This Privacy Regulation Roundup summarizes the latest major global privacy regulatory development, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.


The Virginia Consumer Data Protection Act Passed on March 2, 2021

Canada USA Europe Rest of World

Type: Regulation
Effective Date: January 1, 2023

Summary: The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021 and will take effect on January 1, 2023. The CDPA establishes principles and obligations for controlling and processing personal data in the state, such as transparency, data minimization, data security, data protection assessment, and data processing agreement. Like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), CDPA grants consumers the rights to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data used for targeted advertising. Although the CDPA creates a 30-day cure period for violations, the Virginia Attorney General has the authority to investigate and to impose civil penalties of up to $7,500 per violation.

Analyst Perspective: Organizations that fall within the scope of the CDPA might need to start the compliance journey by working with business units to understand what and why personal data is collected. Organizations shall conduct and document data protection assessments if sensitive data is processed, data is used for purposes of targeted advertising or profiling, or activities involve the sale of personal data or present a heightened risk of harm to consumers. Establishing a holistic privacy program is recommended to manage privacy risks in a cost-effective manner and address major regulatory obligations with respect to data minimization, third-party management (i.e. data processing agreements), sensitive data processing, and security provisions, etc.

Analyst: Alan Tang, Principal Research Director – Security, Privacy, Risk & Compliance

More Reading:


Attorney General Announces Approval of Additional Regulations That Empower Data Privacy Under the CCPA

Canada USA Europe Rest of World


Type: Regulatory Amendment
Effective Date: March 15, 2021

Summary: When CCPA came into effect on August 14, 2020, some of the law’s provisions were removed to provide time to redraft and clarify requirements for businesses in scope for CCPA. However, the Office of Administrative Law has now approved amendments, effective immediately, that require companies doing business in California to simplify the opt-out process for consumers seeking to prevent the sale of their personal data. Confusing language and unnecessary steps in the opt-out process are now prohibited.

Analyst Perspective: Make your privacy program and policies comprehensible to all. Time and time again, we see that trying to get around consumer-focused privacy requirements is not a viable strategy. Convert your business into a privacy-first organization and take advantage of the market edge it gives you while others are playing catch-up.

Analyst: Logan Rohde, Research Analyst – Security, Risk & Compliance

More Reading:


Commissioner Encouraged by Proposals to Modernize the Public Sector Privacy Act

Canada USA Europe Rest of World


Type: Development
Announcement Date: March 22, 2021

Summary: The Government of Canada recently concluded a public consultation aimed at modernizing Canada’s Public Sector Privacy Act, which has not been substantially updated in nearly 40 years. The consultation elicited three major areas to address with regards to personal information: interpretations and definitions, institutional obligations, and regulatory effectiveness. In response to these themes, the following recommendations were provided:

  • Revised definitions for what constitutes personal information and revised criteria for its lawful collection and use.
  • New obligations to conduct privacy impact assessments (PIAs).
  • Sharing results with the Office of the Privacy Commissioner (OPC) as well as expanding OPC powers to resemble other geopolitical regions (i.e. UK, Australia, New Zealand).

Analyst Perspective: Classify your data and designate someone to monitor compliance to prepare for inevitable changes to Canadian privacy laws. Clearview AI was recently in the headlines for using publicly available personal information for its facial recognition program, a controversy that has since drawn into question the relevance and effectiveness of Canada’s current laws, which do not provide the legal authority to enforce removal of such data. For federal and federal-adjacent institutions, this is a space to watch closely, as new legislation may affect your lawful use of data, regulatory obligations, and more.

Analyst: Cameron Smith, Research Director – Security, Privacy, Risk & Compliance

More Reading:


CNIL Clarifies Cookie Use

Canada USA Europe Rest of World


Type: Regulatory Guidance
Announcement Date: March 18, 2021

Summary: The Commission nationale de l'informatique et des libertés (CNIL), France’s data protection authority, recently published new information on March 18 to clarify its guidelines on cookies and tracking technologies originally published on September 17, 2020. These new guidelines seek to account for the GDPR’s definition of consent and are meant to clarify expectations in advance of the second phase of implementation, effective April 2, 2021.

These clarification documents outline how the CNIL will apply sanctions in response to violations of the GDPR, and they offer best practices for organizations seeking to obtain user consent for cookies and other tracking data. Although the clarification is not formally binding, it provides additional information for organizations in their use of cookies and the granularity of consent organizations must obtain as well as additional details regarding consent methods, cookie banner content, withdrawal of consent, consent exceptions, and other aspects of cookie management.

Analyst Perspective: Ensure your implementation of cookies and tracking technologies adhere to the CNIL September 2020 guidelines to avoid GDPR-noncompliance penalties. CNIL’s clarification documents minimize the possibility of misinterpretation of the guidelines and the subsequent enforcement of GDPR. Nevertheless, all website administrators should take careful note of the changes.

Analyst: Jimmy Tom, Research Advisor – Security, Privacy, Risk & Compliance

More Reading:


New Chinese Provisions Define the “Necessary” Personal Information Mobile Apps Can Collect

Canada USA Europe Rest of World



Type: Regulation
Effective Date: May 1, 2021

Summary: Four departments of the Chinese government have jointly issued a regulation, which will take effect on May 1, 2021, that sets forth new provisions for personal data collection through mobile apps. The National Law Review reports: “Under the Provisions, ‘necessary personal information’ is defined as personal information that is necessary for the regular operation of mobile applications (‘apps’), (i.e., personal information without which apps could not provide their intended basic functions).”

Article 5 of the regulation explicitly lays out 39 app categories of varying functions and services, including map navigation, ride hailing, instant messaging, online shopping, payments, short video, livestream, and mobile games. As an example of category-specific definitions, within map navigation only location, departure, and destination information are considered necessary information under this regulation.

Analyst Perspective: Follow this regulation’s guidance closely if your organization operates mobile apps in China. Because it is the first of its kind in its scope and prescriptive measures, authorities will likely be more focused on this regulation’s enforcement. To comply with this regulation, organizations must:

  • Assess and identify which app category their app falls into.
  • Strictly follow the requirements and minimize personal data collection by capturing only necessary personal information as defined in the regulation.
  • Develop mobile apps to collect the necessary personal information required to access basic functions and services while allowing users to decline to provide data outside what is deemed necessary and continue to use certain apps without obstruction.
  • Update their privacy notices accordingly to be compliant as well as transparent.

Analyst: Alan Tang, Principal Research Director – Security, Privacy, Risk & Compliance

More Reading:


If you have a question or would like to receive these monthly briefings via email, submit a request here.

Related Content

Hide Details

Search Code: 87193
Published: December 11, 2018
Last Revised: February 1, 2021

Social

Get Access

Get Instant Access
To unlock the full content, please fill out our simple form and receive instant access.
Visit our COVID-19 Resource Center and our Cost Management Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019