a golf. My name is Victor Lee and I’m assistant managing editor for the A BA Journal. My guest on today’s episode of the Legal Rebels Podcast is Benjamin Mishkin. Ben is a member of Cozen O’Connor where he focuses his practice on technology, privacy and data security. He’s here today to talk about what the regulatory landscape looks like when it comes to data protection and privacy and what we can and can’t expect in the near future. Welcome to the show, Ben.
Benjamin Mishkin:
Thanks, Victor. Pleasure to be here.
Victor Li:
Yeah, I’m looking forward to our discussion today. So I gave a very brief elevator version of your bio. Can you talk a little bit about yourself and how you got to where you’re today?
Benjamin Mishkin:
Sure, absolutely. So yes, as you said, I’m a member at Cozen O’Connor in the privacy technology and data security practice group. I am with a small group of attorneys that came over to from a boutique law firm in 2020. So coming up on five years with, and in terms of my backstory, I went to, I’m a grad of Temple Law. I was born and raised in a Philly area, went to Philly Temple for law school and then right out of law school actually worked for the city of Philadelphia for their law department, the city solicitor’s office, and that’s where I started working on technology and privacy issues for the city. So it was good to cut my teeth there. I got a lot of interesting experience working with the municipal government and its various agencies, a lot of interesting privacy issues as you can imagine. And then moving from there into private practice to that boutique law firm. And from there, like I said, Koosa O’Connor, and that’s where I am today.
Victor Li:
So you’ve been affiliate your whole life, so I think this podcast is going to be out after the Super Bowl, so I don’t have to ask you who you’re rooting for then, right?
Benjamin Mishkin:
No, you do not go birds.
Victor Li:
Well, I’m from Pittsburgh, so we went out in the first round. We’ve done the last 10 years or so. So can you tell me a little bit about your practice? How would you describe it to someone if you’re meeting the first time?
Benjamin Mishkin:
It really separates into two buckets. The first is technology, transactions writ large, any kind of contract involving technology. We help our clients both on the buy side and the sell side, either buying technology platform, software platform, sometimes a combination of software and hardware, but most often SaaS contracts these days. Some of our companies are software providers and we help them create templates and negotiate with their customers. And then we have on the buy side, everyone from very large Fortune 500 clients to startups, emerging growth companies and help them buy the software that they need and negotiate software contracts. So that’s the first bucket in my practice. And then the other one is really privacy advising clients and counseling clients with regard to applicable privacy laws. What are you subject to? What are your responsibilities? Help you draft a privacy policy, help you handle requests that come in, these data subject access requests that come in. And we mainly focus on our privacy practice on the GDPR in the EU and the various state laws in the United States, which I think we’re going to focus on today.
Victor Li:
So let’s talk about that first with the various states and whatnot. How would you describe the regulatory landscape when it comes to consumer protection, data protection in the states? Is it pretty far along or is it still kind of lagging behind?
Benjamin Mishkin:
No, I would call us pretty far along at this point, but the way that I describe it is a patchwork. We have a patchwork of consumer privacy laws in the United States. We are up to 19 states that have laws on the books. A handful of those are coming into effect this year. At the end of this year, maybe it’s January 20, 26, we’ll have 19. And everyone kind of expects at that point, there’ll be more to come after that. Florida also has a law. Some people say we have 20 laws, and some people say we have 19. Florida has a weird law. It’s not really a general consumer privacy law. It is focused only on the biggest technology companies in the United States. It’s a conscious effort to focus on your Facebook, apple, Google size companies. So most privacy practitioners exclude Florida for that reason. Since it’s so narrow to only those very large companies, everyone else other than those very large companies, you have 19 different laws right now basically that you have to worry about.
