2021 Data Privacy Overview: New Regulations and Guidance
While everyone hoped that 2021 would be less tumultuous than 2020, it certainly did not turn out that way in the end. The same was true in the world of data privacy – with sweeping new data protection regulations and guidance issued throughout the year that made significant ripples. Below is a summary of some of the most important data privacy changes that will impact companies operating in the United States, Europe, and China in 2022 and beyond.
US Regulation Changes
Virginia Consumer Data Protection Act (VCDPA)
What it Does: Similar to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) (jointly, the first GDPR-like data protection regulations passed within the US), the new Virginia regulation is a comprehensive data protection law that bestows certain rights and protections to Virginia residents regarding the use of their personal data, including:
- The right to opt out of having their data sold or used for targeted advertising, as well as the right to opt out of having their data used for “profiling” (i.e., using a person’s personal data to evaluate, analyze, or predict aspects of their economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).
- The right to request that companies provide information about the personal data they have collected from them, and have it corrected or deleted.
- The right to request a free copy of their personal data in a portable, readily usable format.
The law also requires companies to gain permission from citizens before collecting certain classes of highly sensitive personal data, including racial or ethnic origin, genetic data, and geolocation. The new law does not provide for a private right of action (i.e., it does not allow individuals to bring lawsuits against companies for data privacy rights violations). Instead, the law will be enforced by the state’s Attorney General.
Who it applies to: All Virginia residents have rights under the VCDPA. Any company or organization that conducts business in Virginia and meets either of the following two criteria must comply with its requirements:
- Controls or processes personal data of at least 100,000 consumers; or
- Derives over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
Note that there are broad exemptions for financial institutions, as well as organizations or businesses that are governed by HIPAA or HITECH. Other exemptions include non-profit organizations and higher education institutions.
When it takes effect: Jan. 1, 2023
When it was passed: March 2, 2021
Other notes: Tech industry trade groups and businesses heavily supported the VCDPA.
Colorado Privacy Act (CPA)
What it Does: Following in the footsteps of California and Virginia, Colorado was the third state to pass a comprehensive GDPR-like data privacy law. The new law conveys data privacy rights to Colorado residents that are nearly identical to the VCDPA, including:
- The right to opt out of the use of their personal data for sale or targeted advertising, as well as for the use in profiling decisions that would have legal or significant effects to the consumer (such as the use of personal data that may affect decisions regarding consumer lending, financial, housing, and insurance decisions).
- The right to request that companies provide information about the personal data they have collected from them, and request that it either be corrected or deleted.
- The right to obtain their personal data from a company in a free “portable” and readily usable format.
Similar to Virginia and California, the law also classifies “sensitive data” as a separate category of personal data that requires additional protection, including: personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or personal data from a known child under the age of 13. Note that Colorado’s definition of sensitive data does not include precise geolocation data, whereas Virginia and California’s data protection laws do.
Who it applies to:
All Colorado residents have rights under the CPA. Any company or organization that conducts business or produces commercial products or services that are intentionally targeted to Colorado residents and meet either of the following two criteria must comply with its requirements:
- Controls or processes personal data of at least 100,000 consumers in a calendar year; or
- Derives revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
The law specifically does not apply to state and local governments, state institutions of higher education, personal data governed by certain state and federal laws, and employment records.
When it takes effect: July 1, 2023
When it was passed: July 7, 2021
Other notes: Similar to the VCDPA and to the CCPA, the CPA does not create a private right of action. Enforcement is exclusively with the state’s Attorney General and District Attorneys. Additionally, the act specifically states that a violation of its requirements is a deceptive trade practice for purposes of enforcement.
Utah Cybersecurity Affirmative Defense Act
What it does: Utah’s Cybersecurity Affirmative Defense Act provides new affirmative defenses that businesses in Utah can use to defend themselves against lawsuits arising out of a data security breach. The law states that an organization can affirmatively defend itself against a data security breach lawsuit that alleges that the organization failed to implement reasonable information security controls, so long as that organization maintained and complied with a written cybersecurity program that meets certain requirements spelled out within the law.
The new law also allows an organization to defend itself against claims that it failed to appropriately respond to a cybersecurity breach, so long as its cybersecurity program had reasonable protocols in place for responding to breaches.
