2021 Privacy Law Checklist for Your Business

Privacy Law

Fast-changing data privacy laws and regulations govern how companies must obtain and protect personally identifiable and other sensitive information.  The challenge is to establish and maintain compliance up front, because addressing such issues only after a notice of noncompliance typically means exorbitant expense and penalties.

January 28th is recognized as International Data Privacy Day in the United States and over 47 other countries.  The purpose is to raise privacy law awareness, and promote privacy and data protection best practices.  The day serves as an annual reminder for companies to re-evaluate their data privacy and security practices to ensure compliance with current standards and to prepare for coming changes in privacy and data protection laws.

With that in mind, below are significant changes and other issues relating to data privacy and cybersecurity to consider in 2021 and beyond.


  • Changes to the CCPA (California Privacy Rights Act (CPRA), Proposition 24). In November 2020, California voters passed Prop. 24, which amends the California Consumer Privacy Act (CCPA), in effect since January 1, 2020, into a more comprehensive privacy regime. Most of the CPRA's changes take effect January 1, 2023, but they include a look-back provision that applies to personal information collected on or after January 1, 2022.  The CPRA also creates an agency dedicated solely to privacy enforcement, the California Privacy Protection Agency, similar to the supervisory authorities under the European Union's General Data Protection Regulation (GDPR).  Below are a few of the other changes under the CPRA.

    • Businesses will be required to maintain reasonable security for personal information and to limit data retention to what is reasonably necessary for the disclosed purpose.  Outdated data that no longer serves a purpose should be destroyed.
    • Businesses whose processing of personal information presents significant risk to consumers' privacy or security will be required to conduct regular privacy risk assessments and cybersecurity audits, and to submit the risk assessments to the new agency.
    • Individuals gain the right to opt out of both the sale and the sharing of their personal information (sharing covers disclosures for cross-context behavioral advertising even where no money changes hands).  Businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" link on their homepages, and businesses that use or disclose sensitive personal information for purposes beyond those authorized under the CPRA must provide a "Limit the Use of My Sensitive Personal Information" link.
    • Protection is given to a new category of "sensitive personal information."  This category (which includes, for example, account log-in credentials, financial account details and precise geolocation) is broader than the "special categories of personal data" under the GDPR and expands the scope of protected data.
  • GDPR and Brexit Changes.  With the transition period for the UK's exit from the EU having ended on December 31, 2020, companies should re-evaluate their EU and UK data transfer protections and privacy practices.
    • Governing Law. The UK has retained the GDPR in domestic law as the "UK GDPR," alongside the Data Protection Act 2018, so the substantive requirements currently mirror the EU GDPR.  Companies should be aware, however, that UK law could diverge from the GDPR over time.
    • EU Representative. Non-EU based companies that previously appointed an EU representative based in the UK should appoint a new representative established in the EU to remain compliant with Article 27 of the GDPR.  Likewise, companies outside the UK that offer goods or services to, or monitor, individuals in the UK may now need a separate UK representative under the UK GDPR.
    • Transfer Mechanisms. A lawful basis is still required to process personal data, and international transfers separately require a valid transfer mechanism.  The UK treats the EEA as adequate, so transfers from the UK to the EEA can continue.  Transfers from the EEA to the UK are covered by an interim bridging period under the EU-UK Trade and Cooperation Agreement while the European Commission considers a UK adequacy decision; if no adequacy decision is adopted, those transfers will need a mechanism such as the standard (model) contractual clauses.
    • UK Regulatory Authority.  The ICO is the UK's public body responsible for upholding information rights, including data protection under the UK GDPR.  Because the ICO is no longer an EU supervisory authority, the GDPR's "one-stop shop" no longer applies to UK-based lead establishments, and UK companies may face parallel inquiries from various EU and EEA supervisory authorities as well as the ICO.  UK based companies should assess what resources this requires and modify their privacy and data protection policies accordingly.
  • Cybersecurity Under the CPRA. Data breaches continue to be the leading cause of privacy litigation, penalties, and fines. The CCPA already provides a private right of action for breaches of nonencrypted and nonredacted personal information caused by a business's failure to maintain reasonable security; the CPRA extends it to breaches of a consumer's email address in combination with a password or security question and answer that would permit access to the account.  Increased security measures may be required to avoid future litigation and fines.
    • Make sure data breach response and notification procedures and data retention policies are up-to-date.
    • Sensitive information should be encrypted and/or redacted, which also keeps it outside the categories of data that trigger the private right of action.  Data retention should be limited to only data that has a purposeful use.  Outdated data should be destroyed.
    • Maintain oversight of all third party vendors that provide data services on your company's behalf.  Conduct due diligence and audits of those vendors to avoid being held responsible for how they collect and use your customers' personal information.

Within Lerner David’s full-service IP practice, the firm assists companies ranging from start-ups to large multinationals with privacy law compliance.