National and State Data Privacy Laws and Their Impact on eDiscovery

Currently in the United States, only states have data privacy laws that may impact eDiscovery. To date, the United States has not supported a national privacy law. So where are we at with national and state data privacy laws and how do they impact eDiscovery?

Where are we at with a national privacy law?

Is a national privacy law, the American Data Privacy and Protection Act (ADPPA), likely this year? Currently, there are many state laws that relate to privacy, with more in the works.

States with laws enacted include:

States currently considering data privacy bills include:

The U.S. government has been discussing a federal law for more than four years. In the summer of 2022, Congress got together with the House of Representatives to try to move it forward.

The original plan pushed out the cause of action to four years, then two years. It was recommended that the FTC enforce the act and set up a privacy bureau, but today the FTC lacks funding and staff to enforce a national privacy law. The proposed act would supersede all state laws, an action that was not supported by California elected officials because they felt the California state law was stronger. No recent action has been taken by the U.S. government.

The bottom line is this act will likely not make it through all the legislative channels in 2023. Once one is passed, it is likely countries under the GDPR will not find the U.S. version adequate, so another Privacy Shield Program may be needed to provide data protection between companies operating in the EU and U.S.

Companies operating between the U.S. and the EU should consider taking a conservative approach to data privacy, only keeping data they need, knowing where data resides, knowing the jurisdictions in which they do business and understanding which regulations apply to them.

Privacy laws and their impact on eDiscovery

Data privacy rules will directly impact your eDiscovery workflow by restricting the types of data that may be collected, stored, produced, and utilized as a part of a case. For instance, before collecting and using a person’s personal information, businesses must seek that person’s explicit consent under the GDPR in the EU. GDPR violations are punishable by hefty penalties and judicial action.

Laws governing data privacy may also have an influence on eDiscovery’s review and production stages. For instance, the CCPA mandates that companies provide customers access to the personal data they collect and that they be able to have it deleted upon request. Due to the necessity to identify and exclude material subject to deletion demands, firms may need to change how they review and produce data during eDiscovery.

In short, the eDiscovery procedure will be significantly impacted by the data privacy rules in your region or the region of data origination. In order to comply with these rules, businesses and organizations must be aware of them and modify their procedures accordingly. Legal repercussions and financial penalties may follow if a company fails to do so. To make sure you are ready to address these issues, ensure you have experts on your team or on speed dial who can help guide you through these processes and make them as painless as possible.
