Nota Bene Podcast Ep. 142
Big Data: A Practical Guide to Global Privacy Law with Liisa Thomas
Thank you for downloading this transcript.
Listen to the original podcast released September 8, 2021 here: https://www.sheppardmullin.com/notabene-331
Companies are struggling to understand how to comply with rapidly changing and sometimes conflicting privacy obligations. For entities outside of the U.S. seeking to do business in the States, approaching and understanding the patchwork of state and federal privacy laws can be daunting, especially since U.S. privacy laws vary depending on the type of activities in which companies engage, the individuals from whom they gather or use information, and the industry in which the company operates. While there are some “general” privacy laws (notably in California and Virginia) those are the exception rather than the rule.
Rather than think about legal requirements on a law-by-law basis, it can be helpful to group obligations by activity. In this episode, Liisa Thomas discusses ways to approach these requirements, and the support the recent treatise, Thomas on Big Data: A Practical Guide to Global Privacy Laws released by Thomson Reuters, provides for organizations. She goes into detail about global privacy laws (including all 50 states across America), covering telemarketing, email marketing, wiretap and eavesdropping, biometric children's privacy, spyware and adware and online privacy.
Guest:
Liisa Thomas obtained her undergraduate degree from Haverford College, and received her Juris Doctorate from University of Chicago. Liisa leads the privacy and cybersecurity team at Sheppard Mullin and practices in both the Chicago and London offices. She coordinates global policy in the area of privacy, and has taught at many universities including Northwestern University.
Transcript:
Michael P.A. Cohen:
Welcome to Sheppard Mullin's Nota Bene, a weekly podcast for the C-suite where we tackle the current national and international legal headlines affecting multinationals doing business without borders. I'm your host Michael P.A. Cohen. Let's get started. Welcome to episode 142 of the Nota Bene Podcast. And thank you to all of our listeners in more than 100 nations around the world for your continued participation in our fourth quarter conversations. I should call them now that we are into Q4 or headed that way, I should say, guess we're still in Q3 but we're getting towards Q4. I so appreciate your continued participation and your feedback, please keep it coming, it does continue to help influence our programming.
Michael P.A. Cohen:
My guest today is Liisa Thomas, she is a repeat guest on the show and we're thrilled to have her back. Liisa obtained her undergraduate degree from Haverford College, her Juris Doctorate degree from the University of Chicago where she I believe may be sitting today, not quite at the university but in the Chicagoland area.
Michael P.A. Cohen:
Liisa leads the firm's privacy and cybersecurity team. She was notably born in Finland and has previously lived in France, Egypt, and Spain. She speaks French and English, went to high school in France, I just learned, and she coordinates global policy for her clients in the area of privacy, at least for many of her multinational clients. Liisa is an avid teacher, I can't list all of the universities where she has taught, there are many, but she is currently actively adjunct at Northwestern University School of Law where she teaches her area of specialization and expertise. She practices from the firm in Chicago and London offices. Her awards and accolades are literally too rich to list but you can find them in her biography which we will link to the show notes as we do with all of our guests. So for listeners who may want to reach Liisa you'll be able to just click through and find out everything you may need to know about her.
Michael P.A. Cohen:
Notably and for purposes relevant to today's podcast Liisa is also an important author in this area, she has authored two landmark treatise, Thomas on Data Breach and Thomas on Big Data. Recently, Liisa has published a new book, I've been kind of involved not in any way substantively with the book but I have known for a long time that Liisa has been authoring this new book and I have been waiting for her to publish so that we could do a show together and talk about it. So here with us to do that today is Liisa Thomas, Liisa, welcome back to the Nota Bene Podcast, it's so wonderful to have you with us.
Liisa Thomas:
Thank you Michael, it's nice to be here. And thank you for that very kind introduction. Could you perhaps introduce me everywhere please.
Michael P.A. Cohen:
If I get paid for it, sure. Going to need to make a living soon here. So tell us about this new book, I mean, a lot went into it. To visually see this book it is important, it is a treatise, it's two volumes, it's big, it is long in the making and relevant in its release. Tell us, when did you start to kind of feel you needed to do it? What is it? Why did you do it? And what do we need to know that's in it at least for purposes of this podcast? That's pretty loaded but I think I'm just going to hand it over to you Liisa.