So the patchwork state is such that they are similar. There’s a lot of similarities to them, but there are also unfortunately, unique aspects and differences. Some of them are more unique than others, which we can talk about. But suffice to say, you have slightly different, or in some cases materially different rules of the road in 19 different states. And again, we expect that to grow. So I think we’re going to end up in a place unless the federal government comes in, which we’ll also talk about and preview. There is most people think that is unlikely to happen, at least in the near term future, that we’re going to continue to have this patchwork of consumer privacy laws in the United States.
Victor Li:
Well, yeah, Florida is always their own thing, right?
Benjamin Mishkin:
Yes.
Victor Li:
What states would you point to as having a more comprehensive policy as opposed to maybe a less comprehensive one?
Benjamin Mishkin:
So the first mover in many things in the United States always is California, and they continue to have one of, if not the most kind of rigid, forceful privacy laws of any state. It’s the CCPA, the California Consumer Protection Act. It was amended by the California Privacy Rights Act. So it has a number of different things that distinguish it from the other states. And the first thing is, if you do any business in California, all the states, the threshold for these laws to apply to you. The question number one is obviously, are you doing any business in that state? Broadly construed California remains the only state where you can just be in scope in that state just by virtue of the fact of hitting a certain dollar threshold economic threshold, which is 25 million or more annual gross revenue in the previous calendar year. So the first thing that makes California unique is if you hit that threshold and you do any business in California, which you almost certainly do, if you are a national company, you’re in scope and you have to comply with it.
And then the other kind of very unique thing in California is all the other laws have exceptions for what we think about as hr, human resources, information, employee information, as well as business to business contact information, just names, business, phone numbers, business, email addresses, those sorts of things. All of the other states have exceptions for those categories. California does not. So in California, you technically owe the whole gamut of privacy rights to your employees, and that includes your former employees, your current employees, and your perspective employees like job applicants as well as kind of anybody who contacts you for a garden variety business purpose. Again, theoretically you owe them the whole suite of privacy rights that you owe to a consumer. So those are the biggest things I would point to that make California unique. And then California, I would say also has been the most aggressive so far in terms of regulation.
They’ve gone out both their attorney general and they have a dedicated administrative agency to enforcing their law. The CPPA, I want to say it’s the California Privacy Protection Agency, and they have been fairly aggressive. They’ve done a number of enforcement sweeps now. So all those things combined with the fact that if you’re in the tech industry, obviously California is top of your mind. If you’re not located in that state, you probably have significant ties to that state. All those things combined I think make the CCPA, the California CCPA, the state privacy law that comes to the top of people’s minds.
Victor Li:
Gotcha. What are some of the differences between that and some of the other states like Connecticut or Colorado or even the Texas and states like that? What are some of the differences in some of the holes that are present with those laws and how does it affect the business? I mean, like you said, a national business that does any kind of real business or whatnot would probably be subject to California. So would it just behoove them to just follow California rules and have it apply to all of their business just so that way there’s no doubt that they would be in compliance with the most strict law that way? All the other ones, they’ll be fine to
Benjamin Mishkin:
Take the end of the question first. I mean, that is an approach that a lot of our clients choose to take the most stringent law and comply with that get yourself compliant with the most stringent law, which right now, again, we think is California. Maryland is the other one that a lot of people are pointing to is having some unique requirements that are a little bit more stringent in some respects even in California. But for the most part, take the California law comply with that, and then at least you have an argument for material compliance with these state laws outside of California.
Victor Li:
But
Benjamin Mishkin:
You have to ask yourself, first of all, whether you kind of want to voluntarily start affording anyone of these privacy rights that you’re now required legally obligated to afford certain state residents, or do you want to only afford those individuals to the kind of minimum extent that you’re legally required to do? So if it’s the latter approach, then you probably don’t want to take the most stringent law and try to comply with that across the board because you’re not required to give that right to somebody who’s not in a state that has that law. So the approach that our clients take really vary based on what they see as their level of exposure and risk combined with the industry that they’re in. Obviously the most significant, you’re a B2C business, you’re a business to consumer business. These laws can be hugely impactful and can be hugely burdensome on you if indeed you’re a direct to consumer company.
