Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

Keypoint: Virginia moves closer to enacting consumer privacy legislation.

On January 29, 2021, the Virginia House of Delegates passed HB2307, the Virginia Consumer Data Protection Act (Act) in an 89 to 9 vote. The Act now sits with the Senate Committee on General Laws and Technology. A companion bill, SB 1392, already passed the Senate Committee on General Laws and Technology on January 27, 2021.

According to the Virginia General Assembly Session Calendar, Friday, February 5 is the deadline for each house to complete work on its own legislation, except for the budget bill. The Assembly will adjourn on February 11.

Below is a brief overview of the Act. In addition, on February 17, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register, click here.

Many thanks to Amy Miller, Senior Reporter, Privacy and Data Security at MLEX Market Insight for alerting us to this development.

Keypoint: While the Washington Privacy Act appears poised to pass the Senate, a competing bill introduced in the House of Representatives would require opt-in consent for processing, create an Illinois-like biometric information privacy structure, and allow for a private right of action.

On January 28, 2021, Washington state Representative Shelley Kloba filed HB 1433, entitled the People’s Privacy Act (WPPA). According to the Washington legislative website, the WPPA will be formally introduced on February 1, 2020.

The WPPA, which is supported by the Washington ACLU, is a competing bill to the Washington Privacy Act (WPA) introduced by Senator Carlyle in the Washington Senate. Although the WPPA and WPA are intended to address the same issue (consumer privacy) they come about it in very different ways.

The introduction of the WPPA certainly draws into question whether Washington lawmakers will be able to reach a compromise and finally pass consumer privacy legislation this year. At a minimum, it signals that the same obstacles that have prevented a bill from passing in the 2019 and 2020 are still present.

Below is a brief overview of the WPPA. For a summary of the WPA, see our article here. In addition, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country, including the WPA and WPPA. To register, click here.

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

Keypoint: The European Commission will consider the joint opinion and public comments and decide whether to modify the draft standard contractual clauses.

On January 15, 2021, the European Data Protection Board (EDBP) and European Data Protection Supervisor (EDPS) issued joint opinions on the European Commission’s two draft standard contractual clauses (SCCs) issued in November 2020. The first draft SCCs concern the transfer of personal data to third countries. The second draft SCCs concern the transfer of personal data between controllers and processors in the EEA. Both SCCs were open for public comment until December 10, 2020.

The below post will focus on the joint opinion on the draft SCCs concerning international data transfers (hereinafter “Cross-Border Transfer SCCs”).

Keypoint: Five states are now considering online privacy legislation.

Virginia and Oklahoma join Washington, New York and Minnesota as states where lawmakers have proposed online privacy legislation this year. It is expected that lawmakers in other states will propose similar legislation in the coming weeks. As discussed in our prior posts, the fact the legislation has been proposed is not indicative of whether it has any chance of becoming law. Since lawmakers passed the California Consumer Privacy Act (CCPA) in 2018 numerous states have considered similar bills, but none of them has become law. That said, presumably one day another state (or more) will join California in passing such legislation.

Below is a brief summary of the two bills. To the extent that the bills appear poised for advancement we will provide a more detailed analysis.

In addition, on February 17, 2021, members of Husch Blackwell’s privacy and data security practice group will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register click here.

Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once-again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.

Keypoint: The Washington Privacy Act is back.

The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing in the Senate Committee on Environment, Energy & Technology on January 14, 2021, which committee is chaired by Senator Carlyle.

In the past two years, versions of the WPA passed the Washington Senate without issue. However, in 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill but the two chambers were unable to reach a compromise. Ultimately, both years, the WPA failed because the two chambers could not reach a compromise on the bill’s enforcement provisions.

The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions such as effective dates.

The below discussion focuses on Parts 1 and 4.

Keypoint: The UK/EU Brexit agreement provides for the continuation of UK/EU cross-border data transfers for the next four to six months, allowing the European Commission more time to consider issuing an adequacy decision.

On December 24, 2020, the United Kingdom and the European Union announced a number of agreements concerning the United Kingdom’s exit from the European Union (Brexit).

Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective today, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative:

Keypoint: The California Attorney General’s office again introduces an opt-out button.

On December 10, 2020, the California Attorney General’s office published a fourth set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The deadline to submit comments to the proposed modifications is Monday, December 28, 2020.

The latest set of proposed modifications are revisions to the office’s third set of proposed modifications, published on October 12, 2020. The deadline to submit comments to the third set of modifications passed on October 28, 2020. For a discussion on the third set of modifications, see our prior blog post available here.