Looking Back at Data Privacy Developments in 2021: Part One – the U.S.
With the start of a new year, it is the perfect time to reflect on major legal movement with consumer privacy last year both in the U.S. and abroad. Data privacy is a hot issue that will continue to trend as more countries shape their privacy landscapes, established regulatory bodies issue fines, and seminal case law unfolds. 2021 was a pivotal year in this space with new or proposed legislation in several states, large General Data Protection Regulation (GDPR) fines, instructive case law, and important cross-border activities. Below are some major U.S. data privacy developments to ponder while preparing for what is to come in 2022. Part two of this blog series will be released next week and will round up last year’s major international privacy updates.
Lack of Federal Legislation
In 2021, there was still no significant movement towards creating a comprehensive U.S. federal consumer privacy law. The recent wave of state legislation, more global laws with extraterritorial effect, and continued reliance on digital platforms that collect personal data may accelerate the creation of a new federal privacy framework. However, the struggle between lawmakers and lobbyists coupled with the historically slow legislative process could keep delaying meaningful federal activity in this space. For now, the federal government continues to regulate data privacy in a piecemeal fashion through already established legal frameworks like healthcare and credit reporting laws or Federal Trade Commission enforcement.
New State Legislation
There was a flurry of privacy-related activity in the states last year. Virginia and Colorado joined the ranks of California and passed comprehensive data privacy legislation. Virginia’s law becomes effective in January 2023 and Colorado’s in July 2023, so organizations should use this year to review the laws and update compliance plans. Other states enacted laws touching on specific areas of privacy, like Nevada allowing consumers to opt out of information sales to data brokers or Utah providing organizations with a limited safe harbor for data breach notification. Legislators also introduced privacy bills in 21 additional states that offered varying degrees of consumer protection. While several did not make it, bills in Massachusetts, Minnesota, New York, North Carolina, Ohio, and Pennsylvania remain on the table this year and are in committee.
The three active consumer privacy laws grant similar protections such as the right to access, correct, or delete data; opt-out of sales; and portability. These states also require organizations to provide notice to consumers regarding collection of their personal data. Even with many similarities, there are some unique differences that will affect compliance approaches. Here are some big ones to note:
Enforcement: California is the only state that currently allows for a private right of action. The state also gives the Attorney General (AG) and newly formed privacy agency enforcement powers. Virginia only delegates enforcement to the AG and Colorado allows the AG and District Attorneys to seek penalties for privacy violations. California’s private right of action is limited to instances where data breaches occur, so it will be interesting to see if any future state laws expand on this right.
Grace Period: The laws also grant organizations the right to cure violations before the appropriate enforcer can seek penalties via an enforcement action – 30 days for Virginia and 60 days for Colorado. While the California Consumer Privacy Act (CCPA) also grants a 30-day cure period for enforcement actions and civil suits, when the stricter California Privacy Rights Act (CPRA) becomes effective in 2023 this allowance will only remain when a consumer initiates a private right of action. After that, when the AG or California privacy agency finds noncompliance, they can immediately start up an enforcement action.
Data Protection Assessments and Sensitive Data: Like the GDPR, both Colorado and Virginia require that controllers perform data protection assessments for high-risk processing. California does not share in this requirement. Colorado and Virginia also directly track some key GDPR language, like the definition of sensitive data. Both states also grant an opt-in right for consumers regarding processing sensitive data, while California does not.
Treatment of Employment-Related Information: The CCPA broadly defines consumers and will specifically apply in employment situations when the even stricter CPRA becomes effective in 2023. Conversely, Virginia and Colorado exclude employment data from regulation.
Although this list highlights the critical differences between these three laws, it is not exhaustive and organizations should consult with their counsel and provider partners to ensure policies and procedures align with compliance initiatives. Remember that these laws can apply outside of state borders if an organization does business there.
California Enforcement Activities
In 2021, CCPA enforcement gained some speed. Last July, the AG released a report detailing the office’s non-compliance notices. Violations included insufficient privacy policies, untimely responses to CCPA requests, and much more. Most of the organizations remedied within the 30-day cure period and avoided enforcement actions, but about 25 percent remained under investigation or were still within the right to cure deadline at the time of the report. There have not yet been any fines. With the recent creation of the California Privacy Protection Agency and the stricter CPRA that removes the cure period becoming effective next year, even more vigorous enforcement and fines are likely on the horizon.
In 2021, there were also a handful of civil suits resulting from data breaches or that cited CCPA protections. While there have been no pivotal rulings yet, affected organizations and the legal community should continue to watch if any cases result in significant penalties. However, this will probably not gain much traction until after the CPRA becomes effective in 2023 and stronger protections unfold.
It is a confusing time for organizations that process U.S. consumer data, as privacy-related obligations can change quickly as more states pass laws. Overall, the active state laws and bills proposed during 2021 lack uniformity in several key areas such as the definition of consumer or personal data, the ability to initiate a private right of action, consumer rights, and various obligations for organizations. This will inevitably spark confusion and legal battles down the road for organizations operating in multiple jurisdictions. For now, one solution is to model compliance plans around the strictest state privacy rules that apply and incorporate flexibility for situations implicating unique responsibilities if and until a federal standard emerges. Organizations already subject to the GDPR will have a good foundation to work with when navigating U.S.-related obligations but will need to make sure unique provisions are upheld pursuant to the individual state law.
For more information about U.S. privacy law consider reading U.S. Data Privacy Roundup – What is on the Horizon?
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.