Privacy Law Update: August 23, 2021
As the invalidation of the EU-U.S. Privacy Shield still casts uncertainty over international data flows more than a year later, the need for federal privacy legislation looms larger than ever. Although congressional interest in revamping U.S. federal privacy laws persists, there has been only marginal action so far this year. On July 28, Sen. Roger Wicker (R-MS), ranking member of the Senate Commerce Committee, and Sen. Marsha Blackburn (R-TN) introduced a new version of the Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act). The bill comes not long after Wicker and Blackburn joined their House counterparts, Reps. Cathy McMorris Rodgers (R-WA) and Gus Bilirakis (R-FL), in urging the White House to work with Congress on a federal consumer privacy law.
California’s new stricter data privacy law takes effect January 1, 2023 but companies must be ready to provide a personal data report for the prior 12 months to any California resident — it’s one of several provisions in the new law that are not well understood but could result in massive fines. The upcoming California Privacy Rights Act (CPRA) is considered a pioneer in data privacy and it strengthens the current California Consumer Privacy Act with stricter rules. Enforcement is also beefed up with the creation of the California Privacy Protection Agency (CPPA) plus the ability of individual Californians to file suits against companies for non-compliance.
- China Adopts National Privacy Law: The top legislative body in the People’s Republic of China voted Friday to adopt a new national privacy law. The Standing Committee of the National People’s Congress passed the Personal Information Protection Law at a meeting in Beijing, according to the nation’s state-operated Xinhua News Agency. The sweeping law will take effect Nov. 1. With the move, the PRC joins three of the world’s top four economies with an omnibus privacy law, leaving the U.S. as the only nation in the top four without one.
- Virginia CDPA: The Virginia Consumer Data Protection Work Group, which is a subcommittee of the Joint Technology and Science Commission, met on August 17 to continue reviewing the Virginia Consumer Data Protection Act (VCDPA). The group is charged with recommending changes to this law to align it with other state privacy laws. Two more meetings are set for September 13 and October 13. Their final report is due November 1, 2021, since the VCDPA becomes effective January 1, 2023. The Virginia Attorney General’s Office outlined four suggested law changes, which Democratic Gov. Ralph Northam supports. Suggested changes the AG asked the group to consider would align more with California and Colorado including increased protections for children (Colorado automatic opt-out), a general opt-out provision (Colorado authorized agent opt-out) and annual reports from the Attorney General’s Office, outlining enforcement practices and adding language clarifying public records processors.
- IAPP Privacy Law Tracker