On the other hand, if you’re a business to business company, you could still be in scope for some of these laws by virtue of a lot of different things, like I just said in California, just by the economic factor alone. But otherwise, your exposure is pretty minimal. You really don’t have that volume of consumer information despite the fact that you are technically subject to the law. So the business to business risk, I would say is normally lower, although there’s obviously there are outliers and the business consumer, the risk is usually higher, and then you usually choose your compliance strategy accordingly based on that risk strategy. The first part of your question was more about what are the differences and what are some of the gaps in the other laws To respond to that portion of the question, I guess one of the big things is that also distinguishes California.
It has a suite of implementing regulations and there are a complex set of implementing regulations that were promulgated again by the AG and the CPPA, the administrative agency, and they really provide a lot of guidance and they also put teeth in the law. Colorado also has implanting regulations that are quite detailed, and New Jersey actually, which law just went to into effect a few weeks ago. As I’m speaking to you today, that is going to be the third law that has implementing regulations. And no one’s really exactly sure when those are coming out, what to expect from New Jersey, but that’s a big difference because some of the statutory language of a lot of these laws is a little bit vague as statutes always are. So we really get a lot of clarity from these regulations and almost all the states don’t have them, basically. So we’re kind of waiting around in all those other states to get some kind of guidance from the regulators and when there’s enforcement actions to see what happens on that front.
And then I guess the related gap that distinguishes California, California right now is the only law with any kind of private right of action at all, and it’s a limited private right of action. Even in California, it only applies in a data breach scenario. In a data breach scenario under certain circumstances, in a data breach scenario, you could bring a private right of action and if your data is breached and if you’re a California resident, none of the other laws have a private right of action right now. They’re all exclusive enforcement by the state attorneys general. So that would be a big game changer if someone else comes in and does a private right of action, especially one that was broader that would apply just to any violation of the law as opposed to only in a data breach scenario. California’s, that would be a real game changer. We haven’t seen that yet. So that’s a kind of notable difference and gap, I would say in most of these other state laws.
Victor Li:
Why do you think that hasn’t caught on? Is it just they don’t want to clock up the courts, you think? Or is another reason?
Benjamin Mishkin:
It’s a great question. I think that there’s a number of different interests at play. I think that the business lobbies, the pro-business lobbies in all of these states, I think are really would lobby hard against a law that was trying to put to do a private right of action.
Victor Li:
Yeah, fair enough.
Benjamin Mishkin:
I think that that would be seen as, like you were saying at the outset, a deterrent to doing business generally. So to preview, I guess part of the federal conversation, I think that’s a big reason why a lot of people think that’s a big reason why the federal government hasn’t moved on a privacy law is because the business stakeholders who would probably be some of the prime movers pushing Congress to get a law, they don’t have that incentive right now because there’s no private right of action. And again, the only state that’s been kind of aggressive so far is California, which you would expect. So a lot of commentators think that unless and until you start getting some states that have a private right of action, the federal government’s not going to have the sufficient incentive to jump in and put a federal law in place that preempts all of these state laws.
Victor Li:
Gotcha. And so we’ll talk a little bit more about federal law and what may or may not happen after we take a quick break for a word from our sponsor and we’re back. So unless you be living under a rock, we have a new president, it’s fair to say that he could be unpredictable, doesn’t necessarily do what people expect. So what can we realistically expect from President Trump in this new administration? I mean, obviously he just fired the head of the Consumer Finance Protection Bureau. In general, Republicans tend to be very hostile toward the CFPB. Do you think that’s going to continue under this administration?
