Keypoint: CCPA-like privacy bills continue to be introduced and work their way through state legislatures.

Those who attended our recent webinar or who subscribe to this blog know that we have been closely tracking proposed CCPA-like legislation in state legislatures across the country. We also launched a 2021 State Privacy Law Tracker to keep pace with the latest developments.

Yet, even with these efforts, there still are numerous developments occurring on a near daily basis. Therefore, we decided to wait until a weekend (when state legislatures are quiet) to provide a summary of where these bills stand. Of course, the contents provided below are time-sensitive and subject to change.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of March 1, 2021

On February 19, 2012, the Virginia House of Delegates voted overwhelmingly to pass the Virginia Consumer Data Protection Act (CDPA). The Senate previously voted in favor of passing the legislation. The General Assembly had been considering the CDPA in a special session after both chambers passed companion bills during the regular session. The Senate and House bills are available here and here, respectively.

Prior to passing, the CDPA was amended slightly to create a working group to “review the provisions of [the CDPA] and issues related to its implementation” and submit a report with its “findings, best practices, and recommendations” to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.

According to the General Assembly, the bill will now be printed as an enrolled bill, and examined and signed by the presiding officer of each house. It will then be sent to the Governor, who is expected to sign it.

Let’s face it, tracking all of the proposed CCPA-like state privacy legislation has been nearly impossible. At last count, bills have been proposed in sixteen states, including Virginia, New York, Washington, Oklahoma, Arizona, Florida, Utah, Maryland, and Minnesota.

That’s why we created our new 2021 State Privacy Law Tracker.

The tracker identifies the states that are considering bills and provides their status along with helpful links to the bills and our blog posts analyzing them.

Bookmark the page and use it as a resource. We will update it as more bills are filed (we just added Maryland). If you like it, share it on social media for others to find and use.

While we can’t predict what will happen this year, we can at least try to make the journey a little bit easier.

Keypoint: Virginia is on the verge of becoming the second state, after California, to enact consumer privacy legislation.

As we previously reported, the Virginia House of Delegates overwhelmingly passed HB2307, the Virginia Consumer Data Protection Act (Act). On February 3, 2021, the Virginia Senate unanimously passed a companion bill, SB 1392. The bills will need to be reconciled before the legislature closes on February 11, 2021. However, that appears to be a mere formality given that the bills are identical and the House bill is already working its way through the Senate.

For an overview of the Act, see our prior post available here. In addition, on February 17, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss the Act as well as all of the CCPA-like privacy bills proposed across the country. To register, click here.

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).

Continue Reading Financial Agencies Contemplate 36-hour Deadline for Cyber Disclosures

Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.

More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.” Continue Reading Chopra’s Views on Data Security Could Impact Implementation of Section 1033

Keypoint: Virginia moves closer to enacting consumer privacy legislation.

On January 29, 2021, the Virginia House of Delegates passed HB2307, the Virginia Consumer Data Protection Act (Act) in an 89 to 9 vote. The Act now sits with the Senate Committee on General Laws and Technology. A companion bill, SB 1392, already passed the Senate Committee on General Laws and Technology on January 27, 2021.

According to the Virginia General Assembly Session Calendar, Friday, February 5 is the deadline for each house to complete work on its own legislation, except for the budget bill. The Assembly will adjourn on February 11.

Below is a brief overview of the Act. In addition, on February 17, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register, click here.

Many thanks to Amy Miller, Senior Reporter, Privacy and Data Security at MLEX Market Insight for alerting us to this development.

Continue Reading Virginia House Passes Consumer Data Protection Act

Keypoint: While the Washington Privacy Act appears poised to pass the Senate, a competing bill introduced in the House of Representatives would require opt-in consent for processing, create an Illinois-like biometric information privacy structure, and allow for a private right of action.

On January 28, 2021, Washington state Representative Shelley Kloba filed HB 1433, entitled the People’s Privacy Act (WPPA). According to the Washington legislative website, the WPPA will be formally introduced on February 1, 2020.

The WPPA, which is supported by the Washington ACLU, is a competing bill to the Washington Privacy Act (WPA) introduced by Senator Carlyle in the Washington Senate. Although the WPPA and WPA are intended to address the same issue (consumer privacy) they come about it in very different ways.

The introduction of the WPPA certainly draws into question whether Washington lawmakers will be able to reach a compromise and finally pass consumer privacy legislation this year. At a minimum, it signals that the same obstacles that have prevented a bill from passing in the 2019 and 2020 are still present.

Below is a brief overview of the WPPA. For a summary of the WPA, see our article here. In addition, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country, including the WPA and WPPA. To register, click here.

Continue Reading People’s Privacy Act Introduced in Washington State House of Representatives

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law (2021)

With state legislatures reconvening for 2021, numerous states already have seen California Consumer Privacy Act-like privacy legislation proposed, including Washington, New York, Minnesota, Virginia, Connecticut, Mississippi, and Oklahoma. Other states are expected to follow. Will this be the year another state (or states) joins California and enacts consumer privacy legislation?

Join Husch Blackwell Partner David Stauss, CIPP/US/E, CIPT, FIP, PLS and International Association of Privacy Professionals Westin Research Fellow Sarah Rippy on February 17, 2021, for a webinar in which they will provide an overview of this rapidly-changing privacy law landscape.

Click here for more information and to register.