Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy
By Craig S. Horbus & Jarman J. Smith on February 3, 2021
The United States is on pace to make 2021 the most eventful year for consumer privacy law this country has ever seen. Many states have begun following California’s example by enacting privacy legislation of their own. Additionally, federal legislators are expected to begin prioritizing efforts to establish a federal standard for privacy throughout the country. Furthermore, federal agencies are likely to continue aggressive efforts to hold organizations accountable for inadequate data security and use.
California Privacy Law
Last year, the California Consumer Privacy Act (CCPA) went into effect on January 1. This was the first law in the nation to give consumers rights over their personal data, such as the right to discover what consumer information companies hold, the right to have personal data deleted, and the right to opt out of the sale of their information. Although many companies took substantial steps to become compliant with the CCPA in 2020, we can expect compliance efforts to continue in 2021 because the law is comprehensive, requiring organizations to dedicate time to implementing entirely new processes.
Aside from revamping policies and procedures to align with the enhanced notice, transparency, and consumer choice requirements of the CCPA, companies will also need to start preparing for additional consumer rights granted under the California Privacy Rights Act (CPRA), which will go into effect on January 1, 2023. Companies should try to leverage their existing CCPA compliance efforts to determine what additional work needs to be done to comply with the CPRA. Most notably, the CPRA will allow consumers to have more control over the use and disclosure of their sensitive personal information, and the law also creates a new agency dedicated to data privacy.
Anticipation of National Privacy Law Standard
As privacy regulations become more popular amongst states in the U.S. and countries abroad, pressure has been on Congress to enact federal legislation that creates a uniform consumer data privacy standard. Despite bipartisan support for such legislation, the law has been delayed over disputes regarding whether the federal standard for data privacy should preempt the more stringent state law protections already enacted and whether consumers should be allowed to bring private lawsuits regarding their personal information. Many predict that the Biden administration is likely to make consumer privacy a high priority, especially considering Vice President-elect Kamala Harris’ reputation for being an aggressive privacy enforcer while serving as the California attorney general. The federal government may also feel pressure from the business community at large, as many organizations seek a comprehensive federal U.S. data privacy law that would set uniform standards across all states, thus easing business concerns regarding the need to monitor and operationalize differing privacy standards in each state. However, as discussed above, lawmakers are still unsure as to whether a federal privacy law would preempt state privacy laws. It is not unimaginable for Congress to set a bare minimum privacy standard on the federal level while also allowing states to enact privacy laws that provide greater data rights for consumers. Nonetheless, efforts towards federal privacy regulation will most likely gain traction in 2021, especially considering the data collection issues that accompany the rollout of the COVID-19 vaccines.
Privacy Enforcement by Federal Regulators
The Federal Trade Commission (FTC) aggressively pursued privacy and data security issues in 2020, and we are likely to see those efforts continue throughout 2021. Last year alone, the FTC recorded a $5 billion settlement against Facebook for data use misconduct [1] and imposed a $136 million fine against YouTube for children’s privacy violations [2]. The FTC is likely to continue with this aggressive approach towards privacy and data security even with the current Republican Chairman Joe Simons likely to step down, as the agency’s leader traditionally does when a new party enters the White House. Democratic Commissioners have shown support for the continuance of an aggressive approach, as demonstrated through dissents in which commissioners have criticized their colleagues for not doing enough to punish companies or protect consumers concerning privacy and cybersecurity issues. FTC leadership has also pushed Congress to enhance the agency’s current limited ability to fine companies and engage in rulemaking. Such a proposal is likely to appear in any federal legislation that may pass through Congress regarding federal privacy law.
In addition to the FTC, other federal agencies such as the Federal Communications Commission (FCC) and the U.S. Securities and Exchange Commission are expected to pursue privacy and data security enforcement efforts in 2021. The FCC, in particular, may seek to reenact discarded regulations that required providers to get permission from consumers to use and share web browsing data and other sensitive information. Moreover, as cyberattacks targeting both private and public entities continue to escalate, regulators are expected to increase oversight of data security and breach response efforts. Regulators have taken notice of the rise in cybersecurity incidents in 2020; thus, we can expect to see increased scrutiny of companies’ cybersecurity programs moving forward in 2021.
How Brouse Can Help
Consumer privacy rights are rapidly expanding in the United States, and there is a clear trend toward the establishment of a uniform standard for cybersecurity on a federal level. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to navigate data security and privacy law compliance. Along with providing insight to your business regarding data compliance requirements, we also provide proactive solutions for companies to defend against cyberattacks and general guidance through the complexities of all data privacy laws and regulations. Our team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog.