In this second edition of the DGS Privacy & Data Security Legal Update, we cover Virginia’s Consumer Data Protection Act, which was approved by both legislative chambers, and new bills in Alabama, Florida, Utah, and Washington. On the international front, we cover new guidelines from the European Data Protection Board on breach notification and the latest developments in negotiations over an ePrivacy Regulation.
If you have any comments, questions, or suggestions, please contact the author, Camila Tobón.
In early February, both the Virginia House of Delegates and the Virginia Senate passed identical bills for the Virginia Consumer Data Protection Act (HB2307 and SB1392). Governor Ralph Northam is expected to sign the measure, after reconciliation of the two bills. The Act more closely mirrors the Washington Privacy Act (WPA) than the California Consumer Privacy Act (CCPA) and adopts the controller/processor terminology from the GDPR as opposed to the business/service provider/third party terms from the CCPA. It would apply to entities that control or process data of at least 100,000 Virginians, or those that derive at least 50 percent of their revenues from the sale and processing of consumer data of at least 25,000 customers. It includes entity-level exemptions for financial institutions subject to the Gramm-Leach Bliley Act and covered entities under the Health Insurance Portability and Accountability Act, among others, as well as data-level exemptions for personal information covered by other state and federal laws, employee data, and business contact data. Controllers must provide the rights of access, correction, deletion, data portability, and opt-out of targeted advertising, sale, and profiling and develop a mechanism for consumers to appeal a controller’s refusal to act on a request. The Act creates an opt-in regime for the processing of sensitive data (which includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying a natural person, children’s data, and precise geolocation data). It also requires data protection risk assessments for certain types of processing activities, including processing data for targeted advertising or profiling, sale of data, processing of sensitive data, and any other activity presenting a heightened risk to consumers. The state attorney general is the only entity with enforcement authority and enforcement penalties would be capped at $7,500 per violation. No private right of action is provided. The Act would take effect on January 1, 2023 (the same date the California Privacy Rights Act (CPRA) takes effect).
Earlier this month, HB216 was introduced in the Alabama House. The Alabama Consumer Privacy Act is similar to the California Consumer Privacy Act. Consumers are given the rights of access, information, deletion, opt-out of sale, and non-discrimination. There is also a private right of action for breach of nonencrypted or nonredacted personal information resulting from a failure to implement and maintain reasonable security procedures and practices. Unlike the CCPA, the Alabama Act does not provide for statutory damages, instead requiring courts to determine damages according to a set of factors set out in the bill. If enacted, the law would take effect on October 1, 2022.
SB200 was introduced in Utah for a Consumer Privacy Act. Unlike the Alabama and Florida bills, this one mirrors the Washington Privacy Act. Consumer rights include access, correction, deletion, portability, and opt-out of processing for targeted advertising, sale, or profiling in furtherance of decisions regarding educational enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities as well as opt-in to processing sensitive data. The bill requires that controllers implement a process for appeals of consumer requests and conduct risk assessments for certain high-risk processing activities. The bill does not provide a private right of action. Enforcement would be by the attorney general with penalties not to exceed $1,000 per consumer per violation. The bill would take effect January 1, 2022.
Last month, the European Data Protection Board (EDPB) issued Guidelines 01/2021 on Examples Regarding Data Breach Notification. Public comments will be accepted through March 2, 2021. In the Guidelines, the EDPB provides examples of the most common breach notification cases such as ransomware attacks, data exfiltration attacks, lost or stolen devices and paper documents, misdirected mail, and social engineering. For each type of attack, the guidelines set out guidance and recommendations, including obligations to notify supervisory authorities and affected individuals. The concrete examples provided in the guidelines should greatly assist organizations with conducting their risk assessments following a breach and determining whether notification is required and to whom. The guidelines will be finalized following the public comment period.
The EU has been working on an overhaul of the 2002 ePrivacy Directive, which governs privacy and electronic communications, for several years. There are two main goals. First, to harmonize rules over electronic communications data in the EU. As a regulation, the ePrivacy Regulation would become immediately binding in all EU member states upon enactment (as opposed to a directive, which must be implemented in each member state’s national law resulting in diverging applications of the rules). Second, to address new technological and market developments, such as the current widespread use of Voice over IP, web-based email and messaging services, and the emergence of new techniques for tracking users’ online behavior. This recent development will kick-start negotiations between the Council of the EU, the European Parliament, and the European Commission over the final text of the ePrivacy Regulation.