Welcome to the first edition of the DGS Privacy & Data Security Legal Update! The goal is to keep you apprised of the latest developments in privacy and data security law. If you have any comments, questions, suggestions, or feedback, please reach out to the author, Camila Tobón.
In this month’s edition we cover amendments to the California Consumer Privacy Act, privacy bills in Minnesota, New York, Oklahoma, Virginia, and Washington, and updates to the standard contractual clauses for personal data transfers from the European Union to third countries.
California voters approve amendments to the California Consumer Privacy Act
On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). The CPRA amends and will replace the CCPA when it takes effect on January 1, 2023. Significant changes in the CPRA include:
Extended exemptions for business contact and employee data until January 1, 2023. This is a welcome development for businesses and means that the full suite of privacy rights will not be required for employee and business contact data until 2023 (or later if the exemptions are further extended).
Expanded opt-out right covering not only “sale” but “sharing.” Recall that sale is defined as disclosure of PI by a business to a third party for monetary or other valuable consideration. Sharing is now defined as a disclosure to a third party for purposes of cross-contextual behavioral advertising, whether or not for monetary or other valuable consideration. This change removes any doubt as to whether the right to opt out applies to online behavioral advertising cookies on websites. Companies must prepare to provide the opt-out right to consumers for online tracking.
New subcategory of “Sensitive Personal Information” (SPI) and the right to limit use and disclosures of SPI. SPI includes SSN, state ID, or passport number; account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of mail, email and text messages (unless the business is the intended recipient of the communication); genetic data; biometric information for the purpose of uniquely identifying a consumer; PI collected and analyzed concerning a consumer’s health; and PI collected and analyzed concerning a consumer’s sex life or sexual orientation. Consumers may request limitation on the use and disclosure of SPI to those that are: (i) necessary for the good or service requested; (ii) for purposes of ensuring security and integrity; (iii) short-term, transient uses; (iv) performing services on behalf of the business; and (v) activities intended to verify or maintain the quality or safety of goods or services. Businesses will need to identify whether they process and disclose SPI and, if so, why, in order to determine whether a consumer will have a right to limit the use and disclosure of that SPI.
Extended right of access to PI beyond a 12-month period, provided the PI was collected on or after January 1, 2022. Under the CCPA, the disclosure of required information following an access request must cover the 12-month period preceding the request. The CPRA allows the consumer to request information beyond that period and the business is required to provide it unless doing so proves impossible or would involve disproportionate effort. Businesses must be prepared to track, compile, and produce consumer PI collected on or after January 1, 2022.
New comprehensive privacy legislation introduced in Minnesota, New York, Oklahoma, Virginia, and Washington
Legislators in Minnesota introduced HF 36, a bill giving consumers various rights regarding personal data, imposing transparency obligations on businesses, and creating a private right of action. Consumer rights include access, deletion, and opt-out of sale. Transparency obligations include notice by a business to the consumer at or before the point of collection about the collection, use, disclosure, and sale of PI, including third parties to whom PI may be disclosed and/or sold. The bill provides a private right of action for any violation of the law, with statutory damages between $100 and $750 allowed per consumer, per violation, and allows suit by the state attorney general to enforce.
In New York, several privacy bills were introduced when the 2021 legislative session opened. Two are notable. The New York Privacy Act (AB 680) was re-introduced after having failed last year to make it out of committee. This bill requires consent for the use, processing, or transfer of PI to a third party; imposes a fiduciary duty of care with respect to PI; provides consumers GDPR-like rights; and grants a private right of action under the state’s unfair and deceptive practices statute for actual damages. A new bill introduced for the first time this year, SB 567, is very similar to the CCPA. It provides consumers rights over their PI and imposes transparency obligations on businesses. But unlike the CCPA, it grants a private right of action for any violation of the law, with statutory damages between $1,000 and $3,000 depending on the nature of the violation.
HB 1130 in Oklahoma focuses on transparency obligations. It requires businesses and website operators that collect a consumer’s personal digital information to provide notice of the categories of PI collected and the purposes of use. Information about PI sale and disclosure must also be provided, and sale is defined as disclosure to a third party for monetary or other valuable consideration (like the CCPA). Unlike the other bills, HB 1130 does not provide consumer rights or allow for a private right of action to enforce.
Legislators in Virginia introduced SB 1392, the Consumer Data Protection Act, which is similar to the Washington Privacy Act. The Virginia bill would provide consumers the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and profiling. The bill imposes transparency obligations on controllers, defines the responsibilities of controllers and processors according to their role, and requires data protection risk assessments for certain types of processing activities. The state attorney general is the only entity with enforcement authority and enforcement penalties would be capped at $7,500 per violation. No private right of action is provided.
In Washington, the Washington Privacy Act (SB 5062) has been introduced for the third time. Last year, the bill passed the Senate but died after the Senate failed to ratify amendments by the House, which included the addition of a private right of action. The latest version of this bill gives consumers the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, or profiling. It imposes specific obligations on controllers and processors and would require data protection risk assessments for certain processing activities. The bill does not include a private right of action. New provisions added to this third version in response to the pandemic include those relating to processing data for public health emergencies and automated contact tracing.
Other states are expected to follow suit with proposed privacy legislation. In addition, there appears to be momentum at the federal level to pass comprehensive privacy legislation. We will continue to monitor and report on developments.
European Commission issues new draft Standard Contractual Clauses for data transfers from the European Economic Area
On November 12, 2020, the European Commission (EC) issued draft standard contractual clauses (SCCs) for data transfers from the European Economic Area (EEA) to third countries. These draft SCCs are meant to replace the existing SCCs, which were adopted in the 2000s while the GDPR’s predecessor, the 1995 Directive, was in effect. The new SCCs are designed to cover a broader set of data transfers out of the EEA between controller-controller, controller-processor, processor-processor, and processor-controller (the existing SCCs work only for controller-controller and controller-processor transfers). The revised SCCs also address the Court of Justice of the European Union’s (CJEU) decision in the Schrems II case. (For more on the CJEU’s decision in Schrems II, see our previous client alert). Specifically, the SCCs include provisions for the data exporter’s analysis of the receiving country’s laws to determine whether they are “essentially equivalent” to EU law and provisions addressing the data importer’s obligations in the case of government access requests.
The consultation period for the new SCCs closed in December. Revisions are anticipated before the SCCs are finalized. Once finalized, companies will have one year from finalization to update existing contracts.