Data Privacy and Cybersecurity in 2021

By Nicole Smith
Beckage

In the age of data proliferation, the privacy, cybersecurity, and protection of data have emerged as a major concern for legislatures, businesses, and consumers alike. As more and more high-profile data breaches and cyber incidents make headlines, data protection has become increasingly important.

Unfortunately, despite the rise in interest in privacy and cybersecurity, the laws governing privacy and cybersecurity are complex and lack uniformity. Many countries, states, and regulatory bodies have enacted data privacy laws to regulate how information is collected and, in some instances, to provide rights to users who give away their data. This has resulted in a fragmented legal landscape with overlapping and uneven data protection standards, and navigating the patchwork of these laws can be daunting. This article provides a basic overview of privacy and cybersecurity laws at the state and federal levels, and also examines recent developments and trends in this emerging area of law.

U.S. Data Privacy Laws

There is no comprehensive federal law governing data privacy and cybersecurity in the United States. Instead, Congress has enacted numerous sectoral laws regulating different industries and/or categories of information. These regulations include laws such as the Health Insurance Portability and Accountability Act (governing personal health information), the Gramm-Leach-Bliley Act (governing personal financial information), the Fair Credit Reporting Act (governing the collection and use of credit information), and the Children’s Online Privacy Protection Act (governing the collection of information about or from minors).

As a result of this sectoral approach, some industries and data are left unregulated by federal data privacy laws. To fill in the resulting gaps, the Federal Trade Commission (FTC) has used its broad authority under the FTC Act to restrict “unfair or deceptive acts or practices” and to develop de facto rules to protect consumer privacy. In this respect, the FTC ordinarily acts to enforce the privacy promises made by businesses in their own privacy policies, terms of use, or other policies, and to require that businesses that collect personal information have “reasonable security measures” in place.

State Data Privacy Laws

In addition to the array of federal data privacy laws, every state has a data breach law, some of which require reasonable security measures. In addition, many states have enacted or proposed data privacy laws dealing directly with consumer rights. These laws impose statutory frameworks for issues such as safeguarding data, privacy policies, and data breach notification requirements.

California’s Consumer Privacy Act and Consumer Right to Privacy Act

California’s Consumer Privacy Act (CCPA), the most comprehensive state data privacy law to date, significantly altered the privacy and cybersecurity landscape. The CCPA went into effect on January 1, 2020 and enforcement began on July 1, 2020. The CCPA not only introduced new rules related to how businesses can collect, process, and store data, but also set forth landmark privacy rights for California residents. 

The CCPA applies to any for-profit company that collects personal information of Californians and satisfies one of the following basic thresholds: (i) has over $25 million gross annual revenue; (ii) purchases, receives, or sells the personal data of 50,000 or more California residents, households, or devices; or (iii) earns 50% or more of its annual revenue from selling the personal information of California residents. Personal information is very broadly defined to cover almost any data a business collects on an individual, regardless of how it is collected. The law gives consumers the right to know, the right to opt out, and the right to delete any information collected about the consumer.

Under the CCPA, the California Attorney General has the authority to enforce any violation against a business, service provider or other individual. The CCPA also has a limited private right of action for damages in the event of a data breach resulting in the exfiltration of certain sensitive personal information arising from a business’s failure “to implement and maintain reasonable security procedures and practices.” Enforcement penalties and statutory damages can be substantial. Since the CCPA was enacted, many putative class action lawsuits have been filed under the private right of action, including some for violations that do not include a data breach. 

Recently, California voters voted by ballot initiative to adopt the Consumer Right to Privacy Act (CPRA), which supplements and amends the CCPA. The CPRA expands data breach liability and creates additional privacy rights and obligations relating to sensitive personal information. The CPRA also creates a new consumer right: the right to correct inaccurate personal information.

Notably, the CPRA also establishes a standalone privacy regulator, the California Privacy Protection Agency. This is the first U.S. government agency formed with the sole purpose of regulating consumer data privacy.

The CPRA is not set to go into effect until January 1, 2023, but it will have a “look-back” period to January 1, 2022. 

2021 Data Privacy and Cybersecurity Trends

Looking forward, below are some of the top trends in data privacy and cybersecurity to keep an eye on in 2021:

COVID-19 Privacy Challenges and Concerns

The COVID-19 pandemic continues to create unique data privacy and security concerns for businesses throughout the world. As businesses begin preparing to go back into the office, they will need new policies and procedures to ensure the confidential and secure collection, storage, and disclosure of medical data, including COVID-19 vaccine-related data. For businesses that choose to remain work-from-home through 2021, ongoing vigilance will be needed against phishing and the increased vulnerabilities created by a remote workforce.

Ransomware and Cyberattacks

As discussed above, the shift to remote work resulted in an uptick in data incidents last year, and threats will likely continue to increase. Bad actors are also using more aggressive methods, exfiltrating data rather than merely encrypting it. These attacks can cause significant business interruption and financial harm. Businesses should conduct risk assessments to identify vulnerabilities and implement preventative steps to mitigate risk.

Biometric Data

Numerous class actions were filed last year related to the collection of biometric data, which consists of body measurements and calculations related to human characteristics such as face and fingerprint recognition. As biometric technology becomes more common, companies should review their policies and procedures surrounding the collection, sharing, and storage of biometric data. Illinois recently expanded its Biometric Privacy Act, and several other states have proposed similar legislation. In addition, we have seen states amending their existing data protection statutes to address biometric information.

Conclusion

New developments in data privacy and cybersecurity law will without a doubt continue in the coming year; meanwhile, businesses and lawyers should continually assess cybersecurity risks and implement policies and procedures to protect data.

Anyone who is interested in this area of law can also join the SDCBA’s newly created Privacy and Cybersecurity Law Section, designed to increase awareness, discussion, and education around cybersecurity and privacy law issues.