The following provides some key insights to consider as we kick off 2021.
- The California privacy law landscape is set to change dramatically (again). While 2020 was host to uneven implementation of the California Consumer Privacy Act (CCPA), 2020 did come to a close with two monumental changes to the California privacy law landscape.
  - California will have a new top cop. With California Attorney General Xavier Becerra joining the Biden administration, the California attorney general position remains vacant. Privacy enforcement under Becerra was less than forceful given the other priorities of the attorney general’s office during the Trump administration, but it should be no surprise if privacy again becomes a priority as it was during Vice President-elect Kamala Harris’ tenure as California attorney general.
  - If you thought the CCPA was onerous (or simply ignored it), here comes the CPRA. California voters decided to up the ante on consumer protection, and the California Privacy Rights Act (CPRA) passed in November 2020. You can review some of its key provisions here, but now is the time to put together a compliance plan and leverage the work your organization undertook to comply with the CCPA.
Despite another round of modifications issued late in 2020, the CCPA will be the subject of enforcement activity in 2021. The modifications made, if nothing else, should serve to place businesses on alert as to which provisions of the CCPA will likely be an enforcement target: an organization’s failure to honor the consumer’s rights to know, delete, and correct personal information.
- It is no longer just the CCPA and the GDPR to worry about. Two acronyms have dominated the privacy compliance and enforcement lexicon for the last few years: the CCPA and the GDPR. Other countries have caught up in the last year, including:
  - Brazil: The LGPD (more detail here), like the GDPR, is now Latin America’s privacy hurdle to overcome.
  - Jamaica: A growing jurisdiction and home for global business, Jamaica passed its own version of the GDPR in 2020, which will take effect in January 2022.
  - Canada: With a new Digital Charter and proposed changes to PIPEDA, businesses should expect updated privacy obligations soon.
- The FTC starts to flex its muscle. The Federal Trade Commission (FTC) has started to use its powers to seek information from companies regarding their data collection practices, requesting information related to use, tracking, ad targeting, use of algorithms and data analytics, user engagement evaluation measures, and impact of their data practices on teens and children. Although the initial requests for information were sent to nine major social media companies, this likely will not be the end of such inquiries in 2021. With a new administration taking charge, FTC enforcement is likely to be a major story in 2021.
Finally, there is always the question whether this will be “the year” for a federal omnibus privacy bill to gain real traction. COVID-19 will keep legislators focused on privacy issues related to health and similar data, and many legislators will also look to emulate the CCPA at the federal level. Meanwhile, many state legislatures are poised to consider new privacy statutes modeled on the CCPA and the GDPR.
With so much to consider when it comes to privacy issues, companies would be well served to begin 2021 by focusing on the following:
- Revisit your privacy compliance efforts and leverage that work, whether it was complying with the GDPR, the CCPA, or other regimes. That work may need to be updated, such as for the CCPA’s annual requirement to update a company’s public disclosures. This work can serve as the baseline for complying with the other statutes and regulations listed above.
- Conduct a privacy impact assessment. In the rush to comply with the GDPR and the CCPA, many companies overlooked undertaking a truly comprehensive process to map data across their organization and systems. While conducting such an assessment is a requirement of some existing regulations, it is also a requirement of regulations that are going into effect in the next two years, and will likely appear in other new domestic and global regulations that are adopted.
- Adopt or update your data breach response plan. 2020 saw an uptick in data incidents and breaches, with some major data breaches impacting companies globally. Given the current landscape, your business will want to ensure it is prepared both for a data breach of its own systems and for a data breach at a third party or service provider that compromises the personal information of your business or of individuals that your business may serve.
- Keep up to date with enforcement trends. Data protection authorities in the European Union are actively enforcing the GDPR. The FTC’s recent inquiries are likely indicative of more enforcement to come. Various state attorney general’s offices are investigating privacy and security matters involving businesses. Ensure that you are working with legal counsel to understand how these trends, and accompanying investigations and enforcement actions, may impact your business.