Data privacy laws in 2021

Introduction

2020 has brought several important developments in the field of data protection legislation. In particular, the California Consumer Privacy Act (CCPA) went into effect in the United States in January, and the Court of Justice of the European Union (CJEU) ruled in the Schrems II case that the EU-US Privacy Shield of the European Commission was invalid, which effectively ended the free data flows between the United States and the European Union.

As we enter 2021, the shadow of these important developments looms over the field of data privacy, as the Schrems II judgment of the Court of Justice of the European Communities shows that the legalization of the transfer of sensitive personal data outside of the EU is more than just paperwork.

At the same time, China will pass its first comprehensive data protection legislation this year, and one of its main concerns is also cross-border transmission. Several other countries/regions will implement or revise their data privacy laws in 2021, and the UK has lost its privileges for the free flow of data in Europe.

The General Data Protection Regulation (GDPR)

The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). GDPR is the most well-known law and was the first one for data protection. Then other countries followed it to make their own laws. It manages the collection, use, transmission, and security of data collected from any of the 28 member states of the European Union.

This law applies to all EU residents, regardless of where the entity that collects the personal data is located. Organizations that do not comply with the GDPR can be fined up to € 20 million or 4% of total global turnover. Some important requirements of the GDPR include:

Consent

The data subject (the customer in the Shopify case) must be able to give clear and explicit consent before collecting personal data. Personal data includes information collected through the use of cookies. Certain information that is not normally considered “personal information” in the United States, such as the IP address of the user’s computer, is considered “personal data” under the GDPR.

Notification of data breach

In most cases, if there is a data breach that affects the user’s personal information, the organization must notify the supervisory authority and the data subject within 72 hours.

Data subject rights

Data subjects (the persons whose data is collected and processed) have certain rights over their personal information. These rights must be communicated to the interested party through a clear and easily accessible privacy policy on the organization’s website.

1. The right to be informed. When obtaining data, the data subject must be informed of the collection and use of personal data.
2. The right to access their data. A data subject can request a copy of their personal data via a data subject request. Data controllers must explain the means of collection, what’s being processed, and with whom it is shared.
3. The right of rectification. If a data subject’s data is inaccurate or incomplete, they have the right to ask you to rectify it. 
4. The right of erasure. Data subjects have the right to request the deletion of personal data related to them for certain reasons within 30 days.
5. The right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data (though you can still store it).
6. The right to data portability. Data subjects can safely transfer their data from one electronic system to another at any time without interrupting its availability.
7. The right to object. Data subjects can object to how their information is used for marketing, sales, or non-service-related purposes. The right to object does not apply when performing legal or official authorization, performing public interest tasks, or when an organization needs to process data to provide you with the services you registered.

Learn more about them here.

California Consumer Privacy Act (CCPA)

The most comprehensive state data privacy legislation to date is the California Consumer Privacy Act (CCPA). The CCPA became law on June 28, 2018, and entered into force on January 1, 2020. Similar to the EU General Data Protection Regulation, the CCPA creates a number of privacy rights for consumers of California, as well as the obligations of companies that collect information and handle personal information.

The CCPA implementing regulations were approved in August 2020. However, the California Attorney General (AG) proposed changes to the regulations in October and December 2020. Although the Attorney General has not yet initiated CCPA enforcement actions, dozens of lawsuits have been filed to file claims under the Act’s limited private litigation rights.

California Privacy Rights Act (CPRA)

Less than a year after the CCPA came into effect, California passed another consumer privacy law: the CPRA. The California Privacy Act (CPRA) is a statewide data privacy act that became law on November 3, 2020, setting off a new wave on the Pacific border of US data protection. The California Privacy Rights Act (CPRA) will come into effect on January 1, 2023, and will be fully applicable on July 1, 2023. The retrospective period starts on January 1, 2022.

In short, the California Privacy Rights Act (CPRA) functions as an appendix to the CCPA: it strengthens the rights of California residents, tightens business regulations on the use of personal information (PI), and establishes a new statewide government mechanism. The data privacy enforcement agency of the California Privacy Protection Agency (CPPA) is one of the key changes in the Golden State data privacy system.

Privacy Rights

Belo is the California Privacy Rights Act (CPRA) breakdown.

• CPRA establishes the California Privacy Protection Agency (CPPA) as the lead enforcer and supervisor of the CPRA/CCPA data privacy regime.
• CPRA changes the definition of a business to exclude smaller businesses and includes bigger businesses that generate a large income from the collection, sharing, and/or selling of Californians’ personal information (PI).
• CPRA empowers California residents with four brand-new rights and five modified rights.
• CPRA creates a new category of sensitive personal information (SPI) that is regulated separately and stronger than personal information (PI).
• CPRA changes the opt-out right to specifically regulate cross-contextual behavioral advertising and its use of personal information.
• CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place.
• CPRA adds GDPR-like provisions to the CCPA.
• CPRA expands the requirement for consent to cover more scenarios.

Virginia’s Consumer Data Protection Act (CDPA)

On March 2, 2021, Virginia became the second state in the United States to enact comprehensive privacy legislation. The Virginia Consumer Data Protection Act (CDPA) relies heavily on existing laws, such as the California Consumer Privacy Act (CCPA) and its extensions to the California Privacy Act (CPRA), and the European Union’s General Data Protection Regulation (GDPR). The Virginia CDPA program takes effect on January 1, 2023, on the same day as CPRA.

Virginia’s CDPA applies to all entities “who conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either:

1. control or process personal data of at least 100,000 Virginia residents, or
2. derive over 50% of gross revenue from the sale of personal data (though the statute is unclear as to whether the revenue threshold applies to Virginia residents only) and control or process the personal data of at least 25,000 Virginia residents.

Colorado Privacy Act (CPA)

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (“CPA”), making Colorado the third state after California and Virginia to pass comprehensive privacy legislative status. of the consumer. CPA will take effect on July 1, 2023.

It will also give Colorado residents the right to choose not to process their personal data for targeted advertising, sales of their personal data, and analysis to facilitate decisions that have a significant or similar legal impact on consumers. To ensure that they are prepared to comply with the CPA, many companies should be able to take advantage of the compliance measures they have established for California and Virginia laws to a large extent.

The CPA provides five main rights for the consumer:

Right of access. Consumers have “the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.”

Right to correction. Consumers have “the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”

Right to delete. Consumers have “the right to delete personal data concerning the consumer.”

Right to data portability. Consumers have “the right to obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.”

Right to opt-out. Consumers have “the right to opt-out of the processing of personal data concerning the consumer for purposes of:

• targeted advertising;
• the sale of personal data, or
• profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

While this right to opt-out is not substantially different from other bills this year, the CPA’s opt-out procedure is. The CPA requires the controller to provide consumers with the right to opt-out and general opt-out options so that consumers can click a button to exercise all of their opt-out rights.

The right to appeal. Like the CDPA, the CPA also gives consumers the right to appeal the company’s refusal to take action within a reasonable period of time. According to the CPA, companies must respond to consumer requests within 45 days of receiving consumer requests, and can then extend the deadline for another 45 days if reasonably necessary. When a business elects to extend this timeframe, it must notify consumers within the initial 45-day response period.

New York SHIELD Act

In July 2019, New York passed the “Stop Hacking and Improve Electronic Data Security (SHIELD) Act.” The law modifies New York’s existing data breach notification law and sets more data security requirements for companies that collect information about New York residents.

From March 2020, the law is fully applicable. The law expands the scope of consumer privacy and provides better protection for the personal information data leakage of New York residents. The SHIELD Act requires any individual or business (“covered business”) that owns or is licensed computerized data (including the private information of New York residents) to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the Private information.

Private Information means:

1. A username or email address and password or security questions and answers, which allow access to online accounts; o
2. Personal information (that is, any information related to a natural person, due to name, number, personal logo, or other identification, Any information that can be used to identify the natural person) consists of any information and one or more of the following combinations to form a data item. When the key is encrypted: (1) Social security number; (2) Driver’s license number or non-driver identification number; (3) Account number, credit card or debit card number, combined with any required security code, access code, password or other information will allow access to the personal financial account; (4) Account number, credit or debit card number, if there is a situation where the number can be used to access the personal financial account without additional identifying information, security code, access code or password; (5) Biometric information.