Benjamin Mishkin:
Yeah, I think from a consumer privacy perspective, people are not optimistic that of Republican Congress and this White House that we’re going to get, like I was saying before the break, that we’re going to get a federal consumer privacy law or that we’re going to get the kind of watchdog, consumer protective actions that we were seeing at least a little bit from some of the administrative agencies out of the Biden administration. I think that there are narrow domains in which it appears that either there’s bipartisan in some cases or Republican support for some privacy related initiatives. I think the biggest one is child protective laws. You’ve already seen a little bit of conversation and action on that front at the federal level to strengthen copa. I think that that recently went into effect or will shortly go into effect, and you’ve seen some of that at the state level as well, that the states have passed, call them laws that are specifically geared towards children and protecting children’s information, protecting children online.
I think that’s an area where you really do have bipartisan consensus that is a gap. COPA hadn’t been updated in a long time, and the state of technology, as it always does, has outpaced the legislation. California has a design code act that is, I think a pretty stringent, maybe the most stringent example of this in the United States where if you design a device or a service specifically for children, children in California, that you have to comply with this design code Act and it’s a rigorous law. So I would not be surprised to see that other kind of narrow areas in which you might get either Republican support, bipartisan support, or both. I guess this rubs up against some of the AI topics, but stuff like deep fakes where you have people impersonating other people that is an intersection of privacy and ai, like I said, I think there is already clear bipartisan consensus.
That is a big problem. I think you already have seen, and you’ll continue to see people legislating in that area to either prohibit or criminalize DeepFakes and similar voice cloning in those type of technologies. So that’s a couple examples. Again, I mean, I think the big thing that everyone is waiting for in the privacy world is a federal privacy law. You got a bipartisan bill last year. In the last year, the Biden administration, it had support on both sides of the aisle. I want to say American Privacy and Data Protection Act, something along those lines. I don’t have the name of it in front of me, but it had sponsors on both sides. The aisle, it was going to preempt the state laws, and I don’t even think it got an up or down vote in either the House or the Senate. I don’t even think it got out of committee.
Victor Li:
The American Data Privacy and Protection Act, the ad PPAI think, or something like that.
Benjamin Mishkin:
Yes, thank you. The privacy world was surprised to see that bill get introduced last year, and everyone was kind of skeptical, and indeed it did not get an up or down vote in the waning months of the previous Congress. So even in that, which I think everyone kind of agrees, we had, for better or worse, we had a better chance under the previous administration if it had reached President Biden’s desk. I think that people are skeptical that it’s going to get the kind of support that it would need in the current Congress and from the current White House. I think there’s a number of reasons for that. What I’ve read is first and foremost, that is not a priority for, or it’s not top of the priority top of mind for the current congressional leadership or President Trump. So I think I was saying earlier, I think there has to be some external factors that bring other stakeholders in to put pressure on Congress to pass federal law, a law obviously, that it would only kind of have the kind of positive effect if it had preemptive power. If it didn’t have preemptive power, then you would have a federal law rule of the road, and then you might have 50 different state rules of the road. So I think everyone on the business side of this equation, most of our clients would to see that, would like to replace 19 rules of the road with one rule of the road. And unfortunately, I’ve been saying I think that the prospects of that are now poor, at least for the short and maybe the medium term future.
Victor Li:
Well, lemme ask you, I mean, there have been some Republicans who have expressed skepticism about big tech wanting to regulate big tech or at least take a close look at things. I think Josh Hawley’s been one of the big ones, and we talked about the Florida law, where you talked about the Florida law, which kind of covers that narrow ground a little bit. Do you think that could possibly be an area of common ground between Democrats and Republicans? I mean, again, it can be hard to predict the White House, right? First they hated TikTok. Now they love it. Now they hated Facebook. Now they love Facebook. So that can be hard to predict, but do you think that could possibly be an area of common ground?
Benjamin Mishkin:
Yeah, I mean, again, perhaps there are some areas of common ground where you get bipartisan support for things, especially if it’s not generally applicable to any business or anyone who does business on the internet, which is everyone narrowly regulating certain aspects of these tech companies that have become so pervasive in our everyday life. I could see narrow initiatives getting bipartisan support. I think the law in Florida is, I don’t know to what extent that has potential to be the template for something that would be a national or federal law, but there are certain things I think people are, again, both sides of the aisle, people are awake now to the idea that there can be harms on some social media, especially again, children using social media. I think there’s a push now to, if not age gate with more stringent effect, then kind of more effectively regulate children’s use of social media, this kind of perception that social media is addictive in certain ways and can be harmful to brain development, especially again, for children and adolescents.
I think you could see support for something in that regard, which not necessarily privacy, again, it’s privacy adjacent probably, but regulating the big tech companies who have obviously meta and the big other big platforms that have the services where everyone is logged in. That would be the only ones that would really be relevant, I think, at least at first. And then I guess the other one, again, it’s privacy adjacent, but a lot of people think this administration is now going to be more friendly to crypto. So I think that’s yet to be seen exactly how that’s going to play out. And obviously as I’m talking to you, Bitcoin I think lost a few thousand dollars overnight. I didn’t look at the number this morning, so I don’t know how happy people are at this moment with the administration getting that industry. Obviously that industry has been stigmatized to some degree and siloed to some degree because the suite of financial regulations have not really allowed them to integrate meaningfully into a lot of areas of commerce.
And I think there is a lot of people think that this administration is going to pave the way for that a little bit. So I wouldn’t be surprised to see that. I think that if you could do that in a responsible way, I think that that could also get bipartisan support. There’s people on both sides of the aisle I think are going to have constituents who want to see that industry succeed. So that’s another, again, privacy adjacent area of technology focus where I think this administration, this administration and this Congress could actually get something passed.
Victor Li:
What about existing federal law? Are there laws that are currently on the books that will cover some aspects of privacy or data protection, or is that not sufficient?
Benjamin Mishkin:
No, I mentioned there are narrow fields in which there are federal laws on the books that give people privacy rights, I guess is the short answer I mentioned. One COPA already gives children rights, children and their parents and guardians obviously rights with respect to how children’s information is collected and used on the internet. A couple other examples, the other one everyone knows is hipaa. In the healthcare world, obviously there’s a federal law, hipaa, if you are providing any kind of healthcare services or if you are a healthcare service provider, that’s where most of our clients are. Not healthcare providers themselves, but they are contracted service providers. And under the HIPAA parlance, they’re business associates. There’s obviously a whole suite of rights that people have under HIPAA and a robust set of requirements that those entities have to comply with. And then the other one that we come up a lot against in the financial sector, there’s the Graham Leach Bliley Act.
GLBA is the acronym, and that is the law, and I’m sure that you’ve seen it, Victor, when you open a bank account or when you get a loan, if you’ve ever got a loan, they present you with the same kind of table. It’s a chart. It looks kind of very standard. It’s a set of privacy disclosures that they’re obligated to make under GLBA. Both traditional financial institutions and financial service providers have to make this disclosure to you and certain use cases of your data, they have to allow you to opt out. There’s probably a couple other examples. Those are the biggest healthcare and the financial services and protecting children’s information, and you’re starting by the way to see that at the state level. Also, some of the states are taking a narrow approach, some of them, in addition to the larger, more generally applicable consumer laws, Washington state passed a law, my health, my data that is narrowly tailored to health data and regulates entities that are not hipaa, not subject to hipaa. So if you are out there, you have an app, you have a wearable, a smart
Victor Li:
Device
Benjamin Mishkin:
Device, yeah, yeah, exactly. And you’re collecting health related information. You’re not a healthcare provider. You might not even be a service provider to a healthcare provider. And then this law is meant to kind of cover that gap. Again, it’s a pretty stringent law if you’re collecting the health data of people in Washington state, that you have to be compliant with the New York State legislature. Again, as I’m talking to you, just I think last week passed a law that would be similar to that, a law that would be similar to Washington’s My Health, my Data Act, that would kind of bridge a gap between what HIPAA covers and this healthcare health tech world, and that is governor of New York. People are not sure. There’s people pushing both ways is my understanding on pressure from both ways for her to sign it or her to veto it. So we’re going to see what happens there. So there’s some examples of that where states have gone narrow as well. I think that that’s going to continue. So that’s another kind of complication to the patchwork of state laws. It’s even further complicated if you’re in one of these regulated industries like finance or healthcare that you very well may be subject to not only the general applicable consumer privacy laws, but then these industry specific laws as well.
