2022 is gearing up to be another pivotal year for data privacy. Organizations, both large and small, will have to prepare for newly enacted laws and regulations and increased regulatory enforcement. A flurry of domestic and international regulatory action is expected in 2022, so we have highlighted five significant key areas of focus.
Comprehensive State Privacy Laws
When it comes to U.S. state privacy laws, considerable preparation will be needed in 2022 in order to comply with the laws that come into effect in 2023. On January 1, 2023, the California Privacy Rights Act of 2020 (CPRA) and the Virginia Consumer Data Protection Act (VCDPA) come into effect, closely followed by the Colorado Privacy Act (CPA), which comes into effect on July 1, 2023. We’ve outlined each of these states’ newly enacted laws below to help you identify whether they will apply to your business.
The CPRA amends the California Consumer Privacy Act of 2018 (CCPA) and will apply to for-profit “businesses” that collect personal information from California residents, do business in the state of California and either (1) had $25 million or more in annual revenue during the prior calendar year; (2) buy, “sell” or “share” the personal information of 100,000 or more consumers or households; or (3) earn at least half of their annual revenue by “selling” or “sharing” consumers’ personal information. Importantly, the CPRA expands the definition of covered businesses: the CCPA limited its scope by applying only to businesses that share personal information “for commercial purposes.” The CPRA has removed the “commercial purposes” qualifier and will now apply to businesses that merely share the personal information of 100,000 or more consumers or earn at least half of their annual revenue by sharing consumers’ personal information.
The VCDPA will apply to organizations that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
The CPA will apply to organizations that do business in Colorado and either (i) process or control the personal data of 100,000 or more Colorado residents or households in a calendar year, or (ii) derive revenue or discounts from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents or households.
All three states include varying exemptions in their privacy laws, for example excluding non-profit organizations from their remit and excluding certain data covered by federal laws such as HIPAA and GLBA. Once an organization identifies whether it is subject to these laws, it will need to implement various operational mechanisms to comply with them, including responding to data subject requests, conducting privacy risk assessments and analyzing the transfer of personal data to third parties.
Recent actions of the European Data Protection Board (EDPB) and the Federal Trade Commission (FTC) indicate that the privacy aspects of AI and machine learning will be under increasing focus in 2022.
In June 2021, the EDPB and European Data Protection Supervisor (EDPS) issued a joint opinion to address the data protection implications of AI. The joint opinion aimed to, among other things, (1) harmonize the rules surrounding AI; and (2) identify certain risk areas and prohibit certain uses of AI.
With regard to harmonizing rules surrounding AI, the joint opinion aims to set up a legal framework that aligns with existing laws and regulations, such as GDPR. Primarily, this includes identifying the appropriate legal basis for AI use, ensuring data subject rights are not infringed upon, and promoting transparency in how companies use AI technologies to process personal data. The joint opinion also sets out to identify certain uses of AI that present high levels of risk, focusing on those that may impact human dignity, such as police observation, social scoring and remote biometric identification. In all of these cases, the joint opinion aims to limit these uses to ensure that the private aspects of people’s lives are not intruded upon and to avoid discriminatory effects.
Similarly, the FTC has announced that it is considering rulemaking on the commercial use of AI. The FTC has many of the same concerns highlighted in the EDPB and EDPS’ joint opinion. The FTC’s primary goal (and authority) is to curb unfair and deceptive practices. In keeping with this directive, it wants to ensure that the outcomes of AI use remain fair and ethical, and that commercial use of AI remains transparent, which includes notifying consumers of the types of data used and the purpose of AI use.
Regulations related to AI are still very much in the infancy stage, but clearer guidelines and restrictions from regulatory authorities are quickly approaching.
Global Dealmaking and Due Diligence
Over the past few years, there has been an increased emphasis on privacy due diligence in corporate transactions and global dealmaking. This increased emphasis is due to three main factors: (1) an increase in privacy-related laws and regulations; (2) the costs and fines related to non-compliance with such laws and regulations; and (3) heightened public concerns around the uses of personal data.
International Data Transfers
Cross-border data transfer will continue to be a hot topic in 2022 due to recent guidelines published by the EDPB and the implementation of China’s new privacy law, the Personal Information Protection Law (PIPL).
The guidelines published by the EDPB clarify the criteria for data transfers that occur pursuant to GDPR. First, the EDPB made clear that personal data collected by a non-EU organization directly from data subjects is not considered a data transfer (and therefore does not require a transfer mechanism as required by GDPR). Second, and perhaps most importantly, the EDPB has identified the three criteria that qualify a processing activity as being a transfer:
A controller or a processor is subject to the GDPR for the given processing.
This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data subject to this processing available to another controller, joint controller or processor (“importer”).
The importer is in a third country or is an international organization, irrespective of whether or not this importer is itself subject to the GDPR in respect of the given processing.
The above criteria clarify a few points. First, a transfer of personal data to a non-EU importer that is itself subject to GDPR is still considered a transfer. While this is still a transfer for GDPR purposes, the EDPB recognizes that fewer protections are needed given that the importer is already subject to GDPR, and as such the European Commission will publish updated standard contractual clauses that contemplate this type of transfer. Second, a transfer of personal data by an EU processor back to a non-EU controller is also considered a transfer. This second point is not entirely surprising given the extraterritorial scope of GDPR, and the new processor-to-controller SCCs (published in June 2021) contemplate such transfers.
Further, cross-border transfers that involve the personal data of Chinese data subjects will also be subject to heightened scrutiny. Certain companies, depending on the size of the company and the type and quantity of personal data transferred, will be subject to the PIPL’s security assessment requirement, which includes identifying potential risks, ensuring proper safeguards are in place and entering into data processing agreements that address the protection, security and liability surrounding the processing of personal data.
Privacy of Children’s Data
Enforcement in the children’s privacy space has continued to increase. The FTC, in general, has put greater emphasis on data privacy, which has included the continuation of its analysis of public comments related to the Children’s Online Privacy Protection Act (COPPA). As a refresher, COPPA aims to protect the personal information of children under 13 years old. While the FTC is reviewing COPPA to ensure its protections are robust enough for today’s privacy climate, it has also been active in its enforcement actions. For example, an online advertising platform was recently subject to a two-million-dollar fine for failing to collect consent from parents for the processing of their children’s personal information. A second company (an operator of a coloring book app) settled with the FTC for the misuse of children’s personal information, which involved the use of such personal information for behavioral advertising purposes.
Similarly, under the GDPR, the Irish Data Protection Commission has also published guidance on the processing of children’s personal data. While the guidance outlines several fundamentals, there are a few key aspects that companies should pay attention to. First, it directs companies to know their audiences. This means companies should take steps to identify their users and, if these users will be children, ensure that child-specific data protection measures have been implemented. Second, when a company directs its products or services to children, it should ensure that any notice is concise, transparent and intelligible. This does not differ from GDPR’s general requirements regarding notice to individuals, but it is especially important when the information is specifically addressed to children.
The above is just a snippet of the regulatory hurdles that organizations face in 2022. As states and countries adopt new laws, increase enforcement and attempt to navigate new technology and trends, organizations will need to adopt a comprehensive and sophisticated approach to identify risk areas and maintain compliance.
Aaron A. Ogunro also contributed to this article.