The privacy law landscape is constantly changing, and keeping up with the laws of all 50 U.S. states, plus any applicable international laws, can feel like a daunting task for businesses. 2020 has been a banner year for change on many fronts. COVID-19 and the 2020 elections have caused profound changes this year, but for those affected by changing privacy laws, it has been a remarkable year of change as well.
For example, the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020; the final regulations under CCPA were approved by the California Office of Administrative Law in August 2020; and shortly thereafter, the November elections brought additional change with the passage of the California Privacy Rights Act (CPRA). CPRA does not go into effect until January 1, 2023. However, it has a one-year lookback, meaning it applies to personal information collected on or after January 1, 2022, so companies will need to be largely in compliance by that date. Additionally, anyone who has implemented CCPA or GDPR will attest to how quickly two years can fly by when attempting to understand the multitude of changes imposed by a comprehensive privacy law like CPRA. The combination of new requirements and the broad scope of CPRA will need to be understood and built into privacy policies and procedures going forward to ensure compliance by January 1, 2023.
However, the CCPA/CPRA changes are only one example of this year's consumer data privacy legislation. According to the National Conference of State Legislatures, bills relating to consumer data privacy were considered in 2020 in at least 30 states and in Puerto Rico (see NCSL 2020 Consumer Data Privacy Legislation). Though most of these bills were not passed, the fact that they were considered at all indicates the level of interest in protecting consumer data and seems to foreshadow an increase in privacy regulation in the future.
From an international perspective, 2020 also brought the invalidation of the EU-U.S. Privacy Shield framework by the Schrems II judgment, which forced many businesses to rethink their approach to transfers of personal data between the European Union or United Kingdom and the U.S. (see Schrems II, Part 2 – Additional Guidance for the Transfer of Personal Data Between the EU and U.S.). Schrems II did not invalidate the use of Standard Contractual Clauses (SCCs) for data transfers, but it did call into question whether SCCs alone are adequate to address the risks associated with transfers to a non-EU country. The data exporter must assess those risks and, where necessary, apply supplementary measures in addition to the SCCs to protect the personal data being transferred. Supplementary measures can include encryption, anonymization, and pseudonymization, as well as other technical, contractual, and organizational tools. In practice, Schrems II requires businesses to analyze the protections currently in place for data transfers between the EU or the UK and the U.S. to ensure compliance.
Staying aware of these changes and implementing privacy policies and practices that protect your business are key during these changing times. Continue to rely on Bradley to keep you up to date on privacy rights and obligations.