
Five Things to Know About Privacy and Data Security in 2022


Privacy and data security concerns for businesses continue to multiply. Here are five developments that should be on your radar for 2022:

1. The state-by-state patchwork of comprehensive privacy laws continues to grow

Twenty-three states introduced privacy bills in 2021 and additional states are expected to enact comprehensive privacy laws in the coming years. Three new laws become effective in 2023:

  • The California Privacy Rights Act (“CPRA”) becomes effective January 1, 2023 and amends the already-existing California Consumer Privacy Act (“CCPA”). Both laws apply to for-profit businesses that do business in California and meet at least one of three other criteria. As revised by the CPRA, the three criteria are:
    • Annual gross revenues of at least $25MM;
    • Buy, sell, or share personal information of at least 100,000 consumers or households (up from 50,000 consumers, households, or devices under the CCPA); or
    • Derive 50% or more of their revenue from selling or sharing consumers’ personal information (the CCPA did not include the reference to “sharing”).
  • The Colorado Privacy Act (“CPA”) becomes effective July 1, 2023 and applies to any entity (unlike the CCPA and VCDPA, it does not exempt nonprofits) that does business in Colorado or targets products and services to Colorado residents and either:
    • Controls or processes personal data of at least 100,000 consumers; or
    • Derives revenue (or receives a discount) from the sale of personal data and controls or processes personal data of at least 25,000 consumers.
  • The Virginia Consumer Data Protection Act (“VCDPA”) becomes effective January 1, 2023 and applies to businesses that do business in Virginia or produce products or services targeted to Virginia residents and either:
    • Control or process personal data of at least 100,000 consumers; or
    • Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Each of these laws provides consumers with certain rights to protect their personal data (such as the right of access, the right of portability, and certain opt-out rights) and requires that businesses disclose their privacy practices to consumers and have contractual arrangements in place with their contractors and service providers to protect consumers’ personal data.

How a business collects, stores, uses, and shares personal data are topics that demand increasing attention. While the three states listed above have already adopted comprehensive privacy laws, many other states are considering them. In the absence of preemptive federal legislation, the state laws that are adopted are likely to include dissimilar, if not outright conflicting, provisions. Businesses across the country should keep privacy and data security front-of-mind when contracting with vendors, planning new products or services, or scoping any technology or infrastructure reconfiguration or upgrade.

2. Google Analytics has privacy and data security implications

Businesses that use Google Analytics should be aware of how their use of this product affects their privacy policy. The Google Analytics Terms of Service (to which every business that uses Google Analytics agrees) require users to (i) comply with all applicable laws (see item 1 above on evolving state laws), (ii) adopt an appropriate privacy policy that discloses how the business collects data, (iii) comply with Google Analytics’ policies, and (iv) disclose in the business’s privacy policy the use of Google Analytics and how Google Analytics collects and uses personal data.

Businesses subject to the European Union’s General Data Protection Regulation (“GDPR”) should also be aware of challenges to Google Analytics across the EU. In decisions issued on January 13 and February 10, 2022, respectively, the Austrian and French data protection authorities held that the websites under review violated the GDPR by using Google Analytics, because the tool transferred visitors’ personal data to Google in the United States without safeguards adequate to protect that data from access by U.S. authorities. Several similar complaints are pending in other EU jurisdictions. These cases could have a significant effect on the use of Google Analytics (or, for that matter, any analytics tool that sends data outside the EU) on websites available to users in the EU.

3. There are new Standard Contractual Clauses for exporting personal information to the United States from the European Economic Area or the United Kingdom

The European Commission adopted new Standard Contractual Clauses (“SCCs”) that create “appropriate safeguards” for GDPR-protected personal data transferred out of the European Economic Area. (The EEA consists of the 27 EU countries plus Iceland, Liechtenstein, and Norway.) The updated SCCs apply to new contracts entered into after September 27, 2021; existing contracts incorporating the prior version of the SCCs must be updated by December 27, 2022. Unlike the prior SCCs, the new SCCs are lengthy, modular documents: the parties must select the module that matches their roles (controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller) and complete annexes describing the transfer and the security measures that protect the data.

The UK, which is no longer part of the EU as a result of Brexit, has its own version of the GDPR (the “UK GDPR”) that applies to personal data of persons in the UK. For transfers of such data out of the UK, the UK’s Information Commissioner’s Office (“ICO”) has developed the International Data Transfer Agreement (“IDTA”) to be used in lieu of the EU’s SCCs. For transactions involving the transfer of personal data out of both the EU and the UK, the ICO also developed an “Addendum” to the EU’s SCCs, so these transactions can be documented with the EU SCCs and the UK Addendum rather than the SCCs and a full IDTA. The UK is a little behind the EU’s timing: the IDTA and Addendum were laid before the UK Parliament on February 2, 2022 and, assuming no objections are raised, will become effective March 21, 2022 and mandatory for transactions entered into after September 21, 2022. Pre-existing contracts will need to be updated by March 21, 2024.

The substantive provisions of the SCCs and the IDTA are non-negotiable, although there are some clauses and annexes that present options. Businesses that are using these documents should seek counsel regarding the obligations they create.

4. Data Processing Agreements seem to be everywhere

Increasingly, businesses are being asked by their customers and other counterparties to sign Data Processing Agreements (“DPAs”) that protect both personal information and proprietary business information. Typically, these agreements contain an extremely broad definition of “Data Protection Laws,” which may include laws with which the party being asked to sign is not familiar. The DPA may also apply to information that will be delivered to and held by a subcontractor, where the business signing the DPA may never take possession of the information. If that’s the case, the business signing the DPA should have a contract in place with its subcontractor under which it can require the subcontractor to comply with the requirements of the DPA.

Businesses that are being asked to sign customers’ DPAs should think through (i) what information is protected under the DPA, (ii) whether the business can fulfill the obligations contained in the DPA (including any obligations that would need to be performed by a subcontractor), and (iii) whether the business should be requiring its subcontractors to sign DPAs that will make it easier for the business to sign the DPAs being requested by its customers.

5. Data breaches continue to pose a serious threat

As businesses rely ever more heavily on networked systems, the opportunities for cybercrime have multiplied. Identity theft, phishing scams, DDoS attacks, ransomware… the list goes on and on. One of the most common security breaches we have seen repeatedly over the last several months is business email compromise: the threat actor impersonates (or takes over) a legitimate employee’s email account and uses it to redirect customers’ payments to an account the threat actor controls. This type of attack can be expensive and frustrating for all parties, but there are things both vendors and customers can do to protect themselves. The single most effective control is procedural: confirm any change in payment instructions by calling the counterparty at a number already on file, never at a number supplied in the email requesting the change.
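The payment-redirection scheme described above is usually called business email compromise. As an added example (not from this article or from the firm), the Python script below applies three heuristics to incoming mail that catch the common variants: a sender or Reply-To domain that is a lookalike of a trusted vendor domain, a Reply-To address that diverges from the From address, and body text requesting a change in banking or remittance details. TRUSTED_DOMAIN and the three sample messages are constructed for illustration. Note that when the attacker controls the employee’s real mailbox, only the last two checks can fire, which is why out-of-band verification of payment changes remains necessary.

```python
"""Heuristic triage of inbound mail for payment-redirection (BEC) attempts.

Added example, not from the original article. TRUSTED_DOMAIN and the sample
messages in SAMPLES are constructed for illustration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-vendor.com"  # assumption: the vendor's genuine domain

# Character substitutions attackers use when registering lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Phrases that signal a request to change where money is sent.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|payment|remittance)\b",
    re.IGNORECASE | re.DOTALL,
)


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse confusable substitutions."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-typo-away domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True if `domain` is not `trusted` but is designed to be mistaken for it."""
    domain = domain.lower()
    if domain == trusted:
        return False
    if normalize(domain) == normalize(trusted):
        return True  # differs only by confusable characters (examp1e-vendor.com)
    if edit_distance(domain, trusted) <= 1:
        return True  # one typo away (example-vendors.com, example-vendor.co)
    # Same registrable label under a different TLD (example-vendor.net)
    return domain.split(".")[0] == trusted.split(".")[0]


def domain_of(header_value) -> str:
    """Extract the domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if is_lookalike(from_dom, trusted):
        findings.append("lookalike_sender_domain")
    if reply_dom != from_dom:
        findings.append("reply_to_mismatch")  # replies silently go elsewhere
        if is_lookalike(reply_dom, trusted):
            findings.append("lookalike_reply_to_domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE.search(text):
        findings.append("payment_change_request")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": """\
From: Accounts Payable <ap@example-vendor.com>
To: buyer@customer.example
Subject: Invoice 4471

Attached is invoice 4471. Terms unchanged, net 30.
""",
    "lookalike_reply_to": """\
From: Jane Doe <jane.doe@example-vendor.com>
Reply-To: Jane Doe <jane.doe@examp1e-vendor.com>
To: buyer@customer.example
Subject: RE: Invoice 4471 - banking update

Please note our new bank account for all future wire payments.
""",
    "typo_domain": """\
From: Jane Doe <jane.doe@example-vend0r.com>
To: buyer@customer.example
Subject: Updated remittance details

We have updated our remittance information; see attached.
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage(raw) or 'no findings'}")
```

The three checks are deliberately cheap so they can run at the mail gateway or in a ticketing hook; a hit should route the message to a human who performs the phone verification rather than to an automatic block, since legitimate vendors do occasionally change banks.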

Privacy and data security considerations are evolving rapidly, with high customer expectations, varied state, federal, and international laws, and ever more creative cybercriminals.

Please call your Hinckley Allen lawyer if you would like our assistance with your privacy policy, data security, vendor contracts, DPAs, or other privacy or data security needs.