Liisa Thomas:
Well, I'll take them a little bit out of order I think, I'll start with the subtitle of the book which is, A Practical Guide to Global Privacy Laws. And that's really what the goal was, was to create an overview for myself and for others of how do we as corporate organizations, how do we work through complying with the labyrinth that is the privacy law regime. And as you mentioned, this book is ginormous, it has both an analysis of, what do we need to do when we collect information? When we're collecting information do we need to give notice? Do we need to provide people with choices over how they use their information? How can we use information when we're communicating with people directly? Can we share and combine information? So it's organized in a way to answer practical questions that come up all the time in the privacy realm.
Liisa Thomas:
In addition though and what makes this book so long is that it analyzes all of the privacy laws around the globe and it's 2,500 pages, two volumes, and includes copies of all of the statutes so that they're all there in an easy to find place. And I started this adventure, and you mentioned you were looking forward to when I would finish this book, I have been looking forward to when I would finish this book for eight and a half years. It is embarrassing to say that it has been almost a decade since I had the idea to put this book together. And when I came out with the data security book I thought, well, there's two sides to the coin for privacy and cybersecurity, there's the data security side and then there's the data privacy side. So I finished the data security side and thought, okay, now I'll just naturally turn to the privacy side.
Liisa Thomas:
And it was overwhelming to say the least given the number of requirements that exist out there. And frankly in the US because each state has anywhere from 5 to 20 laws in the privacy space here in the United States we probably have two thirds of the world privacy laws just because our states are so active. You have 50 states plus several jurisdictions so you have 53 regions that are creating privacy laws and they're not shy about it. So unlike other countries approaches where they'll be a one stop shop type of law where we have the privacy law and maybe there's one or two additional laws, the US is based on activity, type of entity, type of individual from whom information is being collected, so that's sort of an exponential number of laws that can be created. So I think I answered all of the questions and expressed my overwhelm of having gotten to this point.
Michael P.A. Cohen:
Yeah. Well, thanks for coming on the show. That's it for this week folks. It was just wonderful. First of all I just have to say, one of the things I love about my conversations with you is your use of your own vocabulary like ginormous. I just learned a new word from you in our precon, cringeworthy, which I'm sure it goes back to the hip generation but one I'll start to apply in my daily life.
Liisa Thomas:
Take it from my 16 year old, my vocabulary is not hip.
Michael P.A. Cohen:
Right. Your kids will always tell you that, that's right, or teach you what you should say. But there were some things I did want to go back to here, I mean, I think that was an extraordinary overview. Number one, it took you eight and a half years to do this because that's what it takes. I mean, how many treatise are out there that serve as a practical guide for businesses for the world's privacy laws? What's the competition look like?
Liisa Thomas:
Yeah, there are. They fall into two buckets the way that most folks approach privacy law and really why no one has done this. One is, let's do an analysis of all of the different laws, so we'll go through this law, we'll go through this law, we'll go through this law, and there's maybe five or six volumes that do that. And that's useful if you're an academic, if you are at a law firm and you're trying to understand a specific law. There are also short guidebooks that will say broad/broad-brush, here are the types of things to think about if you need to give a notice. But to get into the level of granularity where we're saying we've actually looked at all of the different requirements of all of the different laws, no one else has done that perhaps because they don't want to be sitting in the spot that I'm sitting in thinking, what if I forgot a law in this small country that people often forget? And I will not name a country because one of your listeners will be in that country and be very offended.
Liisa Thomas:
But having been born in a country where there's only five million people in the country there are countries that sometimes folks forget about and so I have a great deal of paranoia that perhaps I've forgotten one of those. And I think it's a combination of people worrying about, well, I don't want to have forgotten a country so it's safer to speak to the broad-brush and the fact that because there are so many laws the laws will change. And so putting something in print you're almost committing to saying, I'm going to have to update this on a fairly regular basis. And I made a deal with my publisher that while I may update the breach book on an annual basis this book is going to have to be every other year. Because, as you mentioned, I am the lead of our privacy and cybersecurity practice and I do have a day job and clients that rely on me providing them with legal advice so I can't spend full time on these two volumes.
