Privacy Updates for 2021
December 17, 2020 | 7 minutes read
What’s New for 2021
If you thought 2020 was a challenging year for privacy solutions given the pandemic, just wait until 2021, which is expected to be filled with turmoil and upheaval. Businesses around the world will have to prepare for changes to current legislation, as well as new federal laws coming into effect all over the globe. There are many battles to come between privacy advocates and national demands. In 2021, companies can expect an onslaught of rapid changes, compliance dates, and penalties if they are unable to meet the new requirements.
Some things to watch out for are new legislation coming into effect, backdoors in encrypted communications, and new privacy-focused technologies. According to Heidi Shey, principal analyst for security and risk at Forrester Research, the upcoming changes will have companies doing more than just staying clear of penalties. The new strategy will be to become more customer-focused with privacy policies.
“Consumers may not pay attention if there is news of a data breach that was the result of a security incident. There is a greater willingness to forgive those types of things,” she says. “But if your company makes the news because of an unethical practice, or you are using data in the way that people did not expect, then they will have concerns about how else you are using their data.”
While this article can’t cover all the future predictions, the goal is to bring light to some upcoming changes or new policies that privacy professionals and business owners may want to consider as the new year approaches.
Daniel’s Law
A New Jersey law, which will likely become federal law in short order, is Daniel’s Law. It was named for Daniel Anderl, the 20-year-old son of US District Judge Esther Salas, who was shot and killed after someone was able to get her home address off the internet. In New Jersey, this law was passed by a 39–0 vote. The bill prohibits disclosing over the internet the personal data, such as home addresses and phone numbers, of current or retired federal, state, and municipal judicial officers, prosecutors, law enforcement officers, their spouses, and their children.
Changes for the CCPA
In January, businesses will be looking at the first anniversary of the California Consumer Privacy Act (CCPA). Privacy advocates forced the state to take privacy seriously by threatening to have it put on the ballot. It is the first comprehensive data protection law in the United States. It is an effort to provide government regulation of personal information that belongs to citizens and to enforce data security.
Along with the first anniversary, there are some final changes to the law that will impact businesses. Many will require further investment to stay ahead of compliance. All moratoriums on classifying data such as business contact data or employee personal data as personal information subject to CCPA compliance will be coming to a close.
The current CCPA requires companies to give consumers the right to request access to or deletion of their data. It also requires an opt-out mechanism for customers who do not want to be included in third-party sales of data. There are also new notice requirements: easy access to up-to-date privacy policies and a visible “Do Not Sell My Personal Information” link for customer access on every site that collects personal data that is sold.
In October 2020, regulation amendments AB 25 and AB 1355 were signed into law to make some changes. These new amendments create some exceptions for some of the CCPA requirements. Some of these exceptions revolve around privacy rights requests, personal data of employees, and business contacts.
The exceptions were given a sunset provision, and the exceptions for these types of personal information will no longer apply as of January 1, 2021. To comply with the updates, businesses should be assessing and tracking this type of data now and applying the same controls that they use for customer data.
The GDPR – World’s Most Influential
The EU General Data Protection Regulation, or GDPR, is standing tall and looking to become the most influential data protection legislation worldwide. Several other countries have followed its example, and these laws have either taken effect or are in progress. These countries have decided that it is best to have federal-level legislation that protects people’s data constitutionally.
Many more countries are expected to jump on the bandwagon. Is this leading to a global policy? Some privacy advocates believe so. While each country may have different penalties or specifics, the legislation’s basics will be similar across the globe.
According to Gartner’s studies, 65% of the world’s population will have their data covered under modern privacy regulations by 2023, up from 10% today. Over 60 jurisdictions worldwide have enacted or proposed legislation to handle data privacy for their citizens following the introduction of the GDPR in 2018. Some of these areas include Argentina, Australia, Brazil, Egypt, India, Indonesia, Japan, Kenya, Mexico, Nigeria, Panama, the US, Singapore, and Thailand.
Watch for new changes on the horizon during 2021 and beyond as the GDPR sets the example. Getting to a unified global standard will help businesses compete worldwide and modernize their data handling processes.
Russian Federal Law on Personal Data
Russia? Yes, Russia has had a federal privacy law (No. 152-FZ) since July 2006. The basic premise of the Russian privacy law is that it requires that data operators take “all the necessary organizational and technical measures required for protecting personal data against unlawful or accidental access.”
As of January 2021, the law will require the addition of a specific Russian software package. Federal law No. 425-FZ was passed in December 2019. It was slated to come into effect in July 2020, but perhaps due to the COVID-19 pandemic, the decision was made to push the start date back to January 1, 2021. Businesses in Russia will now be required to have a pre-installed software package to monitor their data protection strategies.
Australia’s Privacy Act
Australia passed its federal privacy act in 1988. It has been updated several times to keep up with technology. Australia is looking to overhaul and make some changes to its data privacy laws for 2021. The changes will include a focus on consent and an expanded definition of personal identifiers like cookies and other tracking technologies. Anna Johnston, Principal of Salinger Privacy and considered one of the most respected experts in Australian privacy law, has noted that she has seen signals in some speeches of privacy leaders questioning the legality of collecting personal data in trade for customer loyalty schemes, tracking customers, ad targeting and tech profiling. “They’ve actually started to query if some of that kind of tracking and profiling behavior breaches Australian privacy principle 3.5, which is the rule that says collect only by fair means. Especially if the practices are opaque – so consumers don’t actually know what’s going on.” It looks like more stringent consent rules are on the horizon.
Japan Initiates Protection of Personal Information
Technically savvy Japan has had protections for personal data for some time; however, in June 2020, an amendment to the law was passed. It may take effect in the last quarter of 2021, though the date has not yet been clearly defined. Under the amendment, the data will be made available to the “subjects,” and the previous 6-month rule that gave an exception to data destroyed or removed after six months will no longer apply. The new amendment will make privacy rules easier for individuals to understand and access the information being collected about them.
South Korea Joins the Privacy Revolution
South Korea has made some significant updates to its privacy laws for 2021. One of the important changes is that the regulator will ban what is known as “privacy coins” or “bitcoin.” It was decided that this type of currency has a high chance of abuse and fraud. South Korea’s financial services department will start requiring exchanges to confirm the real identity of their users. South Korea has taken a negative view of this type of currency, denoting them as “dark coins.”
South Korea’s Personal Information Protection Act prohibits local firms from asking users for specific data such as social security numbers or other personally identifiable data. This new change requires particular financial institutions to obtain this information, which some privacy advocates are declaring goes against the previous legislation and is a no-go. The amendment will, of course, go into effect in March 2021. South Korea wants privacy, but it does not wish to allow criminal activity.