
Keeping Up with Privacy Legislation: Easier Said than Done

The privacy landscape has shifted dramatically over the past 12 months. From new hurdles such as international data transfers to more than 20 new laws covering COVID-19 regulatory requirements and living adjustments, privacy practitioners face a range of unprecedented challenges. Legislation was introduced in 2020 to address the collection and use of biometric or facial recognition data by commercial entities. The outbreak of COVID-19 also led to the creation of new laws regulating the protection of employee privacy. While the CCPA is one of the best known, in 2020 other states also adopted their own privacy laws and requirements for businesses to implement and maintain reasonable security measures.

The following highlights significant data privacy developments:

Virginia. The passage of the Virginia Consumer Data Protection Act (CDPA) earlier this year will offer a range of new rights to the residents of the Old Dominion. Like the California Consumer Privacy Act (CCPA), the CDPA includes a clear threshold: businesses are covered as long as they process the personal data of 100,000 Virginia residents on an annual basis, or of 25,000 Virginia residents if over fifty percent of their gross revenue is derived from the sale of personal data. The CDPA will apply as of 1 January 2023.

New York. A proposed amendment to New York’s Civil Rights Law would create criminal liability for certain privacy violations, and the proposed It’s Your Data Act would create CCPA-like consumer privacy rights but with a broader private right of action. The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended New York’s breach notification law and required covered businesses to implement and maintain reasonable security measures, went into effect in March 2020.

Texas and beyond. The Texas Privacy Protection Advisory Council issued a report in September 2020, which described recent state legislative activities and various privacy and compliance challenges.

Several bills concerning the protection of biometric information are pending in the Massachusetts legislature, and comprehensive privacy bills were introduced in a number of states, including New Hampshire. Although the Washington Privacy Act failed in 2019 and 2020, a new version of the bill likely will be introduced in 2021. Connecticut’s Insurance Data Security Law went into effect on October 1, 2020. The Connecticut Insurance Department issued guidance for compliance with the law in July 2020.

With the enforcement of 2020’s privacy regulations, and more laws likely to emerge, it’s more important than ever for organizations to think seriously about instituting holistic approaches to data privacy. As part of this, privacy professionals need to consider whether their current practices and solutions are equipped to mitigate risk for the challenges to come. This holistic approach, which many forward-looking organizations have instituted, results in greater accountability for data privacy. Technology has become a lifeline that enables privacy pros to accomplish daily activities, and it has completely changed the way we manage privacy both personally and professionally. Enterprises need solutions that can continuously scan a company’s details against laws and regulations as they emerge around the world. These solutions should make privacy management more intuitive by providing contextual insights and definitive actions to address any change in regulations.