February 24, 2021
2020 saw many changes in the world of privacy, and 2021 is shaping up to continue that trend. From changes in state laws, to updates to European privacy law, to the possibility of federal privacy legislation in the US, and more—here’s what you need to know.
Privacy Law Developments in the US
As discussed in SixFifty’s recent blog post, the California Privacy Rights Act (CPRA) was approved by California voters last November. The initiative significantly amends the state’s existing California Consumer Privacy Act, a law that has set the de facto standard for general consumer privacy in the nation. One thing to watch with the CPRA is its prohibition on “dark patterns,” or user interfaces designed to influence, manipulate, or even trick consumers into “agreeing” to more invasive privacy practices than they otherwise would. While the CPRA doesn’t fully take effect until the start of 2023, your organization will want to begin considering how to include privacy by design in its products—not to mention to begin planning on how to comply with the legislation’s myriad other new provisions—sooner rather than later.
Elsewhere in the US, lawmakers in Washington state are hopeful that they can pass their own consumer privacy law this year after coming close to doing so in 2020 and 2019. The current proposal borrows a mix of ideas from privacy laws in California and Europe and does not directly regulate facial recognition technology, which was a sticking point in previous iterations. One very current issue this version of the bill does address is how both private businesses and state agencies can handle personal information when addressing public health emergencies.
New York is also considering two privacy-related bills: one focused on biometric data, and another that would require companies to disclose their deidentification methods, place safeguards around data sharing, and allow consumers to obtain the names of all entities with which their data is shared. The bill would also allocate funding for an office dedicated to privacy/data protection.
But both Washington and New York may be beaten to the punch. Over the last three weeks, Virginia’s Senate and House of Delegates quickly approved versions of their own Consumer Data Protection Act, which is largely similar to Washington state’s proposal—and did so by wide margins. The law would require businesses to conduct privacy impact assessments in many situations; provide consumers rights to access, correct, and delete their personal information; and have a broader opt-out right than California currently does (though similar to what the CPRA will impose starting in 2023). Virginia’s opt-out right would reach not just sales of personal information, but also targeted advertising and profiling that produces significant effects on consumers. Like Washington’s proposal and the CCPA, the law would not include a general private right of action, meaning that individual consumers would not be able to sue for violations—that would remain in the hands of the state’s attorney general. If the bill gets through reconciliation (no problems are anticipated), it could be signed into law by Governor Ralph Northam as early as the end of the month. If enacted, the law would take effect on 1 January 2023, in tandem with California’s CPRA.
If these or any other states enact new privacy laws, that could increase pressure on Congress to pass federal privacy legislation to prevent a patchwork of state privacy regulations. While this has long been an area of concern—Congress has introduced multiple significant legislative privacy proposals every year for the last half-decade—developments at the state level, as well as unified control of the Presidency, the House, and the Senate, make federal privacy legislation a much more tangible possibility.
In the health-specific privacy world, the Department of Health and Human Services recently announced proposed amendments to HIPAA regulations to enhance patient access rights and make it easier for them to share their health data. However, the Biden administration’s freeze on regulatory actions leaves the proposal’s fate uncertain.
Late last year the European Union announced draft versions of new standard contractual clauses for permitting the transfer of personal data under the General Data Protection Regulation (GDPR) to countries not already subject to an adequacy decision—such as the United States. This topic has become even more critical given the European Court of Justice’s decision invalidating the EU–U.S. Privacy Shield framework last year, leaving the standard contractual clauses as the primary legal basis for such transfers of personal data. Once the new contracts are approved, which could be as soon as the first quarter of 2021, companies will have a one-year transition period to implement them, though new contracts should incorporate them as soon as possible.
With the 31 December 2020 finalization of Brexit, the United Kingdom’s privacy laws are also in flux. While the UK and EU have agreed to continue to permit the free flow of personal data between their jurisdictions for the first 4–6 months of 2021, they hope to have an adequacy decision in place before that grace period ends. Either way, companies will have to begin considering the UK separately from the EU in their privacy analyses.
Closer to home, Canada is considering significant amendments to its consumer privacy laws. The changes would bring the country’s privacy regime more into line with the GDPR, including by tightening the requirements around obtaining user consent, codifying situations where companies can rely on their legitimate interests (in lieu of consent) to process personal data, beefing up consumer rights, and improving enforcement mechanisms—including significantly increasing potential fines, which in some cases could be even heftier than those under the GDPR.
Brazil is also implementing its new general privacy statute this year. Administrative fines, for example, go into effect 1 August 2021, but individuals and prosecutors can already bring claims for losses or damages. The law is modeled on the GDPR and has similarly broad applicability, extensive consumer rights, and strict requirements about transferring personal data outside the country. Brazil has not yet issued any standard contractual clauses, so organizations should be prepared for a flurry of contract amendments or addenda when those are issued.
In summary the only constant when it comes to data privacy around the world is that laws are constantly changing and strengthening. Those organizations with less-robust privacy programs should anticipate increasing the attention and resources dedicated to privacy in 2021, and all organizations should anticipate a continued need for staying abreast of the changing legal regime.
Schedule a free demo with SixFifty to see how we can help you navigate the privacy requirements facing your organization. You can also sign up for invitations to SixFifty’s free webinars that cover privacy, employment, and other compliance-related areas.