Throughout 2020 we saw many enforcement actions brought by EU and U.S. regulators. Whether for allegations of deception (misleading privacy representations) or unfairness (failure to protect information), COVID did not appear to slow down regulatory action. Laws that many companies forget about, or don’t know as well, were enforced by regulators, as well as through class action lawsuits. These included the Children’s Online Privacy Protection Act, Illinois’s Biometric Information Privacy Act, and the Telephone Consumer Protection Act.

There are other laws that create a patchwork of requirements for organizations. They range from laws based on the type of entity (HIPAA, GLBA), to those that regulate the activities in which the entity engages (CAN-SPAM, TCPA), and laws designed to protect individuals from whom the company is collecting information (COPPA, FERPA).

Putting it Into Practice: That enforcement did not slow down during 2020 signals that it likely will continue into 2021, and companies developing internal compliance programs will want to keep these actions, and the wide variety of laws that govern them, in mind (an upcoming publication we anticipate publishing with Thomson Reuters next year should help on this front).