Stites & Harbison Client Alert, January 29, 2021
Every January 28, the United States, Canada, and 27 countries of the European Union celebrate Data Privacy Day, an international effort to create awareness about the importance of safeguarding data and respecting privacy. The United States began observing Data Privacy Day in 2009, when Rep. David Price, D-N.C., took notice of the European Union’s Data Protection Day and introduced House Resolution 31, declaring January 28 National Data Privacy Day. Passed by a unanimous vote, the resolution encouraged state and local governments to promote data privacy awareness, privacy professionals and educators to discuss data privacy and protection issues in high schools, and individuals to be aware of data privacy concerns and take steps to protect personal information online. In short, Data Privacy Day is meant to inspire dialogue regarding data privacy and protection. To keep the conversation going in honor of Data Privacy Day, we discuss some of the data privacy issues to watch in 2021.
REMOTE WORK SECURITY PRACTICES AND VENDOR DUE DILIGENCE
COVID-19 created a sudden shift to remote working that raised a number of new privacy concerns. In response to the pandemic, contact tracing apps, symptom collection, temperature checking, and probes into personal travel have emerged as potential measures to combat the spread of COVID-19 and promote safety in our communities and the workplace. Businesses with essential workers who cannot work from home and businesses with large remote workforces alike must manage productivity and safety while keeping a keen eye on data privacy. It is a delicate balance.
With the barrage of stay-at-home directives at the beginning of the COVID-19 pandemic, many businesses had to work quickly to put in place new technology platforms and practices in an effort to continue business as usual via a remote workforce as the pandemic swept across the globe. Privacy and security considerations may have received short shrift in the rush to adapt. Now that businesses have had time to adjust to increasingly virtual workplaces, and given that we expect remote work to continue for many, businesses may want to pause in 2021 to check in on remote work practices and on the vendors brought on to support 2020’s increased technology demands. Important considerations when engaging and evaluating vendors include: the type of information the vendor will receive, collect, or access; whether the vendor will host or store data; whether the vendor has adequate security controls and incident response plans; what the vendor is permitted to do with data; and what policies and rights exist with respect to data retention, deletion, and return. For remote workers, areas that may warrant attention include: continued backup of critical information despite decentralized working conditions; secure destruction of sensitive hard copy information; ensuring patch management continues through automated or other centralized means without relying on employees; controlling the computer assets used to connect to a business’s network and their related security configurations; and ensuring that mobile equipment employees use for remote work, such as laptops, is encrypted to prevent unauthorized data disclosure in the event of loss or theft.
COVID-19 brought an increase in the time people spent connecting virtually, including time spent on social media apps. This resulted in increased demand for the protection of personal data and an increase in allegations of data privacy violations. We saw more headlines related to data privacy, and consumers became more interested in and adamant about the protection of their personal data. At the same time, consumers seem to have grown more accustomed to the notion that companies capture and track their data and use it to serve targeted ads. Perhaps consumers are more willing to consent to the collection and use of data, so long as companies are transparent about the way in which it will be used. In 2021, we expect data ethics to remain important and the trend toward more stringent privacy regulation to continue.
COMPREHENSIVE FEDERAL PRIVACY LEGISLATION
The United States lacks a comprehensive federal law governing data privacy. Businesses must instead confront a complex “patchwork” of sector-specific federal laws and data-specific state laws addressing (in varying degrees) privacy, security, and breach notification. Understanding where a business fits into this complex legal web may be more obvious for businesses operating in highly regulated industries (financial and health care, for example). For many businesses, identifying relevant privacy laws is often a frustrating game of elimination.
In a September 2019 Business Roundtable letter to members of Congress, more than 50 CEOs representing multiple industries urged passage of a comprehensive consumer data privacy law, stating:
There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market.
Noting not just the need for a stable environment and well-understood legal and regulatory framework for businesses, the letter also cites the disservice to consumers who cannot be expected to know or understand that rights and rules with respect to their personal information may vary depending on the state in which they reside, the state from which they access the internet, or the state in which a company’s operations are located.
While efforts toward a comprehensive federal consumer data privacy law advanced in 2020, they lacked bipartisan support. In recent years, Senators from both parties introduced comprehensive federal legislation with many common elements. The Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Privacy Act (CDPA) each included requirements for transparent privacy notices, reasonable data security practices, privacy and risk assessments, oversight, and mechanisms for consent to process data. However, the lack of consensus on two critical issues – preemption and a private right of action – is often cited as the barrier to progress on privacy laws at the federal level. Another unknown is the impact a comprehensive federal law would have on existing federal regimes, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
In a more recent attempt at comprehensive federal privacy legislation, the SAFE DATA Act, proposed by Republican lawmakers in September 2020, contemplates a single national privacy standard that would replace state regulations such as California’s comprehensive privacy law, which took effect January 1, 2020. California’s then Attorney General, Xavier Becerra, urged the Senate via remote testimony to allow work and innovation to continue at the state level. Emerging issues arising in connection with the COVID-19 pandemic were cited in support of a federal law, with witnesses pointing out that organizations have difficulty understanding how to protect health data that is not covered by HIPAA, which contributes to confusion and hinders the ability to create technology that people can trust. With a new administration under President Biden, indications are strong that we may see a comprehensive federal privacy law in the near future. In any event, we expect privacy to be high on the federal legislative agenda again in 2021.
COLLECTION OF BIOMETRIC DATA
We expect the collection and use of biometric information to grow as an important area of privacy focus in 2021. Biometric identifiers include such things as fingerprints, face scans, voiceprints, and scans of hand or face geometry. Wearable technology that collects biometric information is increasing in popularity, partly as a result of increased consumer interest in tracking fitness activity during the pandemic. We have also seen the introduction of wearable devices that may be useful in detecting COVID-19 and assisting infected patients. For instance, late last year, wearable devices that contain blood oxygen sensors and ECG apps were released. Biometric information may also be collected in the workplace (for example, as a method of authenticating access to secure areas or to uniquely identify users accessing certain technology). Recently, the use of facial recognition to identify individuals engaged in criminal activity has gained attention, and, following an unsuccessful attempt last year, some Democratic lawmakers are pressing legislation to ban federal agencies from using facial recognition technology for law enforcement activities.
Many states have enacted legislation regulating biometric information, including Arkansas, California, Illinois, Texas, and Washington, and a number of other states have introduced biometric legislation. Though there have been efforts to advance federal legislation restricting companies’ abilities to collect, use, store, disclose, and sell biometric data without first obtaining consent, as we saw in 2020 with the introduction of the National Biometric Information Privacy Act, the list of states unwilling to wait for action at the federal level continues to grow. On January 6, 2021, a bipartisan group of New York state legislators introduced the Biometric Privacy Act, which imposes obligations on non-governmental organizations collecting biometric information to formalize how they handle, retain, and destroy such information. The proposed legislation also includes a private right of action; consumers may seek damages of up to $5,000 per violation for improper use or retention of biometric data.
Regardless of the purpose for which it is collected, organizations collecting and using biometric information should be mindful of the increasing regulation in this area, and give careful attention to possible obligations to provide notice and consent to collect, use, store, and disclose such data depending on the jurisdiction. Companies should also stay apprised of the latest developments in this area and work with outside counsel to implement policies and procedures regarding the collection and use of biometric data.
ALL EYES ON CALIFORNIA
The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, and since then plaintiffs have brought more than 50 class action lawsuits based in part on the CCPA. The CCPA requires increased transparency from businesses and provides California consumers with certain privacy rights. Businesses required to comply with the CCPA must provide notice to consumers at or before data collection and implement procedures to respond to consumer opt-out requests. The second half of 2020 brought a wave of class action lawsuits that included claims based on the CCPA. Many of these lawsuits included other factually related claims, such as breach of contract, misappropriation of confidential information, invasion of privacy, unlawful business practices, and unfair competition. It remains to be seen how courts will handle these lawsuits.
While businesses should continue to work on CCPA compliance, including mapping consumer data; providing notices at collection to consumers, employees, and applicants; updating websites and privacy policies; and creating procedures to verify and respond to consumer requests, businesses should also be planning ahead for the next wave of privacy regulations. California voters decided CCPA regulations were not enough to protect consumer data, and on November 3, 2020, passed the California Privacy Rights Act (“CPRA”), which will amend and supersede CCPA.
The CPRA will not go into effect until January 1, 2023, and will only apply to data collected after January 1, 2022. The law builds on the CCPA, expands consumer privacy rights to more closely align with the European Union’s GDPR, imposes additional obligations on businesses, and creates the country’s first agency dedicated to privacy regulation and enforcement. The CPRA also adds contractual requirements for all persons that receive personal information and expands the rights of children. The CPRA retains the CCPA’s 11 categories of personal information and adds a new category of “sensitive” personal information. Consumers will have the right to limit the use and disclosure of sensitive personal information, which includes specified types of information such as social security numbers, geographic location, religion, and biometric information. The CPRA adds a new definition of “third party” that excludes service providers, contractors, and any business with whom a consumer intentionally interacts and that collects information as part of the consumer’s interaction with that business. This new exception is relevant to the CPRA’s expanded consumer right to opt out of the sharing of their information with third parties. The CPRA also adds a definition of “profiling” and allows consumers to limit the use and disclosure of personal information to specific business purposes that exclude profiling, unless the consumer expects that profiling is necessary to perform the services or provide the particular goods requested. This addition to the CCPA may have implications for targeted advertising and remarketing in 2021 and beyond for California consumers.
The CPRA also expands the obligations of businesses related to the protection and retention of consumer personal and sensitive information. The CPRA requires businesses to inform consumers of the length of time the business intends to retain each category of personal information and to retain it for no longer than is reasonably necessary. The CCPA granted consumers the right to direct businesses not to sell their personal information, and the CPRA expands this right to allow consumers to prevent businesses from sharing their personal information with third parties for the purpose of cross-contextual behavioral advertising. The CPRA also creates new contractual requirements for businesses that receive personal information. Such contracts will have to contain certain provisions protecting personal information in order to comply with the CPRA.
Additionally, the CPRA institutes the California Privacy Protection Agency, which will implement and enforce the CCPA and the CPRA. This will be the first agency in the United States dedicated to consumer data privacy and will investigate and enforce violations through administrative actions. The CPRA also extends the scope of a private right of action by adding a cause of action under the CPRA for the unauthorized access and exfiltration, theft, or disclosure of an email address in combination with a password or security question and answer that could permit access to content.
Though the CPRA will not take effect until January 1, 2023, preparing early for implementation of its enhanced privacy obligations is recommended. Having a good grasp on an organization’s data collection, retention, sharing, and storage practices will better position businesses to comply with these increasing obligations.
NAVIGATING CROSS-BORDER TRANSFERS
Last July, the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield agreement between the European Union and the United States. The CJEU ruled that the agreement failed to protect the privacy of European Union citizens’ data. This ruling meant that companies needing to transfer data cross-border had to find an alternative data transfer method that adequately protected personal data—and fast. The decision also called into question the viability of the other mechanisms for transferring personal data from the European Union to the United States under GDPR. In late 2020, the European Commission released updated standard contractual clauses in draft form in an effort to bring them into alignment with GDPR. Companies will continue to face issues relating to the sufficiency of data transfer mechanisms in 2021.
LONG-TERM PLANS
2020 brought the COVID-19 pandemic, the implementation of the CCPA, the passage of the CPRA, the invalidation of the Privacy Shield agreement, and a whole lot more attention to privacy-related issues. At the beginning of the COVID-19 pandemic, many businesses were forced to quickly change the way they operate. Reliance on technology has increased in ways few would have believed just one year ago. Companies that assess their data privacy and security risks and practices in 2021 will be better prepared for continued changes in the future. We predict 2021 will continue to offer an interesting, if not challenging, evolution in privacy and data security laws. Happy Data Privacy Day!