The demands of data privacy and security have been changing quickly for the past several years, and 2020 was no exception. Even with a global pandemic, legislation related to data marched ahead. Consumer privacy was the leading issue, with more bills introduced in 2020 than in 2019. Companies need to work harder than ever to stay informed and keep their websites compliant.
Despite a proliferation of new data privacy bills introduced in 2020, few were enacted since legislatures were focused primarily on the COVID-19 pandemic. This could mean that 2021 brings renewed attention to pending legislation. Learn what is being discussed currently and what the future may hold for privacy and security in 2021 and beyond.
New data privacy legislation related to the COVID-19 pandemic
An issue directly tying the pandemic to data privacy was contact tracing and the collection of health data. In May and June of 2020, three different pieces of legislation were introduced in the Senate.
1. Consumer Data Protection Act
Senate bill 3663 sought to require consent before covered entities could collect, process, or transfer an individual’s personally identifiable information for the purpose of COVID-19 contact tracing. It also would require a mechanism for individuals to revoke affirmative consent at a later time.
2. Public Health Emergency Privacy Act
Similarly, Senate bill 3749 sought to specifically protect health data collected during an emergency, including COVID-19 test results as well as other physical or mental health information, or the individual’s location at the time of the emergency.
3. Exposure Notification Privacy Act
The bipartisan Senate bill 3861 addressed contact tracing apps specifically. It would require companies that operate “automated exposure notification services” to have strict privacy safeguards in place.
Although the urgency behind these bills has waned in light of the authorization of COVID-19 vaccines, the concerns they raised about privacy related to the pandemic may set a precedent for data collection and impact future privacy laws.
New technology spawns new privacy concerns
As always, the encroachment of new forms of technology continues to necessitate new privacy and security measures. As an example, legislation was introduced in 2020 to address the collection and use of biometric or facial recognition data by commercial entities. A handful of cities in California, Massachusetts, New Hampshire, and Oregon have enacted some form of legislation banning the use of facial recognition technology.
In early 2020, Brookings put out a brief on how artificial intelligence will exponentially increase the proliferation of information about people’s lives. The authors predict:
“Streams of data from mobile phones and other online devices expand the volume, variety, and velocity of information about every facet of our lives and puts privacy into the spotlight as a global public policy issue.”
They go on to call the current model of consumer “notice-and-choice” meaningless in an increasingly algorithm-driven world. What will replace that model is likely to become a prominent topic through the 2020s.
CPRA builds on the CCPA
The California Consumer Privacy Act of 2018 (CCPA) took effect January 1, 2020, with a grace period that extended to June 30. Recall that the law applies to any company that collects or uses personal information, not just those operating in California.
Also in 2020, California voters passed Proposition 24, the California Privacy Rights and Enforcement Act (CPRA). CPRA builds upon the CCPA, strengthening consumers’ privacy rights. It allows consumers to direct businesses not to use or disclose their sensitive personal information (SPI). It also defines non-personalized advertising, meaning advertising not based on a consumer’s past behavior. It calls for the creation of a first-of-its-kind government agency to enforce the law.
CPRA applies to personal information collected after January 1, 2022, and comes in force on January 1, 2023.
Schrems II court decision in Europe
The court decision known as Schrems II put the spotlight on data transfer between the US and the European Union. The decision in Data Protection Commission v. Facebook Ireland and Schrems invalidated the US-EU Privacy Shield. Approved in 2017, the Privacy Shield provided companies with a list of principles governing their compliance with data protection requirements when transferring personal data from the EU (and Switzerland) to the US. Without this framework, companies may be unable to transfer data across the Atlantic if they cannot ensure that it is protected from public authorities.
Global trend toward increased privacy
California and the European Union have each started a ripple effect across other states and jurisdictions. Hawaii, Massachusetts, New Jersey, Pennsylvania, Rhode Island, Puerto Rico and Washington have all proposed privacy bills.
The European Union set a new standard with the GDPR, recognizing privacy as a fundamental human right. As such, other countries are following its example. New privacy regulations have emerged in Brazil, South Africa, India, and Singapore, to name a few. More than 100 countries have implemented some form of data privacy and protection laws, ranging from the strictest in China to the most relaxed in Trinidad and Tobago.
Fines for violations
Since GDPR took effect, well over a billion US dollars have been levied against companies in fines and penalties. While some companies may have hoped for a reprieve during the pandemic, they did not get it. The hardest hit was Equifax, which paid another $45 million on top of the $575 million it paid as a result of its 2017 security breach.
As an example at the state level, the New York Attorney General’s office has levied fines of more than $600 million related to data breaches. Hanna Andersson, a children’s clothing retailer, had to pay $400,000 to settle a CCPA lawsuit over a 2019 data breach.
These examples demonstrate that companies need to invest heavily in protecting their customers’ data or prepare to pay large penalties going forward.
Fielding consumer requests
One area where companies have found they need additional resources is in their ability to field customer requests related to privacy rights.
The CCPA gives consumers the right to:
- correct their personal data
- opt out of proximate geolocation tracking
- browse without pop-ups
More than one-third of businesses say they will fulfill these requests from anyone, not just California residents. They will need adequate personnel and technology to do so.
Data privacy and security in 2021
Regardless of their location, companies have their work cut out for them to prepare to meet new privacy and security demands in 2021 and the ensuing years.
One way to stay on top of compliance requirements is with Spirion Data Privacy Manager, which accurately discovers structured and unstructured sensitive data in real time, enabling companies to comply with privacy and security demands. In addition to CCPA, GDPR, and other regulations listed here, Spirion data discovery, classification, and protection capabilities also help organizations meet:
- Gramm-Leach-Bliley Act (GLB Act or GLBA)
- Family Educational Rights and Privacy Act (FERPA)
- Defense Federal Acquisition Regulation Supplement 7012 (DFARS)
- New York State Department of Financial Services Part 500 (NYDFS)
- NAIC Insurance Data Security Model Law
- Privacy Act of 1974
- State Data Protection Laws
To see how Data Privacy Manager can work for you, contact Spirion today to schedule a demo with one of our security experts.