Victor Li:
Before we continue, let’s take a quick break for a word from our sponsor and we’re back. So let’s take a look ahead. I mean, obviously you had talked a little about your lack of optimism when it comes to the federal level, but let’s just say magic happens and they pass the GDR or the American version of the GDR into law. Do you think that’d be a good thing for this country, or do you think GDP DR is too stringent? What are your views on that?
Benjamin Mishkin:
I personally would like to see a national privacy law, federal privacy law with preemptive effect. I think that it is getting a little bit, I will call it a little bit silly and a little bit certainly difficult for a business who does do business in all 50 states to have this many different rules of the road. I think that there would be a lot of benefits from that in terms of certainty for our clients and for businesses about what the rules of the road were looking to the federal government as the sole source of authority with respect to consumer privacy, I think just makes a lot of logical sense and would clarify I think a lot of confusion and difficulty that the businesses are having right now. I don’t think if I was given lawmaking powers in the United States, I would not just clone the GDP DPR and put the GDP DPR in place.
I think that as you are seeing obviously from a lot of the pushback from some of the American technology companies that have been subject to scrutiny in Europe, there are aspects of the GDP DPR that I think are, they’re difficult to comply with and that they cause businesses to kind of go through a lot of heartache in order to do something that I frankly don’t think has a great deal of benefit. A lot of people say it, but I think it’s true. The one concrete thing that happened since GDPR went into effect is you have a cookie banner on every website that you ever land on. I think they have it more there if you have an IP address coming from any EU country than the us, but even in the US you’ve seen it now, every single site you land on, you have to go through a cookie banner to make it go away basically before you use a website.
Is there some value there? Yes, there’s definitely some value, but I don’t think, I just have to think that there is a more targeted, smarter way to get companies to both be transparent in terms of what they’re doing with people’s data and to give people some basic rights with respect to their data. So I would strike a balance. I guess I would like to see the people call ’em the Virginia model of laws, because Virginia was one of the first states, and Virginia’s model is kind of held up as the other side of the spectrum from California, which we were talking about earlier. Virginia doesn’t have any private right of action. It has the similar suite of rights to what you can do under California. So the substantive rights that people have are very similar, if not identical, and it doesn’t have those crazy exceptions. So it doesn’t apply to your employees, it doesn’t apply to your business contacts. It has an opt out for targeted advertising, which is I think the biggest target of these laws across the board. Everyone’s trying to give people rights to allow them to opt out of these kind of what are seen as invasive advertisements and pervasive advertisements that kind of follow you around. If you’ve ever gone to three different websites and seen the same banner ad
Victor Li:
Oh yeah. Oh yeah. Right. I’m
Benjamin Mishkin:
Sure that you have, as we all do. I think you get that in federal law. Again, I just think the reality of the different interests at play is you’re, you’re probably not going to get a federal law, at least not again, in the short to medium term that would have preemptive effect, I’m sorry, not preemptive effect that would have a private right of action. You would want it to have preemptive effect, but they’re not going to want it to have a private right of action, and instead you would task one of the existing federal administrative agencies with enforcing the law. So I think that’s my reasonable best case scenario is that you would get a Virginia model law that has preemptive effect, so it gives you the one rule of the road. It simplifies your obligations, and the businesses are happy that it doesn’t have the private right of action.
