Data Security and Privacy Developments in 2019 and Looking Ahead to 2020

Individuals and companies alike continue to be impacted by the ever-evolving data security and privacy landscape. Laws continue to be enacted or strengthened, while enforcement actions provide some clarity regarding compliance obligations.

Recent State Law Developments (New York, California, Nevada, Washington and Oregon)

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act or “Act”) takes effect on March 21, 2020. It expands data breach notification requirements, strengthens Attorney General oversight and imposes a requirement that “reasonable safeguards” be used to protect certain information of New York State residents. Significantly, the Act seeks to apply even to individuals and companies that are located outside of New York State.

Meanwhile, New York State’s Identity Theft Prevention and Mitigation Services Act took effect on September 23, 2019. It requires consumer credit reporting agencies to offer identity theft prevention or mitigation services for up to five years at no cost to consumers if information such as Social Security numbers was breached or is reasonably believed to have been breached.

California continues to set the bar on privacy laws. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. As companies finalized compliance strategies towards the end of the year, seven amendments were signed into law that create limited exemptions and clarify certain provisions. The California Attorney General also released his highly anticipated draft regulations for CCPA implementation, which was closed to public comment in December. A new ballot initiative, named the California Privacy Rights and Enforcement Act of 2020 (CPRA), however, seeks to amend the CCPA and may have significant impact on CCPA requirements.

In Nevada, as of October 1, 2019, a new law requires certain online data collectors to permit consumer opt-outs from the sale of their personal information. Both Washington State and Oregon also amended their data breach notification laws. Washington’s amended law, taking effect on March 1, 2020, expands the definition of personal information, shortens the deadline to notify consumers affected by a data breach and adds notification obligations. Oregon’s law, which took effect on January 1, 2020, expands breach notification obligations.

GDPR Enforcement Trends

Since the General Data Protection Regulation (GDPR) took effect in May 2018, enforcement actions have been on the rise, focusing on, among other things, digital marketing practices, data access rights and transparency. There have been varying approaches to extraterritorial enforcement, but it is clear that even companies solely located in the United States should continuously track enforcement and evaluate their compliance strategies.

Looking Ahead to 2020

Law-making and regulatory enforcement are not expected to die down in 2020, but a comprehensive federal law remains unlikely. Significant laws passed in 2019 will take effect in 2020, and there are numerous states with pending data privacy legislation, particularly with respect to biometric data and blockchain-based technologies. In Europe, the ePrivacy Regulation (impacting electronic communications, cookies and online advertising) has stalled, but continues to be negotiated. Accordingly, enforcement efforts are likely to be on the rise in the coming year. Indeed, some authorities are beginning to look at the antitrust implications of data privacy issues.

Legal requirements as well as the threat landscape are increasingly complex and can become overwhelming even for the most sophisticated companies. Consequently, companies should prepare for the challenges ahead with the assistance of legal counsel who are well versed not only in the law, but also cutting-edge technology, and understand how to balance compliance obligations with business needs.

Anna Mercado Clark, CIPP/E is a partner at Phillips Lytle LLP and leader of the firm’s Data Security & Privacy and E-Discovery & Digital Forensics Practice Teams. She can be reached at aclark@phillipslytle.com or (716) 847-8400, ext. 6466.

Jeffrey D. Coren is an attorney at Phillips Lytle and a member of the firm’s Data Security & Privacy Practice Team. He can be reached at jcoren@phillipslytle.com or (716) 847-7024.