October 26, 2020

Volume X, Number 300


October 23, 2020


Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19

During COVID-19, in certain areas of the law, we have seen significant flexibility from regulators and government agencies in how they are addressing typical approval processes and/or compliance requirements. In the context of privacy and cybersecurity regulations, largely, regulators are emphasizing that personal privacy and data security are important now more than ever. New information is being collected and used in new ways. Certain data security vulnerabilities may be more prevalent in this work-from-home environment.

The below summarizes the status of enactments, deadlines, and other public comments from regulators surrounding privacy and data security laws globally.

  • California Consumer Privacy Act (CCPA). CCPA became effective January 1, 2020. While the regulations are still not yet final, the Attorney General is permitted to begin bringing enforcement actions on July 1, 2020. Despite urging from various coalitions and trade associations to delay enforcement, a statement from the AG’s office said that CCPA has been in effect since January 1, 2020 and that the agency is committed to enforcing the law starting July 1. The office also “encourage[s] businesses to be particularly mindful of data security in this time of emergency.”

  • 23 NYCRR Part 500. Financial services companies subject to New York’s cybersecurity law typically must file a Certification of Compliance annually by April 15. DFS announced that it has extended its original deadline to June 1, 2020.

  • HIPAA. As we reported on in more detail here, HHS has released a limited waiver allowing for certain PHI disclosures, provided other requirements under the business associate agreement are still met, and the BA informs the covered entity within 10 days after the use or disclosure occurs.

  • Brazil’s Data Protection Law. Brazil’s first comprehensive data protection law – LGPD – was scheduled to become effective August 2020. In early April, the Brazilian Senate approved a bill which would delay the effective date of the law until January 2021. In the bill, fines and sanctions for companies that fail to comply are now scheduled to become effective August 2021. The bill is now with the House of Delegates for consideration and, if approved, will be sent to the President to be signed into law.

  • Global Data Protection Regulation (GDPR). The EDPB has stated that businesses are not exempt from complying with the GDPR and ensuring the protection of personal data “even in these exceptional times.” While there has been nothing to signal that requirements of the laws themselves should be lessened, certain regulators, such as the UK’s ICO, have signaled that when it comes to enforcement, they will take a pragmatic approach in the context of this crisis.

Putting It Into Practice. Organizations should continue to be mindful of the laws that surround the collection, use, and sharing of information both in the US and abroad. While these are extraordinary times, regulators are continuing to signal that privacy and data protection laws still apply (even if certain deadlines may be extended in particular circumstances). For organizations subject to CCPA, a reminder that the AG can consider activity as early as January 1, 2020 when it comes to enforcement.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 115



About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...


Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums.

Ms. Rollins serves as a trusted advisor to her clients, bringing a focused, strategic approach to complex litigation and investigation matters alike. Her clients praise her ability to efficiently and effectively manage complex matters with multiple moving pieces, and to concisely and persuasively communicate the core issues of her clients’ cases to judges, regulators, and opposing counsel. These traits have enabled Ms. Rollins to successfully argue critical motions, procure dismissals, and achieve successful resolutions for her clients.