Michael P.A. Cohen:
Well, that just makes it all the more extraordinary that you have done this in my own view. And you mentioned that it's a practical guide and I love that, and I want to pause on that and go back to that. How do you see the audience for this book? As a practical guide I'm sure it can be used in academia but as you just mentioned or a practical person because you're in practice. You work with clients and companies around the world, you meld into a variety of corporate cultures that amalgamate into some multinational business experience in your own mindset so, is this useful to companies? Who should get this book? How should they use it? Is that a fair question?
Liisa Thomas:
It's a very fair question, it's one the publisher asked me too. And I think that there's three types of people that will find this very helpful, one are the folks like us that are in law firms and who are trying to answer client questions. And I think there's two parts of this that's very helpful, one is that it gives this structure for addressing the client questions. And the organization of it is in the way the clients would ask the question, what do I need to do when I'm sending text messages, when I'm setting up an opt-in? So it's organized the way the questions would arise. And it has copies of the laws so that you can give yourself this high level overview, you can read the analysis, but then you can, which is what we always teach our young associates, go look at the actual law.
Liisa Thomas:
Don't just rely on someone else's analysis of the law, look at the actual law. There could be nuances in the fact pattern that you have that you need to compare to the wording of the statute, so that's the first audience. The second audience are the folks in-house in companies in the legal department or in the compliance department who are trying to answer these kinds of questions. And those folks if they're at an organization that has a large privacy compliance team will probably use these volumes independently of talking to outside council. This is something that they're already familiar with, this gives them some direction and gives them an outline of answers. Then there's folks that are poor friends in-house who are the jack of all trades who have to wear 80 million hats.
Liisa Thomas:
And this will help them, one, be for the five minutes that they're the privacy lawyer at the company identify what are the issues and what do I need to think about so I can more intelligently speak to my outside council so I can gather better facts from my business team so that I can work with my outside privacy council to come up with a solution. So those are the first two and I think the ones that are probably going to be the bulk of the users. And then there's the third which is my secret hope, the legislators, the people that are drafting new laws, the people who are sitting in DC, for example, in the US and saying, we think we should have a US privacy law, and who are approaching this by thinking, and this will supersede all state laws. And it is, well, and Michael you can see me because we're on Zoom but folks listening can't see, but it's a 2,000 page, 80 bajillion pounds, that's another Liisa word, of let's hold up a minute we can't get rid of this number of state laws.
Liisa Thomas:
And by the way there are many federal laws that already exist so my hope is this third audience as they're drafting new laws will use this to educate themselves about what exists out there already and what does the lay of the land look like already. And my immediate vision is US legislators because those are the ones right now that are talking about passing privacy legislation. But I think it also is helpful outside of the US in regions where they're thinking about, should we update our laws? What should our laws look like? Perhaps it's in a region that feels like, no, I need to catch up with my neighbor, I think in my neighboring country or a couple of regions over they've got different laws or perhaps "better laws," this could be a resource for them as well as they're thinking about what does that full lay of the land look like.
Michael P.A. Cohen:
Wow. I mean, I just think that's fascinating. I have some reactions I wanted to throw your way that will lead into getting your thoughts back but first, just some comments. I love how you have organized and structured the book by conduct, what do I need to know when I am creating an opt-in for talks? I practice in the field of international competition law and I see this all the time, some lawyer goes in and he starts off his talk to the business people citing the Treaty of the European Union or the Sherman Antitrust Act and the business people are just like, what the freaking hell? If I wanted to go to law school, right? I would've gone to law school man, this isn't a law school class.
Michael P.A. Cohen:
I remember I think I received some fortunate training or perhaps it was learning through hard knocks, it was probably some combination of those things, but it's really easy to talk to business people about what they do, your dealings with customers, your dealings with suppliers, your joint ventures with competitors, right? You can structure competition law around the business conduct, it doesn't need to be around the law. What you're there to do is to, right? Shed some help to the business about what it is they do and fall into the framework that they deal with and how the questions come to them. And you seem to have done that here and I just didn't want to let that go as sort of a subtlety, that is a big deal, a big difference in a usefulness of a practical guide. And I just think that's just super wonderful and should make the book super helpful to folks who need to answer questions about the conduct and not necessarily about the law.
Liisa Thomas:
Yeah. This is a newer area of law and so creating that structure can be daunting. So I have lots of people help me with this book so I should be very clear about when I say I or if I say we really there's a we behind this. And there were a lot of people that helped me with the research of this over the years especially because it took so long and the laws kept changing. But one of the hardest parts about moving forward with this book was, what should the structure look like? How do we go through and answer those questions?
Liisa Thomas:
Because clients have practical questions, as you said, they really don't want to go to law school because you went to law school as their outside council or as their in-house council and that's what they're counting on you to do is just give them an answer and to take that step back and say, well, how am I going to figure out the structure of their questions? Because this is such a new area their questions are a little bit disorganized. Today it's, how can I use this information? I want to send text messages what do I need to do? But we never talked about what we needed to do when we collected the cell phone numbers so that later question often comes first.
Liisa Thomas:
And so how can we start to create structure not just for us as the lawyers but also how can we start to create a structure for the folks on the business side so that they can think about not the laws but so they can think about what are the legal impacts, right? Of the way they should be going through this process of collecting information, getting consents, giving notice, doing those things that we want them to do because the law says so in a way that they can project manage around. And to me this is what's so exciting about privacy law is that it really does force us as lawyers. And this is what I tell the students in the class I teach at Northwestern is, we as lawyers cannot give good legal advice if we don't also have a business hat on and think about things from the perspective of the business person.
Michael P.A. Cohen:
Precisely because that's how the law meets the real world. I mean, the law is really a creation of and meant to apply to the human experience and it's not supposed to be just some treaties of language and corollaries philosophically to exist in their own right. That's what I love about the field honestly is that it does capture the human experience. I mean, tort law being born from a guy trying to break up a dog fight and poking another guy in the eye, I mean, that's the kind of shit that happens that creates law and this one created a field, stuff like that is super important. But if you're sitting at the general council desk you're going to get the question from the business people and they're going to ask you the conduct question. And having a book that's structured in a way that helps them to that at least pinpoint area, right? Is such a big beginning.
Michael P.A. Cohen:
It's really wonderful how you thought about that, I think the we part everybody gets, I assumed that and probably shouldn't but I was glad you said that, there's so many people that helped with it over the years and that's just wonderful to hear and to be expected. The other thing you mentioned is that you included the law so that somebody could go look at it and this somebody being an associate attorney in a law firm or a junior attorney working in an in-house position for a client, somebody legally trained, and I just think that's so important. People get to a phase of life where they assume they know something or that they know everything and the most dangerous thing in the world or that they know enough. I had a professor in my own education who said, "Look man, no matter how many times you think you know something, you go read the freaking statute," that was some of the most salient advice I had ever received in my career.
Michael P.A. Cohen:
Mostly applied for me in early days to evidentiary rules where there's a federal rules of evidence book and there are actually rules and rules of criminal procedure and rules of civil procedure but read the freaking rule, and I used to read the advisory committee notes every time too. It's so important to actually in practice look at the actual law to frame just everything you're about to do and the in-house audience it just does seem to me to be a remarkable resource. The legislator audience is where I wanted to come back and talk with you a little bit. You had a remarkable statistic and this just relates to something I had written down and was circling back to with you in all events, two thirds of the book are US state laws.
Liisa Thomas:
I didn't look exactly at the page count.
Michael P.A. Cohen:
You're making a point that it's a huge part of the volume, right? And yet the United States to a business client, right? To a multinational business, the United States is supposed to be a single market, right? I mean the European Union is a common market, China is a massively giant market, Japan is a market, Korea is a market, they're all important economic markets. And when you think of the United States a lot of multinationals think of the United States as an important single market North America. So for two thirds of this book to be state laws that are individual regulations in what's supposed to be a common market, I mean, that's impactful to a multinational business.
Michael P.A. Cohen:
At some point that has to affect interstate commerce in some way that is meaningful particularly in an era where America is no longer in the seat to count its laurels and just expect everybody to come do business here, there are folks who will be able to choose not to do business in America. And that hasn't really been part of America's history post World War II, that absolutely creates a regulatory burden in many ways. Do you think that it is time, Liisa, for preemptive federal legislation, a single policy from the federal government in America on privacy? Why isn't that a better idea for America as a market among many than 50 states where this in some senses I kind of feel is politically appealing but over the state's heads? Can you react to any of that?