Other State data privacy laws

Although there is no general federal legislation that affects data protection, there are many federal data protection laws that target specific industries or focus on specific types of data. California and New York were the first states to enact extensive legislation to have a national impact, but many other states in the United States are also considering data privacy laws. They will not look identical to CCPA or SHIELD bills but may contain similar requirements for specific state needs.

The Massachusetts legislature is reviewing several bills related to the protection of biometric information, and some states, including New Hampshire and Virginia, have introduced comprehensive privacy bills. Although Washington’s Privacy Act failed in 2019 and 2020, a new version of the bill is likely to be introduced in 2021. Connecticut’s Insurance Data Security Act went into effect on October 1, 2020. The Department of Connecticut Insurance issued a law in July 2020 with guidelines for law enforcement.

Brazil’s General Law for the Protection of Personal Data (LGPD)

Brazil’s Lei Geral de Proteção de Dados (or LGPD) provided much-needed clarification to the Brazilian legal framework. LGPD attempts to unify more than 40 different regulations that currently manage personal data online and offline by replacing certain regulations and complimenting others. The unification of previously different and often contradictory regulations is just a similarity between this and the EU General Data Protection Regulation and was clearly inspired by it.

On August 26, the Brazilian Senate decided to make the LGPD active on Thursday, August 27, 2020. So Brazil’s LGPD data privacy law is already in effect. The Brazilian data protection agency Autoridade Nacional de Proteção de Dados (ANPD) was also established on August 26 but has not been active until the appointment of its board of directors by Brazilian President Jair Bolsonaro on Monday, November 9. The administrative sanctions of the LGPD will not be implemented until August 1, 2021. However, civil lawsuits based on LGPD can be initiated and executed immediately, in fact, the Ministry of Public Affairs of the Federal District of Brazil has filed a lawsuit against LGPD violations.

Article 18 is another section of the LGPD that will look familiar to businesses that have dealt with GDPR compliance. It explains the nine fundamental rights that data subjects have, which include:

• The right to confirmation of the existence of the processing;
• The right to access the data;
• The right to correct incomplete, inaccurate, or out-of-date data;
• The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
• The right to the portability of data to another service or product provider, by means of an express request
• The right to delete personal data processed with the consent of the data subject;
• The right to information about public and private entities with which the controller has shared data;
• The right to information about the possibility of denying consent and the consequences of such denial; and
• The right to revoke consent. 

Fines

The fines under LGPD are much lighter. Article 52 stipulates that the maximum fine for infringement is “2% of the previous fiscal year’s income of a Brazilian private legal entity, group or joint enterprise, excluding taxes, and the maximum total is 50 million reals” (this works out to roughly €11 million). The LGPD fine is consistent with GDPR fines for less serious violations, but 11 million euros will not affect the world’s largest data processor.

Importance of privacy policies 

Any website should have a privacy policy that explains to its users what information is collected, how to use it, how to share it, and how to protect it. Shopify provides a privacy policy generator for your store but in most cases, you need to modify the content of the policy to apply to your needs and the way you use any information on your business.

To fully comply with the data protection laws of the United States and the European Union, all data subjects should have the opportunity to agree to the collection of personal information. Although users will voluntarily provide a lot of information about users when they subscribe to newsletters, fill out forms, or submit email requests, they must also disclose information collected from third parties and through the use of cookies and must provide users with the opportunity to You agree to block or disable cookies.

Data privacy law compliance with Pandectes GDPR Compliance

With our application, you ensure you are in compliance with the GDPR and other data privacy laws. It provides a cookie manager, cookie compliance & data subject requests portal. You can modify the banner and its behavior based on your needs and based on the rules you want to apply.

Almost all the processing of personal data and confidential information on your Shopify store is done through cookies and trackers. They also share user data with third parties such as Google and Facebook.

Pandectes GDPR Compliance is based on a powerful scanner, which can find and control all cookies and trackers on your store, and provide your end users with automatic and fine-grained consent and opt-out solutions, which are plug-and-play in deployment. The true compliance and data protection brought to your store come directly from the cloud making the application perform in the best way without affecting your store loading time.