For a while, privacy in Q2 was looking like it would follow the season’s idiomatic rule: in like a lion, out like a lamb. But it came roaring back in June with a new U.S. state law, EU adequacy decisions, a new EU data transfer mechanism, and more. As we look back over the second quarter of 2021, several important developments are worth noting.
U.S. State Privacy
Overall, the short legislative season proved to be as much an obstacle to passing comprehensive privacy laws as the private right of action has been. By the end of the second quarter, with a total of 26 states having introduced comprehensive privacy bills since the start of 2021, only Colorado and Virginia crossed the finish line by the end of their legislative calendar. Massachusetts, New Jersey, and Pennsylvania remained in session with privacy bills on the agenda.
Much as Virginia did last quarter, Colorado stole the show this quarter as legislators worked quietly and diligently to become the third state in the U.S. to pass comprehensive privacy legislation. Drawing from laws in California and Virginia, and generally seen as striking a balance between consumer privacy and enabling business, the Colorado Privacy Act positions itself as an example for other states to follow.
Signed into law by Gov. Jared Polis, the CPA provides consumers with what have come to be seen as the standard data subject rights in the U.S. — access, rectification, deletion, and portability. Similar to California and Nevada, it provides the ability for consumers to opt-out of the sale of personal information and, like Virginia, includes an opt-out option for targeted advertising and profiling.
The CPA will take effect July 1, 2023. Enforcement of the CPA rests with the Attorney General’s Office, which has also been tasked with creating clarifying regulations. The bill does not include the private right of action — a common deal-breaker for privacy laws — and, for clarity, states this multiple times.
Polis has acknowledged that the CPA is a work in progress, remarking in his signing statement that, "in the haste to pass this bill, several issues remain outstanding … SB 21-190 will require clean-up legislation next year.”
U.S. Federal Privacy
A U.S. federal privacy law seemed inevitable at the start of 2021. Lawmakers on both sides of the aisle generally support and agree on how to provide protections for consumers. The proof can be found in the various bills introduced, which show overwhelming agreement in the details of how to construct a federal standard. Despite this, proposals continue to be met with resistance and delays, and toward the end of the quarter, congressional attention on privacy seemed to practically disappear.
Discussions on federal privacy are rumored to begin later this summer. Until then, we will be watching to see how the Federal Trade Commission handles it in the near term. With Lina Khan now confirmed and appointed Chairwoman, the FTC is well-positioned to explore its rule-making capabilities as a solution for federal regulation. We are even seeing previously reluctant FTC members acquiesce to the idea in the absence of a federal law.
In contrast to the United States, Europe continues working to develop more nuanced areas of focus in privacy and data protection matters as it continues its digital transformation. Work on reforming the ePrivacy Directive into a regulation continues, for instance, while the European Commission released new Standard Contractual Clauses, issued adequacy to the U.K. and a draft adequacy decision to South Korea, as well as released guidance on artificial intelligence.
The Court of Justice of the European Union issued a judgment that will change the EU’s one-stop-shop mechanism and is likely to de-congest an enforcement bottleneck. The CJEU’s judgement gives supervisory authorities other than the lead authority the power to bring cases of alleged GDPR violations to their national courts in certain circumstances, specifically cross-border cases. With myriad big tech firms headquartered in Ireland, this decision is likely to lessen the burden placed on the Irish authority, which has been criticized for failing to properly enforce GDPR matters in a timely fashion.
China recently released the second draft of its Personal Information Protection Law, which adds clarification to the first draft and expands data subject rights. It is expected that the draft will be reviewed once more before adoption later this year.
South Africa’s Protection of Personal Information Act (POPIA) became enforceable on July 1. POPIA protects personal information processed by public and private bodies, provides data subjects rights, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify of data breach incidents, and imposes statutory penalties for violations of the law.
Looking ahead to the third quarter, here is what we will be watching:
- Remaining active state privacy bills: New Jersey, Massachusetts, and Pennsylvania
- How will federal privacy discussions play out this summer?
- How will the FTC navigate rule-making for privacy regulations?
- Will we see increased enforcement action across Europe as one-stop-shop is clarified?
- Will the ePrivacy Regulation finally get passed?
About the Authors:
Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.