The most important data protection and privacy events from 2020 and their impact on the US over the long term were discussed during the webinar Data Protection and Privacy: Year in Review & 2021 Outlook.
The first area highlighted was the passing of the California Privacy Rights Act (CPRA) 2020 into law last month, amending the California Consumer Privacy Act (CCPA) of 2018. Scott Giordano, VP and senior counsel, privacy and compliance at Spirion noted: “This is essentially a national standard; it’s changed the California constitution,” bestowing “new rights for consumers and new responsibilities for businesses.” He explained that the law has been heavily influenced by the European General Data Protection Regulation (GDPR) legislation, with changes including allowing consumers to direct businesses not to use or disclose their SPI, and introducing the concept of non-personalized advertising, defined as advertising and marketing not based on a consumers’ past behavior.
It will also see the creation of a new government agency to enforce the law, which is a first for the US. “That says privacy and data protection are here to stay,” commented K Royal, associate general counsel at TrustArc.
Applying to data collected on or after January 2022, the new law will have a particularly major impact on giant tech firms such as Facebook and Google, according to Giordano. “It’s a big change and I don’t think anyone appreciates just how big it’s going to be until enforcement starts,” he added.
The other huge event this year was the Schrems II court decision in July concerning data transfers. This has invalidated the US-EU Privacy Shield, therefore causing a lot of issues for US businesses operating in Europe, especially as the ruling took effect immediately. While standard contractual clauses as a mechanism for transfers remain valid, this must be done on a case-by-case basis, with organizations assessing whether the laws of the country data is being transferred to will impact an individual’s right to privacy through government surveillance.
Royal explained that this is an ongoing situation, and the EU recently released recommendations for businesses including the criteria that a third country’s data privacy legislation needs to meet in order to justify surveillance; however, this is an area laws in the US do not currently reach according to these standards.
Giordano noted: “There’s a lot to be done to get on board with what the EU is asking for.”
In light of these two profound changes in 2020 as well as the growth of data privacy legislation worldwide, organizations will need to do plenty to prepare to meet the new global landscape over the next three to five years. Giordano set out six action areas to be implemented during this timeframe: implementing a comprehensive framework to build consistency, having data inventory, introducing training on standards for teams, understanding individual rights, vendor management and oversight, and notice/transparency.
Royal added: “The key to moving forward in the next three to five years is to make sure that you are prepared with the general privacy practices that are pretty consistent across all privacy laws.”