Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.

Keypoint: The Washington Privacy Act is back.

The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing on January 14, 2021, before the Senate Committee on Environment, Energy & Technology, which Senator Carlyle chairs.

In each of the past two years, a version of the WPA passed the Washington Senate without issue but died in the House. In 2019, the bill failed in the House outright. In 2020, the House passed an amended version, but the two chambers could not reconcile their versions. In both years, the sticking point was the bill's enforcement provisions.

The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions such as effective dates.

The below discussion focuses on Parts 1 and 4.

Keypoint: The UK/EU Brexit agreement provides for the continuation of UK/EU cross-border data transfers for the next four to six months, allowing the European Commission more time to consider issuing an adequacy decision.

On December 24, 2020, the United Kingdom and the European Union announced a number of agreements concerning the United Kingdom’s exit from the European Union (Brexit).

Keypoint: Supreme Court’s decision could require individuals to suffer an actual injury prior to participating in a class action.

On December 16, 2020, the Supreme Court of the United States agreed to review a case with potential major implications for data-breach class actions.

Trans Union v. Ramirez arises out of a class action about inaccurate credit reports. The class representative claimed that his credit report contained an error indicating that his name matched someone on the government’s list of persons with whom businesses in the United States are prohibited from transacting. Mr. Ramirez claimed this error caused him to be unable to obtain credit when purchasing a vehicle, caused him embarrassment in front of his family, and caused him to cancel a vacation to Mexico.

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR stated that the proposed rule “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interference with the access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.

Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective five days later, on December 16, 2020, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative:

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, and (iii) implementing guidelines for disclosing security vulnerabilities to contractors and reporting the resolution of those vulnerabilities.

Keypoint: The California Attorney General’s office again introduces an opt-out button.

On December 10, 2020, the California Attorney General’s office published a fourth set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The deadline to submit comments to the proposed modifications is Monday, December 28, 2020.

The latest set of proposed modifications revises the office’s third set of proposed modifications, published on October 12, 2020. The deadline to submit comments on the third set of modifications passed on October 28, 2020. For a discussion of the third set of modifications, see our prior blog post available here.

Keypoint: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy-to-understand presentation of an App’s privacy practices.

As of December 8, 2020, Apple now requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.

The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.

In the below post, we outline the four steps required by Apple.

Keypoint: Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.

As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.

As explained in the implementing decision, the SCCs “needed to be updated in light of new requirements in” GDPR. The SCCs also needed to be updated to consider “important developments . . . in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” The draft SCCs are also heavily influenced by the CJEU’s Schrems II decision.

The implementing decision and draft SCCs are open for public feedback until December 10, 2020. The European Commission presented the draft SCCs to the European Data Protection Board (EDPB) at the EDPB’s 42nd plenary session and requested a joint opinion from the EDPB and the European Data Protection Supervisor. For reference, the EDPB’s draft recommendations on supplementary measures were discussed in this blog post.

Once finalized, there will be a one-year implementation period during which entities can continue to rely on the existing SCCs for contracts entered into before the new SCCs go into effect, provided that the contract remains unchanged. However, the parties to the contract must still put supplementary measures in place to provide appropriate safeguards in light of the Schrems II judgment.

A discussion of some of the relevant takeaways from the draft SCCs follows: