The value of personal information is increasing as consumers and organizations become more aware of their data footprint. Regulations such as the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR) demand that this type of data be handled according to defined standards, and that organizations take responsibility for how they collect, use, and transmit the information of individuals. Nearly all organizations have some exposure to the CCPA and/or the GDPR, including those already covered by sector-specific privacy laws such as HIPAA, FERPA, and GLBA.
Even if an organization considers itself to be compliant, regulations are constantly evolving, requiring the adoption of new data privacy efforts. Maintaining compliance with the ever-changing requirements of global privacy regulation is challenging. Not only should your organization assess, develop, and monitor your privacy compliance program—you must also be ready to adapt as needed.
2020 has been a busy year in the realm of data privacy and protection regulations. We’ve seen new laws passed globally, as well as here in the United States. Organizations should continue to be mindful of the data they are collecting on customers and employees, and take steps to limit their risk of regulatory action from the Federal Trade Commission, state attorneys general, and foreign data protection authorities. Below, we’ll share a few highlights of the regulatory changes we’ve seen this year, and a glimpse of what’s to come.
Earlier this month, California voters approved the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act of 2018 (CCPA) to establish a new enforcement agency (the California Privacy Protection Agency), create a defined category of "sensitive personal information" with limits on its use and sharing, and expand breach liability. Most CPRA provisions become operative on January 1, 2023, with enforcement beginning July 1, 2023; however, the law applies to personal information collected on or after January 1, 2022, so that look-back means compliance work needs to be in place by the start of 2022. By shifting enforcement to a new, dedicated and better-funded agency and away from the California Attorney General, attorneys and privacy professionals alike anticipate an uptick in privacy-related fines and litigation coming out of California in the near term.
If your organization does business in California and meets any one of the CCPA thresholds (gross annual revenues exceeding $25M; buying, receiving, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices; or deriving 50% or more of annual revenue from selling personal information), you should already be compliant with the CCPA of 2018. The amendments introduced by the CPRA will also need to be addressed, but the CCPA is enforceable today.
Earlier this year, the United Kingdom formally left the European Union, a move that created great uncertainty in Europe about everything from trade agreements, to work visas, to data exchanged between organizations in the U.K. and the EU. Although the U.K. has carried the GDPR into domestic law (the "UK GDPR", alongside the Data Protection Act 2018), the two parties have not yet determined if and when the U.K.'s data protection regime will be deemed "adequate" by EU standards, which is what would allow personal data to keep flowing from the EU to the U.K. without additional safeguards.
The root of the EU's concern with transfers to the U.K. is similar to its concern with transfers to the U.S.: government surveillance programs, the same issue that led the Court of Justice of the EU to invalidate the EU-U.S. Privacy Shield in July 2020. As a result, multinational and U.S.-based organizations that exchange customer and employee data between U.S. and U.K. operations will potentially need to revise existing intra-group agreements and standard contractual clauses, and review the transfer mechanism and legal basis they rely on for that data. Additionally, any organization that does business in Europe but only has a representative in the U.K. will need to identify and empower a representative in an EU member state, such as Ireland. As the end of the transition period on December 31, 2020 quickly approaches, organizations should not delay in taking inventory of these processes and transfers and creating a "Brexit" plan for their data.
The United States has historically relied on sectoral legislation and regulation to manage privacy risk to individuals within particular industries such as healthcare, banking, and education. In recent years, however, Congress has explored a national law that would set a baseline for consumer privacy rights and data protection requirements across industries. The legislative texts put forth to date have not proposed preempting existing laws such as HIPAA, GLBA, and FERPA; rather, the new bills would build on those laws to allow consumers to request access to, correction of, or deletion of the personal data that organizations hold about them. The recently introduced bills resemble the CCPA and the EU's GDPR in scope and consumer protections; however, lawmakers continue to grapple over preemption of state laws and over a private right of action that would let consumers sue organizations that mishandle data or ignore privacy rights requests.
Apart from those two areas, the bills put forth in Congress are nearly identical. Lawmakers on both ends of the political spectrum seem to recognize the impact the CCPA and the GDPR have had on U.S. businesses and are seeking to balance consumer rights with a single national standard that businesses can adhere to, while creating protections that could support a European Commission adequacy decision for data transfers to the U.S.
Considering these changes in the political and legal landscape, here are a few ways your organization can assess exposure and begin forming a plan of action:
Concerns about personal information and compliance with existing or future regulations are multi-faceted. In addition to assessing, implementing, and monitoring data privacy processes, our data privacy team works closely with P&N professionals in key complementary areas—including cybersecurity, database management, and application development—to help strengthen our approach to data and technology. Contact us to begin a conversation about your organization’s data privacy concerns and obligations.