The consumer advocates are hopefully at least a little bit happy that people are getting real rights under the law and that there is a recourse in terms of you make a complaint to one of these federal agencies and the federal agency can choose to investigate, which is how many of these other laws that we’ve talked about work in a similar fashion. That’s where I would want it to go. If I was in an ideal world, that we would get that one rule of the road, like we’ve talked about for a variety of reasons, I think it’s unlikely to happen, at least with the current makeup of Congress and the executive.
Victor Li:
Are there more states that are considering data privacy laws, and do you think that they would skew more towards the Virginia model, or do you think there would take the more restrictive California approach?
Benjamin Mishkin:
Yes, yes. There are a number of other states right now that have them in their legislature. Those states include, I’m talking to you from the suburbs of Philadelphia. As we mentioned at the outset, Pennsylvania and New York also there, the two of the biggest states that are debating laws right now, some other states, Ohio, South Carolina, Illinois, Massachusetts, those all have laws that are in somewhere in their legislatures. I don’t have enough on the ground intelligence to tell you whether I think they’re going to pass or not. The biggest one is New York. I think people are surprised that New York doesn’t have one yet, one of these comprehensive consumer laws, everyone kind of is in agreement that this patchwork is just going to continue to grow. Maybe some states will just be hold out to not do anything, but you’re going to have 25 states. You’re going to have 30 states by 20 26, 20 27 if we stay on the current trajectory, and then no, I think most of them are not.
California is unique. No one has exactly copied California. Maryland is a recent example of a law that is more stringent, and I think I mentioned in some respects more stringent actually than California. It has data minimization standards is the thing that’s getting people a little bit of excited and worked up. None of the other state laws in the United States have really codified data minimization, which means you’re statutorily prohibited from collecting and using more data than is absolutely necessary for whatever the purpose is that you say that you’re collecting the data in the first place. It’s A-G-D-P-R style of privacy, and the data minimization is actually a little bit different than GDPR, but I would call it GDP, DPR style in this Maryland law. So most people Maryland to the side are emulating what I was calling the Virginia Model of laws. I think that will continue to be the case because again, it strikes this nice balance. I think what is a pretty nice balance between consumer advocates and pro-business doesn’t have the private right of action gives a consumer some rights that they didn’t previously have. That is the vast majority of these laws. Strike that consensus. I think that will continue to be the case going forward.
Victor Li:
So finally, if our listeners want to keep track of these issues or want to get in touch with you to ask you some questions about it, what’s the best way for them to do that?
Benjamin Mishkin:
So yes, people absolutely could feel free to reach out. My group again, helps all kinds of companies, everyone from very large corporate clients to startups and people who have an idea and helping them out of the gate. So we’d be happy to talk to you about your privacy needs and privacy exposure. My email is B Mishkin, the letter B-M-I-S-H-K-I-N, at cozen.com. My firm is you can go to cozen.com or Google Cozen and my name Benjamin Mishkin to bring up my profile. Please feel free to get in touch. We send out client alerts, we do blog pieces. We do podcasts like this, the one with Victor today, which has been lovely, by the way. So happy to assist anybody who is interested in this issue and is looking for privacy advice, privacy counsel.
Victor Li:
Great man. Yeah, I enjoyed our conversation too. Thanks again, Ben, for joining us.
Benjamin Mishkin:
Absolutely. It was my pleasure and I’d love to come back sometime.
Victor Li:
If you enjoyed this podcast and would like to hear more, please go to your favorite app and check out some other titles from Legal Talk Network. In the meantime, I’m Victor Lee and I’ll see you next time on the ABA Journal Legal Rebels Podcast.
Announcer:
If you’d like more information about today’s show, please visit legal rebels.com, legal talk network.com, subscribe via iTunes and RSS. Find both the ABA Journal and Legal Talk Network on Twitter, Facebook, and LinkedIn, or download the free apps from a A Journal and Legal Talk Network in Google Play and iTunes. The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network is officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Notify me when there’s a new episode!
|
|
ABA Journal: Legal Rebels |
In depth interviews with innovative pioneers in the legal profession.
