2020 Consumer Data Privacy Legislation Builds on 2019’s Momentum, But Few Enactments

On the heels of the EU’s General Data Protection Regulation (GDPR) going into effect in 2018, and passage of the California Consumer Privacy Act of 2018 (CCPA), 2019 proved to be a banner year for introduction of state consumer data privacy legislation. Approximately 149 bills were introduced and 17 were enacted, and numerous states pressed forward with additional privacy legislation in 2020.

Consumer Data Privacy Legislation in General

The year 2020 was a carryover year for a number of state legislatures, meaning that some legislation introduced in 2019 could continue to be in play.  Additionally, new legislation was introduced in many states, including Arizona, California, Connecticut, Florida, Hawaii, Idaho, Illinois, Louisiana, Maryland, Michigan, Minnesota, Missouri, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin and West Virginia.  This brought the total number of active bills in 2020 to almost 200, as follows:

The legislation addressed a variety of issues, from restrictions on the use of genetic, biometric and geolocation data to comprehensive data privacy regimes like the CCPA or GDPR.  Of these, Michigan passed SB 172 relating to privacy policies provided by licensed insurers, and Virginia passed SB 101 relating to the use and retention of data scanned from driver’s licenses.  California is discussed below.

CCPA/GDPR-Type Legislation

Most of the legislation that proposed comprehensive protection followed the CCPA model, while a handful were a CCPA-GDPR hybrid.  None of this legislation was enacted. Our chart (linked here) provides a comparison of some of these bills in terms of thresholds, protections, exemptions and penalties.

California

The CCPA has been amended a number of times since enactment, and 2020 was no exception.  AB 713 conformed portions of the CCPA relating to deidentified patient data to the requirements of the Health Insurance Portability and Accountability Act Privacy Rule.  AB 1281 extended the existing exclusions for personal information associated with business-to-business communications and for certain employment-related personal information to Jan. 1, 2023.

Additionally, the Office of the California Attorney General has been hard at work on CCPA regulations. The original proposed regulations were filed in October 2019, and proposed modifications were issued in February and March 2020. The “final” regulations became effective Aug. 14, and a third set of proposed modifications was issued in October and a fourth set in December.

The regulations are generally perceived as being quite helpful in untangling the CCPA’s hastily-drafted requirements, and this level of rulemaking activity by the AG demonstrates a unique willingness to correct technical issues and to take action in response to public comments.

Finally, the California Privacy Rights Act (CPRA) was approved by voters in November and will substantially modify the CCPA effective Jan. 1, 2023. Among other things, the CPRA: introduces “sensitive data” and new requirements regarding its use; provides consumers the right to correct their personal information; requires some businesses to conduct annual risk assessments and audits; requires notification as to how long a business intends to retain categories of information; outlines contractual requirements for businesses, contractors, service providers and third parties; and creates the California Privacy Protection Agency.

2021?

With increased data breaches, security issues associated with working from home and concerns regarding COVID-19 tracing, consumers’ (and legislators’) interest in privacy laws is at an all-time high.  That, combined with additional time to explore the pros and cons of existing privacy laws, suggests that not only will the upward trend of legislation continue, but there will be a greater percentage of enactments.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/