Recently I had the pleasure of recapping the privacy regulatory landscape in 2020 along with key trends in data breach regulations alongside Deborah Rimmler, Counsel at Dentons, in an IAPP webinar, Trends in Evolving Data Breach Regulations: The Year in Review.

As Deborah stated during the webinar, staying on top of privacy laws is a lot like raising a toddler: Just when you think you understand what to do, the rules change. In that vein, I suppose privacy law activity in 2020 could be best characterized as The Terrible Twos: sudden shifts in mood, inconsistent behaviors, and uncertain outcomes.

We now expect that each year – each month for that matter – will bring about change in our regulatory landscape, whether a new regulation or a nuance to an existing regulation. But this year the rule book changed completely, as the pandemic gave us an additional layer of unpredictability that kept us on our toes and required additional vigilance to ensure our organizations were protected from known and new risks.

And while the pandemic had an impact on delaying the effective and/or enforcement dates of some regulations, many regulations pressed on, resulting in tighter controls to data and more stringent breach notification requirements.

Below we’ll summarize a few of the most interesting takeaways from this year. Stay tuned for the next two posts in our series, which delve into the three key trends we observed in 2020 data breach regulations, as well as our predictions for 2021.

So what the heck happened this year?

The International Scene:

Dozens of countries now have a mandatory or recommended notification obligation under a general breach notification law. Four of these laws went into effect by mid-November, impacting Brazil, Egypt, Thailand, and South Africa; and Australia’s new Privacy Act went into effect on December 1. A few interesting points about these developments:

  • Brazil and Thailand extended effective dates for part or all of their legislation, due to COVID-19. Thailand issued an interim notification that set forth basic security control standards that have to be followed by larger data controllers.
  • South Africa went forward with the implementation of its new data protection legislation, and one of the biggest changes with this regulation is an obligation to report data breaches
  • Australia’s new Privacy Act 2020 explicitly clarifies that businesses that use cloud service providers remain totally responsible for that data. This sets a standard by which you must have rigorous procedures in place to vet your vendors. (For more information, see Dentons’ cleverly-titled brief What to Expect When You’re Collecting)

In the United States:

As of mid-November, 12 data breach notification laws or amendments went into effect across 11 U.S. jurisdictions this year, including:

  1. California AB 1130, Jan 01
  2. Connecticut HB 7424, Oct 01 (NAIC)
  3. Illinois SB 1624, Jan 01
  4. Louisiana HB 614, Aug 01 (NAIC)
  5. New Hampshire SB 194, Jan 01 (NAIC)
  6. Oregon SB 684, Jan 01
  7. Texas HB 4390, Jan 01
  8. Texas Notice of Cybersecurity Incident, Feb 27
  9. Vermont S 110, Jul 01
  10. Virginia HB 1334 Jul 01 (NAIC)
  11. Washington HB 1071, Mar 01
  12. Washington DC Act 23-268, Jun 17

We’ll get into the nitty-gritty of some of these laws one of our future posts.

Of course, we cannot escape mentioning the California Privacy Rights Act (CPRA) ballot initiative, which was approved by voters in the November election and whose provisions will go into effect in 2023.

The CPRA – referred to by some as the CCPA 2.0 – revises the CCPA, clarifying some elements and creating more stringency for certain businesses. Much has already been said about the CPRA, but a few key things to know here:

  • The CPRA reduces the applicability of the CCPA to some small and mid-sized businesses, while it extends applicability to businesses that generate most of their revenue from sharing personal information, not just selling it
  • It introduces a category of “sensitive personal information,” similar to that of the GDPR
  • It expands the private right of action in the California civil code, essentially increasing the risk of litigation for businesses that experience a data breach

U.S. Bonus: The National Association of Insurance Commissioners (NAIC) model law

The NAIC model law, introduced in 2018, was intended to set the standard for breach notification obligations as part of the overall data security for the insurance industry. But of the 11 states that have adopted it since mid-November, with six more pending with activity in 2020, multiple states have tweaked it to their own specifications and molded it to harmonize with other data breach regulations, creating more ambiguity. Not quite the cookie-cutter law it seemed to be upon introduction.

We know from our Benchmarking Privacy Report, which includes an analysis of thousands of privacy incidents, that most breaches involve more than one jurisdiction – four, on average, in the case of an electronic breach. States will continue to introduce new and amended privacy legislation, and even a “cookie cutter law” can’t be counted on to create consistency across jurisdictions.

The bottom line: Don’t get too attached to that rule book. The breach regulation baby is always growing and changing.


What is our regulatory crystal ball predicting for 2021?

Join us December 10 for a live discussion on this topic featuring Alex Reynolds, Counsel at Davis Wright Tremaine, in conjunction with The Privacy Collective. We’ll also cover the highlights from that session in a future post.

And stay tuned for the next post in this series, which will cover the three key trends we observed in 2020 data breach regulations.

Related Resources:

Webinar: Trends in Evolving Data Breach Regulations: The Year in Review
Report: Benchmarking Privacy Incidents 2020
Free breach law library: Breach Law Radar