Welcome to 2021!

The Woods Rogers Cybersecurity and Data Privacy group is excited for new beginnings and a new year of solving privacy problems.

Now is the time to review 2020’s wild ride from a data privacy law perspective and to make resolutions for better privacy practices in 2021.

In 2020 – from California to Europe – data privacy regulations were both newly instituted and further refined with sharpened penalty teeth. Here are a few highlights:

  • In November 2020, California passed a new privacy ballot measure that created the California Privacy Rights Act (CPRA). The previous privacy regulation – the California Consumer Privacy Act (CCPA) – was merely a timid step into the murky privacy waters. CPRA will push American business practices closer to those required under Europe’s General Data Privacy Regulation (GDPR). CPRA will be fully enforced in 2023, so businesses must begin to work toward compliance soon.
  • During the summer and fall of 2020, European courts dealt a heavy blow to trans-Atlantic data transfer with their long-anticipated Schrems II decision. If you have customers in Europe, get leads from Europe, or manage European employees or facilities, data transfer just became a bigger headache.
  • The FTC woke up. The sleeping data privacy regulator in the United States stirred, sending a wave of document requests to big tech. Experts believe this wave warns of a storm of penalties and fines in the future.
  • The global data climate continues to contract. New and revised regulations moved forward from Canada to Brazil to China.

What should you anticipate in 2021 and what steps should your company take in Q1?

1. Become aware of all data privacy regulations and of your company’s data footprint.

Look for more states and countries to pass strict data privacy regulations. Experts say California’s new regulations will drive the United States to pass a federal law.

Best Practice: Map your data and review your practices now to prepare for the future.

2. Do what you say you do with data.

When did you last dust off the privacy policy on your website and compare it against what your team does with the data being collected? The FTC’s most powerful weapon in the data privacy arena is its ability to penalize companies making false claims in their data protection policies. Most of the time it’s okay to use consumer data as long as your consumer knows what you are doing with it, so just be straightforward with them.

Best Practice: Make sure your privacy policy is accurate. Ask the hard questions. Audit for data risk.

3. Don’t be a data hoarder.

Data ages like milk, not wine. As cybersecurity and data privacy continue to overlap, ensure your shared drives aren’t full of personally identifiable information that will require hundreds of thousands of notifications should a breach occur. If you don’t really need the data, get rid of it.

Best Practice: Remove sensitive data from places where it can be easily accessed.

 

The Woods Rogers data privacy legal team wishes you a safe and secure 2021!