Liisa Thomas:
So I think one of the reasons why you have so many more privacy laws in the US than in most other countries is that US approach is to be very targeted in passing requirements that are specific to what a company is doing. So instead of saying we are going to have this broad stroke requirement that applies to absolutely every company that's doing business in our state, we're going to say, if you're sending text messages this is what you need to do for that activity, or if you are a mortgage lender you need to do this. And so perhaps because I've been living with these laws for so long and I sort of see myself in some ways as an evangelist promoting that they do make sense I actually find that that is a reasonable approach and it's one that's worked for decades.
Liisa Thomas:
For probably a lot of these laws started to come up about 80, 90 years ago with the advent of phone call sales and because we're regulating based on activity we are regulating also at a federal level based on activity. So when we talk about a US privacy law that looks like GDPR that would mean essentially dismantling a system that has grown up over 100 years and at a federal level as well because we have wiretap statutes that say, thank you for calling company X, this call will be recorded for quality and assurance purposes, that's a federal statute. That's also state laws that some states and for lawyers who are from with them there's the one-party consent state and two-party consent state so we've got that at a state level and a federal level. So rejiggering really our entire approach to privacy seems to me to be a fairly daunting undertaking really changing the way our legal system works and so I honestly don't think it's possible.
Michael P.A. Cohen:
Why is it rejiggering? Why can't we collectively use that wonderful laboratory of experience that you just highlighted and create some singularity for it that incorporates the best of that laboratory experiment for a common market experience forward?
Liisa Thomas:
So let's presume that I am absolutely 100% correct and I have found every single law. So we're going to now preempt every single one of those both at a federal and state level, which seems a little impossible but let's say that I did that, then we have to create a law that is now appropriate and applicable to every type of company doing every type of activity. And so what you may find is some of the consumer protections will diminish because it's just not possible to have that high of consumer protections. In some places we might have had higher consumer protections, now we're going to have to sort of even that out so you're going to have some on the consumer advocacy side that will not be happy with that. On the flip side, there are some industries that were not regulated because we weren't as concerned about them that will now have to follow higher requirements that didn't have to follow higher requirements before so I like the customized approach.
Liisa Thomas:
And I think as an example, Australia did sort of this mix of those that said, we have this general privacy law that's kind of a baseline but then we're also anticipating that different industries will have higher requirements because of their industry. But we already have that so we already have that sort of mix. And then the other piece is that states are charged with protecting the citizens that live in their state and many states are much larger than many countries. And so we're saying now instead of having consumer protection that is local-ish as exists in other countries that are the same size as some American states we are going to give that consumer protection responsibility only to a federal level. Now, maybe we would have enforcement at a state level but then the enforcement might start to look different.
Liisa Thomas:
And I think it just seems to me to be a lot for a system that when you look at it actually has some elegance to it and does work well. And what I typically tell companies, going back to your earlier comment about is now, well, people want to come and do business in the US we have to keep in mind that although we are talking about there's all of these laws really the perspective from outside of the US is that we don't have many laws and that even if we do have laws they're easier to comply with than laws outside of the US. And in some ways they are because they're very targeted, they're very focused, and they're easier to comprehend and understand.
Liisa Thomas:
And in addition to being appropriate to a particular industry I always remind clients and students when I'm talking about privacy laws, at the end of the day most of these laws boil down to just two requirements, notice, tell people what you're going to do, and choice, give them some choice, and so we have all these different versions of notice and choice that are appropriate to the activity. So that's a lot easier to change, right? Text messaging is real popular right now but when you and I started practicing law and the people listening to this that were practicing law, when we were starting to practice law, they'll laugh at this, they always laugh at me, but faxing was a really big deal and very modern and new and it was like, wow, faxing. There's still people that are doing fax advertising and because we have laws that are just in that space it's much easier to modify those laws to keep up with new activities.
Michael P.A. Cohen:
That is a super interesting perspective and point. And I'm not really sure that I fully appreciated before your description that this matrix of regulation in America is perhaps easier to relate to because it's born from actual conduct and actual experience, it's not theoretical. And that that is a bubble from 90 years of communication type laboratory experience and that this isn't just regulation on a mark, to the contrary, it's tailored and thematically perhaps easier to follow than legislation that is more contemplative and I think that's a super interesting perspective. In addition, the states have cooperated in the past in many areas where there has been a need for uniformity, uniform commercial code, uniform enforcement of judgments, I mean, there's many areas where the states cooperate.
Liisa Thomas:
Yeah. And many of these laws follow similar patterns, it's not like they're that terribly different, there's just a few nuances from jurisdiction to jurisdiction.
Michael P.A. Cohen:
It'd be important if you're from there. The last thing I think that is really interesting that you kind of captured in your statement is that, hey, look, that local state responsibility for the public welfare of its citizens is not, I mean, this is what's built into the constitution, right? These states are important. I know there's a sleight of hand in American Supreme Court jurisprudence that basically says the federal government is for the people but the states really think they created the federal government and it exists at their will. And they're right because the states can call a constitutional convention by some majority that I should know offhand, which is probably 75%, and completely reform the entire structure of the nation. So they could do that without the will of the people, frankly they could do that, that's state legislatures but it would be reflective of supposedly the will of the people. Look, well, it boils down to this, as a Californian I'll just say this, man, I don't want people from Texas telling me how I live my life in California.
Michael P.A. Cohen:
And people from Texas are constantly telling other people how to live their lives nowadays outside the borders of Texas as their own lawsuits against those states indicate. And California is one-tenth of the population of the entire country, California probably feels a pretty strong responsibility for the 10% of the people who have decided that they want to live their lives in the way that California prescribes for them. And Texans may feel the same way about Texas and that's great as long as you're not telling somebody else how to live their life, go live it the way you want to, I don't care. And there's a law to the American state structure that is that way, right? There's a libertarian theme there. I hesitate to use that word now because it comes with so many political connotations. But to use it in its legal philosophical terms, there is indeed a self-governance principle in state regulation when it comes to consumer protection that's super important and I think you really captured that, that was cool.
Liisa Thomas:
When you were describing sort of the states getting together or competing in some senses, right? Of like, this is the way we do things in California, this is the way we do things in Texas. And I think about the ability to enforce different laws that it would be almost impossible to say we're not going to have any state enforcement of laws and federal laws anticipate state attorney general enforcement of federal laws. But I also think about how dynamic these various privacy laws, telecommunications laws, telemarketing laws, telephone solicitation laws, how much they evolve and change. Florida, for example, just recently changed its telephone solicitation law, it's sort of like we're constantly improving the laws because we've got 50 of them that can change. So for the data breach book every year there's a few states that kind of update their data breach laws, little tweaks here, little tweaks there. We're going to add what constitutes personal information under the definition in the data breach statute.
Liisa Thomas:
And then another state says, hey, that's a good idea, I think I'll do that, and so you get good ideas that come out, you get some bad ideas too frankly that spread and everybody jumps on board with a bad idea, but it allows for an evolution of laws where you say, well, all of the data breach notification laws are more or less the same with these 17 differences. And so we as a company, and this is what the breach law book does is to say, if I need to know just basically what do I need to do across the country that will outline as long as you do these things because this state requires this, this state requires this, you don't really care about that, you just want to know what you need to do, here's what you need to do across the country.
Liisa Thomas:
And I've taken a similar approach in thinking about the privacy laws. Okay. You don't really want to know what the different states say, you just want to know, what do I need to do? How early can I make advertising calls and how late can I make advertising calls? And the states may differ but they're all speaking to the same thing, there's a certain time that's too early and there's a certain time that's too late. And that allows these laws to evolve in a way that if we just had one we wouldn't be able to evolve. I think where the stress comes in are things like the Illinois biometric law where it's a brand new thing, no one has regulated it before. And that's where I think we get into this conversation around, well, should states be allowed to regulate a brand new thing? And that's that interstate commerce piece, is it really only in Illinois? Because it's really not only in Illinois and we see that very much coming out of California.
Liisa Thomas:
California passes the law because they're protecting people in California, but is it really only impacting people in California? Isn't it impacting everybody? And I think that's where that interesting part of the discussion comes. Because these states do just come up with these brand new ideas and we're seeing this, California came up with CCPA and then you've got Virginia and then sort of this snowball of, are we going to have of all these other states? We saw this before and I think we're going to see something very similar with CAN-SPAM. I think by 2002 we had maybe 23 or 25 states so about half the states had passed email marketing laws. Email was this brand new thing, people were starting to get email advertising and states were passing these email marketing laws.
Liisa Thomas:
They all looked very similar and California came out with one that said, in the subject line a company would have to put ADV in the subject line of the message so the consumer would know that it was advertising and then obviously very easily be able to delete it. And in December of 2002 the federal CAN-SPAM Act was passed to preempt that part of the California law but all of these other state laws and say, no, this is the way this narrow activity is going to work across the entire country. Because emails by their very nature are going, it's an inner state thing, so it doesn't make sense to have a different version on a state by state basis.
Liisa Thomas:
And so I wonder if we're going to have something very narrow like that that says it doesn't make sense to give a different way for people to ask for access and deletion of their information on a state by state basis because it's too much of an interstate thing. So that might be what our federal law looks like is it says, we can't just have all of these states coming on board, especially with this concept of telling companies I don't want you to fill my information. We can't have the California approach is this way, the Virginia approach is this way, the West Virginia approach is this way, the Vermont approaches this way, I'm just making up states, it would not work and so we need one approach for that particular activity for that particular thing, I think that makes a lot of sense.
Michael P.A. Cohen:
Yeah, it really does. And it allows the laboratory, right? To bubble up the idea and then of the federal government to step in surgically where there is a need for common market regulation. Which might be easier and better approach 435 men and women representing their various constituents in one chamber and 100 in another rather than to try to recraft, as you said earlier, or even conceive forward a world that doesn't yet exist. That's not really what they're in the business of doing, that perhaps is a great benefit to the model in many ways so not surprising the book then is so awaited.
Michael P.A. Cohen:
Liisa, you've been so generous with your time today but I'd be remiss if I let you go before I ask you one last question. I know that you are now going to be on a two year cycle at least for revisions and I think that's wise by the way, but putting the book aside, what do you see as the kind of major things that lie ahead over that two year period? Putting your visionary goggles on for a moment, what's a foot in the privacy world that folks may want to tune into? You mentioned Illinois and biometrics, that may be something to look at, anything else or want to talk more about that?
Liisa Thomas:
This is a hope that this is what is on our radar over the next few years, these laws are just going to keep changing, they are, there's going to be biometrics, there's going to be these different laws that pop up, there's going to be a different approach to do not sell. I hope that this organization, this structure, helps companies start to think about how are we going to approach privacy compliance from a practical risk management perspective and how can we use this as a tool to help us feel more comfort around our privacy compliance activities. A lot of people come to me or they don't come to, they have these thoughts independently of, I'm really concerned about how compliant my company is with privacy, I don't have a big budget to deal with this, I am not really sure what the biggest and next risk is, the biggest problem is, and I don't know where to start.
Liisa Thomas:
And so maybe I'll work with IT and spend a big budget on cybersecurity initiatives, maybe I'll get very wrapped up and worried about ransomware, maybe I'll be very concerned about the Illinois biometric law, but really what I feel like I'm doing is just playing Whac-A-Mole, I'm just there. One thing for those folks who are outside the US and not familiar with our game of there went one problem and here comes another. And so I very much hope that the next few years are spent thinking about, let's put some structure and organization in place and figure out ways that we from the privacy compliance outside council inside compliance team can help organizations better, and this is that big data piece, better use this information and feel comfortable with using it in a way that is protective of individual but also recognizes the goals and the bottom line of the company.
Michael P.A. Cohen:
Thanks Liisa, that's so well put. Liisa Thomas everybody with a new book, Thomas on Privacy, a practical guide, and we'll include links where you can get the book. Liisa, thank you so much for being with us and sharing some of your time with our multinational audience today. It's always great to have you on the show and I hope I get to see you again soon.
Liisa Thomas:
Thank you Michael. This was fun as always.
Michael P.A. Cohen:
Well, that's it for this week folks and I look forward to continuing our weekly conversations until next Wednesday when we release. Be well.
Contact Information:
Liisa’s Bio: https://www.sheppardmullin.com/lmthomas
Resources Mentioned:
Thomas on Big Data: A Practical Guide To Global Privacy Law
* * *
Thank you for listening! Don’t forget to FOLLOW the show to receive every new episode delivered straight to your podcast player every week.
If you enjoyed this episode, please help us get the word out about this podcast. Rate and Review this show in Apple Podcasts, Amazon Music, Stitcher or Spotify. It helps other listeners find this show.
Be sure to connect with us and reach out with any questions/concerns:
This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.