As the pandemic forces our lives and livelihoods online, expect 2021 to be a hotbed of data privacy litigation and legislation. California expands legislation (CCPA and CPRA) to strengthen protections against the exposure and sale of personal information online. Other states are likely to follow suit in the decade to come. Read More Below.

As technology advances, we are able to see the impact of data collection on the changing virtual landscape: in our filtered social media feeds, personalized web advertisements, and localized Google search results. 2020 has seen major developments in data privacy law with more on the horizon for 2021.

The California Consumer Protections Act of 2018 (CCPA) became effective in July and is strengthened by the newly passed California Privacy Rights and Enforcement Act (CPRA). The CCPA and CPRA mandate extensive disclosure requirements and grant consumers unprecedented rights to “opt out” of large swaths of the data collection process.

According to the NCSL, consumer data privacy bills were considered in at least 30 states and Puerto Rico in 2020. California (CCPA, 2018) and New York (SHIELD Act, 2019) were the first states to enact legislation for the protection of personal information online. While the CCPA is by far the most comprehensive data privacy law in the US, other states are incorporating similar protections based on the state’s specific needs. For example, Virginia’s SB 101 allows a merchant to scan the machine readable zone of an individual’s driver’s license for verification purposes, but requires the merchant to destroy the retained information when the purpose for which it was provided and retained has been satisfied.

While there is no one comprehensive federal law that governs data privacy in the United States, Sen. Jerry Moran, R-Kan., along with other representatives, established initial drafts of the Consumer Data Privacy and Security Act (CDPSA) of 2020 back in March. While it is unlikely that there will be an agreed upon federal law in the near future, this approach aims to fill a void around centralized governing of data privacy and security at the national level.

In the EU, the European Court of Justice overturned the transatlantic “privacy shield” governing data transfers from Europe to the United States with the “Schrems II Decision.” The decision effectively reinstates the baseline protections of the European General Data Protection Regulation, which is even more protective than the new legislation coming out of California.

As legislation strengthens and data privacy litigation is on the rise, businesses should be acting now  to ensure compliance with new laws surrounding the exchange of personal data online.

Click the links below for information on developments in Data Privacy Law in the US and beyond.

California’s CCPA and CPRA & EU’s Schrem’s II:

Statewide 2020 Consumer Data Privacy Legislation:

Pandemic increases threat to data privacy:

Federal CDPSA of 2020: