Photo of Erik Dullea

Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Follow:Read more about Erik DulleaErik's Linkedin Profile

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, (iii)implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

Key Point: California AG Becerra’s investigation into security flaws in the Glow fertility app results in a settlement agreement that resembles recent enforcement agreements in New York but is also unique in requiring the app’s developer to consider gender-specific concerns within its privacy-by-design principles.

“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” according to California’s Attorney General Becerra. The consequences of not having the appropriate data protections? It means “a digital disclosure of your private medical records is instantaneously and eternally available to the world” per Becerra.

For these reasons, especially in the new era of telemedicine, developers of medical applications (health app) understand that consumers’ privacy and security must be protected. “Excuses are not an option,” Becerra warns. California’s settlement agreement with Upward Labs Holdings, Inc. (Upward Labs) and its subsidiary Glow, Inc. (Glow), is an example that Becerra’s warning should not be ignored.

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).

Keypoint: Individuals and businesses should take steps to prevent against becoming victims of the rapid rise in Coronavirus-related hacking scams.

On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.

Keypoint: With just two days to go before the close of the Washington legislature, a conference committee will try to resolve conflicts between the House and Senate versions of the WPA.

As we previously reported, on Friday, March 6, the Washington House passed an amended version of the Washington Privacy Act (WPA) that included a private right of action. The bill then moved back to the Senate where, on Monday, March 9, the Senate refused to concur in the amendments and asked the House to recede from them. Predictably, the House refused.

However, the House requested that the Senate agree to a conference committee, which request the Senate quickly granted. The House and Senate thereafter appointed three members each to participate in the conference committee.

As it did last year, the Washington state senate has overwhelmingly passed comprehensive consumer privacy legislation. The legislation, entitled the Washington Privacy Act (WPA), passed the state senate on February 14, 2020, by a vote of 46-1. The legislation will now move to the state house of representatives where it failed last year. A copy

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: Maryland lawmakers have introduced a bill that would allow Maryland residents to opt-out of certain types of personal information transfers but that would stop far short of creating CCPA-like rights for Maryland residents.

On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt-out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.

Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.

Below is our analysis of the Maryland legislation (as introduced).

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.

2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.

But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.

Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.