It’s January, which means two things: New Year’s resolutions being made (and probably already broken), and prognostications for the upcoming year. Given that 2020 was the year in which governments implemented data privacy regulations while more data than ever was being transferred, processed and stored, we thought that we’d get in on the latter with our 2021 predictions. Without further ado, here are Clym’s top 3 predictions for data privacy regulation in 2021:
1. The U.S. Congress will implement a weak federal data privacy regulatory framework.
As we’ve written before, to date the federal government in the US has abdicated any true responsibility regarding federal data privacy regulation. Indeed, the EU-US Privacy Shield Framework, which governed transfer of data across the Atlantic, was deemed to be out of compliance with Europe’s GDPR. As such, many states have taken it upon themselves to enact or consider data privacy regulations for their residents (see below for an updated state-by-state chart from our friends at IAPP). Most notably, California implemented the California Consumer Privacy Act (“CCPA”), and then residents of the state voted to implement more stringent, European-style legislation in the form of the California Privacy Rights and Enforcement Act (“CPRA”).
Given the uncertainty that state-by-state regulations may cause companies, business leaders have called for a federal framework. Meaningful legislation may result; however, it will likely be only a baseline upon which states can implement and enact their own state-specific regulations. Indeed, California’s former Attorney General (and potentially soon-to-be U.S. Secretary of Health and Human Services) testified in November 2020 in front of Congress and requested that state laws not be pre-empted by a federal regulation (meaning that the federal government could set a minimum standard, and then individual states could decide to adopt just the federal standard or layer on additional measures). Instead of simplifying compliance, this will likely make the landscape more complicated.
2. The U.K. will extend its inclusion under GDPR’s regime into 2022
It’s not exactly a hot take to say that someone is going to do nothing. With that said, one of the biggest stories of 2020 was how the U.K. and E.U. were going to navigate Brexit and the related implications of separation. One major part of this transaction left undone was whether data transfers between the U.K. and the E.U. would be considered transfers to a “third” (non-GDPR) country, subject to additional protective measures. When the U.K. left the E.U., the two regions were supposed to have a deal in place by the end of 2020; that didn’t happen. Over the holiday season, the two sides agreed to a four-month extension (with an optional additional two-month extension). Given all the delays related to Brexit, we’re anticipating that no significant agreement will be reached in 2021, and the two sides will still be hashing this all out next year.
3. There will be at least one COVID-related data privacy penalty over $100 million.
Work from home. Contact tracing. Businesses of all kinds going virtual. Given that companies, governments and individuals had to cobble together a quasi-functional existence in suboptimal circumstances in very little time, this migration is ripe for data privacy violations at companies large and small. The awareness created by GDPR has brought global scrutiny to the use of data.
Most organizations are collecting more and more data from varied sources, both offline and online; many companies have not taken the proper precautions to capture, process and store that data in a compliant manner. The biggest tech companies, with the most advanced technologies in the world, have suffered enforcement for data privacy violations; do you really think that smaller ones, or non-tech companies, have it dialed in?
It’s almost unheard of to have a fine of this size, but we expect fines and penalties to scale with the amount of data collected; the real question is whether the legal system will allow organizations to beg for forgiveness due to COVID-19 complications.
4. CCPA class action lawsuits will force at least one company into bankruptcy protection.
One of the most interesting provisions of CCPA is the private right of action; and plaintiffs’ attorneys are ravenous. At first glance, the private right of action doesn’t seem that onerous; the statutory fines for violations are limited to $750 per incident or actual damages. But in order to truly appreciate the possibilities, one needs to understand that one “incident” can be one compromised consumer record. What if a company has 10,000 consumers? What about 100,000? What about a million? Each of those compromised records could be considered an incident. Understand that, and you’ll see how quickly those private rights of action can add up. Even if state regulators won’t enforce CCPA, plaintiffs’ attorneys will be looking for an angle to get paid.
According to a friend of mine, everything in life is 50/50, so either these predictions will happen or they won’t. The only prediction we’re 100% sure of is that data privacy laws will continue to expand in scope and coverage, and businesses will still struggle to comply if they don’t get proper assistance.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.