Additionally, an organization can defend itself against claims that it failed to appropriately notify individuals effected by a data breach if the organization’s cybersecurity program had reasonable protocols in place for notifying individuals about breaches and those protocols were followed after the breach.
In this way, the law provides an incentive for Utah businesses to implement updated cybersecurity programs to protect Utah residents’ personal data more effectively, by providing defenses to data breach lawsuits if such programs are implemented and followed.
Who it applies to: Any person (which the law defines as an individual and most business organizations) that creates, maintains, and reasonably complies with a written cybersecurity program that meets the requirements spelled out within the act, and is in place during the relevant cybersecurity breach.
When it takes effect: May 5, 2021
When it was passed: March 11, 2021
Other notes: The affirmative defenses are not available where the organization had advanced notice of a cybersecurity threat or risk. The law also states that it does not provide for a private right of action for failing to comply (thus private citizens may not sue organizations who don’t implement cybersecurity programs that meet the requirements spelled out within the law).
California Consumer Privacy Act Amendments
What it does: The amendments update the California Consumer Privacy Act (passed in 2018) to include three general changes relating to a consumer’s right to opt out of the selling of their personal information, and one change to authorized agent requests for information related to a consumer’s personal information.
The three changes relating to a consumer’s right to opt out of the selling of their information include the following:
- Any business that sells personal information that it collected offline must now inform consumers in an offline method of their right to opt out, including instructions on how to do so.
- Authorizes the use of a specific “opt-out” icon that can be used in addition to posting the notice of the right to opt out (but not in lieu of that notice).
- Mandates that a business’s method for consumer request submissions to opt out must be easy to execute, require minimal steps, and not designed in a way that purposefully or substantially subverts or impairs a consumer’s choice to opt out.
The change regarding authorized agent requests to a business on behalf of a consumer related to the consumer’s personal information includes the following:
When a consumer uses an authorized agent to submit a request for information about the personal data a company has collected from the consumer (or requests to change or delete that personal data), the responding business may now require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:
(1) Verify their own identity directly with the business.
(2) Directly confirm with the business that they provided the authorized agent permission to submit the request.
This is a change from the previous version of the law, which mandated that the consumer provide the authorized agent’s signed permission, in addition to the other two requirements listed above.
Who it applies to: All California residents have rights under the CCPA. Any for-profit business that does business in California and meets any of the following criteria must comply with the CCPA:
- Has a gross annual revenue of over $25 million.
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of their annual revenue from selling California residents’ personal information.
When it takes effect: March 15, 2021
When it was passed: March 15, 2021
New Standard Contractual Clauses (SCCs) Issued by the European Commission
What it Does: The SCCs are a contractual device used to help ensure that personal data transferred outside the EU is kept secure and complies with GDPR requirements, wherein the entity receiving the data contractually agrees to protect the transferred personal data according to stringent GDPR requirements. After the 2020 invalidation of the EU-US Privacy Shield, SCCs are now one of the only viable GDPR-compliant methods for entities within the US to receive personal data from entities in Europe.
The new SCCs take into account the decision-making behind the invalidation of the EU-US Privacy Shield. Whereas the old SCCs were rigid, the new SCCs provide a bit more flexibility. They are now “modular,” meaning entities can now choose from a selection of four different models, depending on the type of transaction: controller to controller; controller to processor; processor to sub-processor; and processor to controller. They also expand the rights given to data subjects, including the right to enforce SCC provisions against both the data exporter and data importer. Additionally, the SCCs mandate that data importers must agree to EU jurisdiction (including EU courts as well as compliance with applicable EU data protection laws). There is also a new optional clause (Clause 7) that allows new parties to be added to the SCCs, as well as new Annexes that must be customized for each transaction.
Who it applies to: A data importer located in a country without an EU adequacy decision (like the US) that is not itself subject to the GDPR should utilize the new SCCs to transfer personal data from the EU – unless exceptions apply (i.e., the parties are able to rely on an alternate transfer mechanism, etc.). However, Recital 7 of the new SCCs appears to state that when the data importer is itself subject to the GDPR (for example, because the company provides services or goods to individuals living in the EU), the new SCCs cannot be used. This language has left open questions around what transfer mechanism companies should use in that situation (see below for a summary of additional guidance issued by the European Data Protection Board surrounding this issue).
Additionally, due to Brexit, the new SCCs do not apply in the UK. The UK Information Commissioner’s Office (ICO) has launched a public consultation on drafting a new set of SCCs for use within the UK.
When it takes effect: The new SCCs became effective on June 27, 2021. Any new contracts and processing transactions taking place after September 27, 2021 must use the new SCCs. Any contracts entered into prior to September 27th, 2021 must be updated with the new SCCs by December 27, 2022.
When it was issued: June 4, 2021
New Guidance for Cross-Border Data Transfers Issued by the European Data Protection Board ("EDPB")
What it Does: The invalidation of EU-US Privacy Sheild in 2020, along with the new SCCs (above), has led to uncertainty around how to comply with the GPDR when transferring data between the EU and countries such as the US that do not have an adequacy decision (i.e., a decision by the European Commission that a country outside the EU offers adequate levels of data protection to safely protect EU personal data that is transferred there). In particular, language within the Recitals of the SCCs states that the new SCCs only apply to data transfers between a data exporter and a data importer who itself is not subject to GDPR. This language has left open questions around what type of transfer mechanism (if any) is needed for a transfer of data to an importer that is already subject to the GDPR.
New guidance issued by the EDPB provides some concrete answers to a few of these questions, as well as resolved some other long-standing murkiness about cross-border transfers (even if the guidance does not resolve all uncertainty).
For example, the guidance now definitively states that data transfers from an EU-based data exporter to a data importer based outside the EU is, in fact, a transfer within the meaning of Article 44 of the GDPR and therefore would require the importer to enter into an SCC (or possibly adopt Binding Corporate Rules). However, as noted above, if the importer is itself subject to the GDPR, Recital 7 of the new 2021 SCCs state that the new SCCs cannot be used, leaving open the question of what SCC should be used in that situation. Note that the minutes to the European Data Protection Board plenary meeting held in September of 2021 mention that the EU Commission will issue a new set of SCC to govern this type of data transfer.
The guidance also settled some long-standing questions around other types of transactions that are not considered transfers of data under Article 44 of the GDPR. For example, the new guidance affirmatively states that “direct collections” of personal data from individuals located within the EU does not constitute a transfer of data (because when the information is collected directly, there is no transfer between controller and processor). It also clarified that “intra-company” data transfers are not considered a transfer of data under Article 44 because a transfer requires two parties. However, note that while these transactions are not considered “transfers” under Article 44, all other applicable GDPR protections still apply and must be followed.
Who it applies to: The guidance will be particularly useful for any non-EU organization that needs to transfer or collect data from within the EU.
When it takes effect: November 19, 2021
When it was issued: November 19, 2021
Other New Regulations
China’s Personal Information Protection Law (PIPL)
What it does: China’s new Personal Information Protection Law is a GDPR-like comprehensive data protection law aimed at protecting the personal information of “natural persons” located within China. It governs how companies collect, process, and transfer personal data of people within China and like the GDPR, is exterritorial in its reach – meaning it applies to companies outside of China that handle the personal data of someone located in China. Also like the GDPR, it allows individuals in China to request access to their personal data that a company has collected and ask for it to be corrected or deleted. And like the GDPR, the regulation includes the risk of large fines against companies that fail to comply with its mandates – including up to five percent of a company’s annual revenue. However, unlike the GDPR, failure to comply also includes the risk of being “blacklisted” by the Chinese government, as well as possible criminal penalties.
Multinational organizations with Chinese employees should also be aware that the law contains specific regulations regarding transferring the personal information of Chinese employees across the country’s borders. This means that companies cannot transfer internal employee information (including typical information routinely handled by a company’s HR department) outside of China’s borders without the consent of the employee and meeting other specifications spelled out within the law.
Who it applies to: The PIPL protects the personal data of people located in China. It applies to companies operating in China, as well as organizations outside of China that process the personal data of people within China for any of the following reasons:
(1) To provide products or services to people in China;
(2) To analyze or assess the behavior of people in China; or
(3) Any other circumstances that falls under unspecified Chinese laws and regulations.
When it takes effect: November 1, 2021
When it was issued: August 20, 2021