Archive Data Protection

    Elections Change Outlook for U.S. Data Privacy Policy in 2021

    National privacy policy is on the agenda in Washington, a stricter California policy is approved by voters, and other states are poised to act.

    by Karen Lynch

    Key Points

    • Many businesses favor a national privacy policy rather than patchwork state policies.
    • The incoming Biden administration is open to instituting comprehensive national data privacy policy.
    • Meanwhile, states have been advancing policies including the new, stricter California act that voters approved on Election Day.


    2021 is expected to bring new data privacy policymaking, regulation and enforcement across the U.S. All eyes are on Washington and California, where recent election results have changed the dynamics. But developments in states like Massachusetts and New York also bear watching, while international data privacy rules affecting U.S. companies have been in flux.

    Many American businesses must already comply with various data privacy requirements, under policies such as the U.S. Health Insurance and Accountability Act (HIPAA) and Europe’s General Data Privacy Regulation (GDPR). To date, though, there has been no comprehensive U.S. data privacy policy, and observers say 2021 could usher in just such a national law. Greater enforcement efforts are also on the horizon, especially under a new California Privacy Protection Agency.

    When data privacy rules change, companies have to adjust the data collection, storage, sharing and protection of their customers’ and employees’ personal information, as well as procedures for reporting to regulatory agencies. When the rules are enforced, companies can face fines, disruption to their operations, related civil suits and damage to their reputation.

    Email management can be central to regulatory compliance, since so much personal information is transmitted and stored in emails — and since business email is so often the entry point for hackers looking to steal personal information. Email service providers such as Mimecast support customers in managing compliant archives, securing personal information and meeting other requirements.

    Here’s a rundown of new data privacy policy developments in the U.S.

    Washington Opens Path to New Privacy Policy

    President-elect Joe Biden has publicly stated support for comprehensive data privacy policy, “not unlike the Europeans are doing.”[1] Exactly what that policy would look like and how quickly it might pass, if at all, may depend on which political party takes control of the Senate in January.

    Some 30 privacy bills are already circulating on Capitol Hill. The Brookings Institution, a Washington think tank, recently wrote that “privacy legislation may be a subject on which Congress and the new administration can collaborate on a bipartisan basis.”[2]

    Many companies have complained about the patchwork of state data privacy policies across the country. BSA|The Software Alliance recently recommended that the new administration work closely with Congress to enact a national privacy law.[3] The U.S. Chamber of Commerce has also promoted a model for national privacy legislation that it developed, drawing in part on Europe’s GDPR.[4]

    Data privacy enforcement may also increase under a new administration. The International Association of Privacy Professionals sees one example of this in the Federal Trade Commission, which has already been active but could see a change in leadership that brings more vigorous enforcement.[5]

    California Doubles Down on Data Privacy

    In the 2020 election, Californians voted for Proposition 24, which strengthens the California Consumer Privacy Act (CCPA) implemented only a few months before. The new California Privacy Rights Act of 2020 is expected to tighten requirements to minimize the collection of personal data, limit its archiving and ensure its security, while creating the California Consumer Privacy Agency to enforce these requirements.

    When the new agency begins operating in July 2021, companies doing business in California will have to submit risk assessments and cybersecurity audits related to safeguarding personal information.[6] In another change, the act establishes what legal experts are calling the broadest definition of personal information in the country.[7] Between existing and new categories of information, California’s definition now ranges from email addresses and the contents of some email and text messages, to social security numbers, geolocation, philosophical beliefs and more.

    More small businesses may be exempt under the new rule than under the original CCPA, if their annual revenue or the number of their California customers fall below certain thresholds. “Even so, small companies can get bigger — and in that respect the law is something to note,” Inc. magazine reported.[8]

    Data Privacy Regulation and Enforcement Advances in Many States

    After the CCPA passed in 2018, other states began following suit. The National Conference of State Legislatures recently counted legislative proposals in more than 30 states, but said many had stalled during the COVID-19 pandemic.

    Measures vary, and may include requirements for conducting risk assessments, minimizing the archiving of personal data, monitoring to prevent data breaches and reporting any breaches that occur. In another twist, proposed New York State legislation could apply to all companies small and large, with no minimum revenue or consumer threshold like in California.[9]

    Whether these measures delayed by COVID soon regain momentum is an open question. Observers say that some states may wait to see what happens in Washington.

    Meanwhile, enforcement is seen increasing in some states. In recent months, for example, the Massachusetts attorney general announced the creation of a Data Privacy and Security Division, charged with investigating and enforcing the Massachusetts Consumer Protection Act and Data Breach Law to protect consumer data.

    U.S.-Europe Data Privacy Provisions in Flux

    When the European Union’s top court recently invalidated the EU-U.S. Privacy Shield Framework, a rule governing the trans-Atlantic flow of data, negotiations were said to begin on a replacement. There has been little mention of the talks since then, though. Meanwhile, European officials have been collecting public comment on standard contractual clauses that can be used in place of the shield, which allowed companies to self-certify annually that they would uphold certain principles for protecting personal data, subject to enforcement.

    The Bottom Line

    Data privacy is expected to be a bigger focus of the new U.S. presidential administration, raising the possibility of a comprehensive national policy in 2021. Businesses should also brace for enforcement to ramp up at both the state and national levels.


    [1] “A Look at Where Joe Biden Stands on Key Tech Issues,” S&P Global

    [2] “By Passing Proposition 24, California Voters Up the Ante on Federal Privacy Law,” Brookings Institution

    [3] “BSA Releases Policy Recommendations for Biden-Harris Transition Team,” BSA|The Software Alliance

    [4] “U.S. Chamber Releases Model Privacy Legislation, Urges Congress to Pass a Federal Privacy Law,” U.S. Chamber of Commerce

    [5] “What Could a Biden Administration Mean for Privacy, Cybersecurity?”, International Association of Privacy Professionals

    [6] “Proposition 24,” Government of California

    [7] “Sensitive Personal Information — What Is It and What Does It Mean for California Privacy Rights Act Compliance?,” National Law Review

    [8] “Why Small Businesses Should Ignore California’s Newest Data Privacy Law,” Inc.

    [9] “Inside the Proposed New York Privacy Act,” New York Law Journal


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page