Keypoint: While the Washington Privacy Act appears poised to pass the Senate, a competing bill introduced in the House of Representatives would require opt-in consent for processing, create an Illinois-like biometric information privacy structure, and allow for a private right of action.

On January 28, 2021, Washington state Representative Shelley Kloba filed HB 1433, entitled the People’s Privacy Act (WPPA). According to the Washington legislative website, the WPPA will be formally introduced on February 1, 2020.

The WPPA, which is supported by the Washington ACLU, is a competing bill to the Washington Privacy Act (WPA) introduced by Senator Carlyle in the Washington Senate. Although the WPPA and WPA are intended to address the same issue (consumer privacy) they come about it in very different ways.

The introduction of the WPPA certainly draws into question whether Washington lawmakers will be able to reach a compromise and finally pass consumer privacy legislation this year. At a minimum, it signals that the same obstacles that have prevented a bill from passing in the 2019 and 2020 are still present.

Below is a brief overview of the WPPA. For a summary of the WPA, see our article here. In addition, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country, including the WPA and WPPA. To register, click here.

On January 28, 2021, privacy professionals around the world will celebrate Data Privacy Day. This year, we decided to mark the occasion by gathering our team’s thoughts and expectations on what we expect to be the biggest privacy law stories in 2021 and beyond.

Last year we wrote a similar article, attempting to predict how the privacy landscape would unfold in 2020. We got some things right (e.g., the emergence of CCPA 2.0). But, let’s be honest, in March everything changed, including privacy law. As spring turned into summer our writing focused on the privacy law implications of COVID-19, including contact tracing, no contact temperature taking, and the unanticipated collection of heath information, among other unexpected topics. We also took note of developments overseas, including the Court of Justice of the European Union’s Schrems II decision and the emergence of Brazil’s federal privacy law, LGPD.

If there was one takeaway from 2020 from a privacy law perspective it was this – while it is impossible to predict its path, privacy law is rapidly growing and evolving, almost on a daily basis, and in nearly every corner of the world. With that, we turn to our 2021 predictions.

Keypoint: The European Commission will consider the joint opinion and public comments and decide whether to modify the draft standard contractual clauses.

On January 15, 2021, the European Data Protection Board (EDBP) and European Data Protection Supervisor (EDPS) issued joint opinions on the European Commission’s two draft standard contractual clauses (SCCs) issued in November 2020. The first draft SCCs concern the transfer of personal data to third countries. The second draft SCCs concern the transfer of personal data between controllers and processors in the EEA. Both SCCs were open for public comment until December 10, 2020.

The below post will focus on the joint opinion on the draft SCCs concerning international data transfers (hereinafter “Cross-Border Transfer SCCs”).

Keypoint: Five states are now considering online privacy legislation.

Virginia and Oklahoma join Washington, New York and Minnesota as states where lawmakers have proposed online privacy legislation this year. It is expected that lawmakers in other states will propose similar legislation in the coming weeks. As discussed in our prior posts, the fact the legislation has been proposed is not indicative of whether it has any chance of becoming law. Since lawmakers passed the California Consumer Privacy Act (CCPA) in 2018 numerous states have considered similar bills, but none of them has become law. That said, presumably one day another state (or more) will join California in passing such legislation.

Below is a brief summary of the two bills. To the extent that the bills appear poised for advancement we will provide a more detailed analysis.

In addition, on February 17, 2021, members of Husch Blackwell’s privacy and data security practice group will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country. To register click here.

Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once-again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.

Keypoint: The Washington Privacy Act is back.

The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing in the Senate Committee on Environment, Energy & Technology on January 14, 2021, which committee is chaired by Senator Carlyle.

In the past two years, versions of the WPA passed the Washington Senate without issue. However, in 2019, the bill failed in the Assembly. In 2020, the Assembly passed an amended version of the bill but the two chambers were unable to reach a compromise. Ultimately, both years, the WPA failed because the two chambers could not reach a compromise on the bill’s enforcement provisions.

The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions such as effective dates.

The below discussion focuses on Parts 1 and 4.

Keypoint: The UK/EU Brexit agreement provides for the continuation of UK/EU cross-border data transfers for the next four to six months, allowing the European Commission more time to consider issuing an adequacy decision.

On December 24, 2020, the United Kingdom and the European Union announced a number of agreements concerning the United Kingdom’s exit from the European Union (Brexit).

Keypoint: Supreme Court’s decision could require individuals to suffer an actual injury prior to participating in a class action.

On December 16, the Supreme Court of the United States agreed to review a case with potential major implications for data-breach class actions.

Trans Union v. Ramirez arises out of a class action about inaccurate credit reports. The class representative claimed that his credit report contained an error indicating that his name matched someone on the government’s list of persons with whom businesses in the United States are prohibited from transacting. Mr. Ramirez claimed this error caused him to be unable to obtain credit when purchasing a vehicle, caused him embarrassment in front of his family, and caused him to cancel a vacation to Mexico.

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.

Keypoint: Although the CPRA will not become fully operative until January 1, 2023, the provisions creating the California Privacy Protection Agency and extending the business-to-business and employee exemptions are now operative.

On December 11, 2020, California Secretary of State Alex Padilla certified the results of the November General Election. As a result, the California Privacy Rights Act (CPRA) became effective today, pursuant to Section 31 of Proposition 24 and Article II, Section 10(a) of the California Constitution. Notwithstanding the CPRA’s effective date, the majority of its provisions will not become operative until January 1, 2023. Nonetheless, certain notable provisions are now fully operative: