On February 19, 2012, the Virginia House of Delegates voted overwhelmingly to pass the Virginia Consumer Data Protection Act (CDPA). The Senate previously voted in favor of passing the legislation. The General Assembly had been considering the CDPA in a special session after both chambers passed companion bills during the regular session. The Senate and

Let’s face it, tracking all of the proposed CCPA-like state privacy legislation has been nearly impossible. At last count, bills have been proposed in sixteen states, including Virginia, New York, Washington, Oklahoma, Arizona, Florida, Utah, Maryland, and Minnesota.

That’s why we created our new 2021 State Privacy Law Tracker.

The tracker identifies the states

creditcards1iStock_000036595886_Large

Keypoint: April 12, 2021 is the deadline to comment on a proposed rule that would require banking organizations and bank service providers to promptly report computer-security incidents.

The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively the “agencies”) are requesting public comment on a proposed rule requiring banks to notify the applicable agency within 36 hours when the banks believe in good faith that a significant cybersecurity event has occurred. Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2399 (Jan. 12, 2021).

Keypoint: As leadership at the CFPB shifts, responses to the CFPB’s Notice of Proposed Rulemaking to implement Section 1033 of the Dodd Frank Act looms.

More than a decade ago, the Dodd Frank Act created the Consumer Financial Protection Bureau (CFPB) and gave it authority to promulgate rules implementing Section 1033 of the Act. Under Section 1033, upon request, a financial services provider “shall make available to a consumer information in its control or possession concerning the product or service that the consumer has obtained, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.”

Keypoint: Virginia moves closer to enacting consumer privacy legislation.

On January 29, 2021, the Virginia House of Delegates passed HB2307, the Virginia Consumer Data Protection Act (Act) in an 89 to 9 vote. The Act now sits with the Senate Committee on General Laws and Technology. A companion bill, SB 1392, already passed the Senate Committee on General Laws and Technology on January 27, 2021.

According to the Virginia General Assembly Session Calendar, Friday, February 5 is the deadline for each house to complete work on its own legislation, except for the budget bill. The Assembly will adjourn on February 11.

Below is a brief overview of the Act. In addition, on February 17, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register, click here.

Many thanks to Amy Miller, Senior Reporter, Privacy and Data Security at MLEX Market Insight for alerting us to this development.

Keypoint: While the Washington Privacy Act appears poised to pass the Senate, a competing bill introduced in the House of Representatives would require opt-in consent for processing, create an Illinois-like biometric information privacy structure, and allow for a private right of action.

On January 28, 2021, Washington state Representative Shelley Kloba filed HB 1433, entitled the People’s Privacy Act (WPPA). According to the Washington legislative website, the WPPA will be formally introduced on February 1, 2020.

The WPPA, which is supported by the Washington ACLU, is a competing bill to the Washington Privacy Act (WPA) introduced by Senator Carlyle in the Washington Senate. Although the WPPA and WPA are intended to address the same issue (consumer privacy) they come about it in very different ways.

The introduction of the WPPA certainly draws into question whether Washington lawmakers will be able to reach a compromise and finally pass consumer privacy legislation this year. At a minimum, it signals that the same obstacles that have prevented a bill from passing in the 2019 and 2020 are still present.

Below is a brief overview of the WPPA. For a summary of the WPA, see our article here. In addition, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country, including the WPA and WPPA. To register, click here.

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

Keypoint: The European Commission will consider the joint opinion and public comments and decide whether to modify the draft standard contractual clauses.

On January 15, 2021, the European Data Protection Board (EDBP) and European Data Protection Supervisor (EDPS) issued joint opinions on the European Commission’s two draft standard contractual clauses (SCCs) issued in November 2020. The first draft SCCs concern the transfer of personal data to third countries. The second draft SCCs concern the transfer of personal data between controllers and processors in the EEA. Both SCCs were open for public comment until December 10, 2020.

The below post will focus on the joint opinion on the draft SCCs concerning international data transfers (hereinafter “Cross-Border Transfer SCCs”).

Keypoint: Five states are now considering online privacy legislation.

Virginia and Oklahoma join Washington, New York and Minnesota as states where lawmakers have proposed online privacy legislation this year. It is expected that lawmakers in other states will propose similar legislation in the coming weeks. As discussed in our prior posts, the fact the legislation has been proposed is not indicative of whether it has any chance of becoming law. Since lawmakers passed the California Consumer Privacy Act (CCPA) in 2018 numerous states have considered similar bills, but none of them has become law. That said, presumably one day another state (or more) will join California in passing such legislation.

Below is a brief summary of the two bills. To the extent that the bills appear poised for advancement we will provide a more detailed analysis.

In addition, on February 17, 2021, members of Husch Blackwell’s privacy and data security practice group will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register click here.