Washington, D.C. and capitals across the U.S. are bracing this week for what could be a dangerous and chaotic day. The moving trucks have arrived to usher President Donald Trump out of the White House as President-elect Joe Biden prepares to move in. While generally there's celebration and fanfare when a new president takes office, this transfer of power is tainted by threats of growing violence by extremists after a mob attacked the Capitol earlier this month.
While the transition has a nation on edge, the privacy community has reason to look ahead to brighter days, many say. In this week's Privacy Insider, for example, privacy attorney Kirk Nahra repeats a refrain spoken by many once it was clear Biden would win the presidency: This could be a game-changer for U.S. privacy legislation.
As noted in past Privacy Insiders, Vice President-elect Kamala Harris has a solid track record on privacy-forward initiatives, and Biden will likely be incentivized to take action because of increasing pressure to repair a fractured system between the EU and the U.S. on cross-border data transfers. For his part, Nahra predicts a federal privacy bill will be passed by the U.S. Congress within Biden's first four-year term.
But in the interim, much to many organizations' chagrin, states continue to take action on their own. Often referred to as "the laboratories of democracy," the states can move more nimbly than the federal government, crafting rules that satisfy the needs of their local constituencies and don't impede local businesses' ability to compete in the marketplace by imposing stringent restrictions and unfair fines.
The most obvious example of this, of course, is the California Consumer Privacy Act (CCPA). Though it was, well, ripped to shreds during the rulemaking process after it was a signed deal in 2018, it emerged as the new gold standard in the U.S. Some businesses decided to simply allow all of their data subjects the same rights as Californians rather than create complicated data sets and processes. Now, we see other states creating laws that look very similar to the CCPA. Why not basically copy the text that successfully made it through to the governor's desk?
This week's Insider includes a story on the latest state to introduce such legislation: Minnesota. Keep your eyes on legislative movement there, remembering that Washington State and New York are in the throes of pushing their own CCPA-like legislation through their own Congressional hearings.
If states start to pass legislation one after the other in the early half of 2021, it will likely only add pressure on the Biden administration to remedy what many call the dreaded "patchwork" of privacy laws from state to state, an expensive and messy operation for organizations aiming to comply.
Enjoy reading, and we'll see you next week!
Here are the top stories you might have missed:
1. Walmart settles for $10 million over alleged biometric privacy violation
Walmart will pay $10 million in a class-action lawsuit settlement over biometric privacy rights, the Chicago Tribune reports. The store’s former and current Illinois employees who signed on to the 2019 lawsuit, some 21,677 people, could each see “a couple hundred dollars,” the report states. The case stems from a complaint by a former employee who said the store’s requirement that he use a palm-scanning device, without his written consent, to check cash register drawers violated the state’s Biometric Information Privacy Law.
2. Will a Biden administration help accelerate a federal privacy bill?
In an interview with Information Security Media Group, WilmerHale privacy attorney Kirk Nahra says the potential for the U.S. to finally pass a federal privacy law is more likely under a Biden administration and predicts we could see action sooner rather than later. “But ‘soon’ isn't tomorrow. It's not the first priority of the new administration and new Congress,” he said. “My prediction is that there is a reasonable likelihood of a national privacy law during the first term of the Biden administration, but that's four years long.”
3. Minnesota joins list of states aiming to pass privacy bills
JDSupra reports on the ongoing proliferation of privacy bills in U.S. states. While Washington state is currently legislating its third attempt, New York and Minnesota have introduced their own versions. Both of them are similar to California’s Consumer Privacy Act (CCPA), the report states, and “It is expected that CCPA-like legislation will be filed in more states over the coming days.” Minnesota’s bill, enforced by the attorney general and containing a private right of action, would allow consumers to opt out of the sale of their personal information, among other guarantees.
4. Privacy search engine sees massive growth in 2020
Privacy-focused search engine DuckDuckGo increased its average number of daily searches by 62 percent in 2020, USA Today reports, as users increasingly become concerned about online tracking. The company, founded in 2008, doesn’t share user data with third parties. “People are coming to us because they want more privacy, and it’s generally spread through word of mouth,” said DuckDuckGo Vice President of Communications Kamyl Bazbaz.
5. What do I need to know about COPPA?
The Children’s Online Privacy Protection Act is the U.S. law that protects children’s online data. Passed in 1998, its corresponding rule, the COPPA rule, was enacted in 2000 and dictates how the Act must be followed. It requires website operators and online services directed at children under the age of 13 to get parental consent from users before they can collect, use or disclose that information. That phrase, “directed at children,” is an important one. In this primer, learn about COPPA’s requirements and where companies sometimes mess up.
6. European regulators adopt joint opinions on cross-border data-transfer mechanism
The European Data Protection Board and European Data Protection Supervisor have adopted joint opinions on two sets of standard contractual clauses (SCCs). The draft SCCs will replace existing SCCs allowed for cross-border data transfers under the EU General Data Protection Regulation. The changes aim to reinforce data subjects’ data protection rights and provide clarity to data controllers and processors.
7. Health insurer to pay $5.1 million for breach
A health insurer will pay $5.1 million for a breach affecting more than 9.3 million people, Targeted News Service reports. In the incident, hackers installed malware on Excellus Health Plan’s information-technology systems and gained access to health information protected by the Health Insurance Portability and Accountability Act, including names, Social Security numbers, treatment information and bank account information.
8. Brazilian organizations past deadline to appoint data protection officers
ZDNet reports on ongoing developments in Brazil under its newly enacted privacy law. The General Data Protection Regulation (LGPD in Portuguese) requires government organizations to appoint a data protection officer (DPO), a similar mandate to the requirement under the EU General Data Protection Regulation. Approximately 55 percent of government bodies have complied thus far, which Brazil’s Digital Government Secretariat called unsatisfactory.