- Meanwhile, states have been advancing policies including the new, stricter California act that voters approved on Election Day.
When data privacy rules change, companies have to adjust the data collection, storage, sharing and protection of their customers’ and employees’ personal information, as well as procedures for reporting to regulatory agencies. When the rules are enforced, companies can face fines, disruption to their operations, related civil suits and damage to their reputation.
Email management can be central to regulatory compliance, since so much personal information is transmitted and stored in emails — and since business email is so often the entry point for hackers looking to steal personal information. Email service providers such as Mimecast support customers in managing compliant archives, securing personal information and meeting other requirements.
Some 30 privacy bills are already circulating on Capitol Hill. The Brookings Institution, a Washington think tank, recently wrote that “privacy legislation may be a subject on which Congress and the new administration can collaborate on a bipartisan basis.”
Many companies have complained about the patchwork of state data privacy policies across the country. BSA|The Software Alliance recently recommended that the new administration work closely with Congress to enact a national privacy law. The U.S. Chamber of Commerce has also promoted a model for national privacy legislation that it developed, drawing in part on Europe’s GDPR.
Data privacy enforcement may also increase under a new administration. The International Association of Privacy Professionals sees one example of this in the Federal Trade Commission, which has already been active but could see a change in leadership that brings more vigorous enforcement.
California Doubles Down on Data Privacy
In the 2020 election, Californians voted for Proposition 24, which strengthens the California Consumer Privacy Act (CCPA) implemented only a few months before. The new California Privacy Rights Act of 2020 is expected to tighten requirements to minimize the collection of personal data, limit its archiving and ensure its security, while creating the California Consumer Privacy Agency to enforce these requirements.
When the new agency begins operating in July 2021, companies doing business in California will have to submit risk assessments and cybersecurity audits related to safeguarding personal information. In another change, the act establishes what legal experts are calling the broadest definition of personal information in the country. Between existing and new categories of information, California’s definition now ranges from email addresses and the contents of some email and text messages, to social security numbers, geolocation, philosophical beliefs and more.
More small businesses may be exempt under the new rule than under the original CCPA, if their annual revenue or the number of their California customers falls below certain thresholds. “Even so, small companies can get bigger — and in that respect the law is something to note,” Inc. magazine reported.
Data Privacy Regulation and Enforcement Advances in Many States
After the CCPA passed in 2018, other states began following suit. The National Conference of State Legislatures recently counted legislative proposals in more than 30 states, but said many had stalled during the COVID-19 pandemic.
Measures vary, and may include requirements for conducting risk assessments, minimizing the archiving of personal data, monitoring to prevent data breaches and reporting any breaches that occur. In another twist, proposed New York State legislation could apply to all companies, small and large, with no minimum revenue or consumer threshold such as California’s.
Whether the measures delayed by COVID-19 will soon regain momentum is an open question. Observers say that some states may wait to see what happens in Washington.
Meanwhile, enforcement is increasing in some states. In recent months, for example, the Massachusetts attorney general announced the creation of a Data Privacy and Security Division, charged with investigating and enforcing the Massachusetts Consumer Protection Act and Data Breach Law to protect consumer data.
U.S.-Europe Data Privacy Provisions in Flux
When the European Union’s top court recently invalidated the EU-U.S. Privacy Shield Framework, a rule governing the trans-Atlantic flow of data, negotiations were said to have begun on a replacement. There has been little mention of the talks since then, though. The shield had allowed companies to self-certify annually that they would uphold certain principles for protecting personal data, subject to enforcement. Meanwhile, European officials have been collecting public comment on standard contractual clauses that can be used in its place.
The Bottom Line
Data privacy is expected to be a bigger focus of the new U.S. presidential administration, raising the possibility of a comprehensive national policy in 2021. Businesses should also brace for enforcement to ramp up at both the state and national levels.
“A Look at Where Joe Biden Stands on Key Tech Issues,” S&P Global
“By Passing Proposition 24, California Voters Up the Ante on Federal Privacy Law,” Brookings Institution
“BSA Releases Policy Recommendations for Biden-Harris Transition Team,” BSA|The Software Alliance
“U.S. Chamber Releases Model Privacy Legislation, Urges Congress to Pass a Federal Privacy Law,” U.S. Chamber of Commerce
“What Could a Biden Administration Mean for Privacy, Cybersecurity?,” International Association of Privacy Professionals
“Proposition 24,” Government of California
“Inside the Proposed New York Privacy Act,” New York Law Journal