Top Privacy and Cybersecurity Trends of 2021Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Year in Review: 2021’s Top Privacy and Cybersecurity Trends

Despite the ongoing COVID-19 pandemic, 2021 proved to be another incredibly busy year for consumer privacy and cybersecurity. In this blog post, we revisit some of the most important domestic and international privacy and cybersecurity trends of the past year. 


New State Consumer Privacy Laws 

On the heels of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), Virginia and Colorado became the next two states to enact comprehensive consumer privacy laws. Signed into law by Governor Ralph Northam back in March, the Virginia Consumer Data Protection Act (VCDPA) becomes effective on January 1, 2023 and applies to all companies who operate a business or produce products or services that are targeted to residents of Virginia and meet certain thresholds. Months later in July, Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. Set to go into effect on July 1, 2023, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and meet certain thresholds. Both the VCDPA and the CPA carve out several exemptions for entities that are already covered under the privacy and security requirements of other federal laws. Unlike the CCPA and the VCDPA, however, the CPA does not provide an exemption for non-profit organizations. Furthermore, neither the VCDPA nor the CPA offer a private right of action. 

Other notable state privacy developments include New York’s new rules on employee electronic monitoring as well as Nevada’s SB260 amendment, which expanded the right to opt-out of sales and created new requirements for “data brokers”. 

As we head into 2022, we anticipate that the patchwork of state consumer privacy laws will continue to grow. Beckage recommends that businesses take proactive steps to first evaluate what laws and regulations apply to their business and then develop a comprehensive roadmap and plan to mature their data privacy and security posture both internally and externally.   


Continued Focus on Cybersecurity 

Threat actors in 2021 continued to launch increasingly sophisticated ransomware and cyberattacks against businesses of all sizes and in all industries. In the wake of highly disruptive attacks such as SolarWinds and the Colonial Pipeline ransomware attack, both the federal government and also state governments sought to increase their focus on cybersecurity standards. For example, the New York State Department of Financial Services (NYDFS) issued guidance to cyber insurers in the form of the Cyber Insurance Risk Framework. The Cybersecurity and Infrastructure Security Agency (CISA) also regularly issued advisories informing businesses of vulnerabilities. In an effort to secure critical infrastructure, President Biden signed an Executive Order on “Improving the Nation’s Cybersecurity” in May. The new Civil Cyber-Fraud Initiative announced by the Department of Justice back in October further indicates the increasing importance of developing and maintaining resilient cybersecurity protocols.  

The federal government’s response to this year’s exponential increase in ransomware attacks has led several high-profile threat actors – such as DarkSide, REvil, and Black Matter – to take their dark web platforms offline.  At the same time, however, new variants of ransomware are constantly emerging and there is significant evidence that experienced cyber criminals are rebranding to evade law enforcement rather than shutting down their operations.   

In this complex threat landscape, companies across industries are wisely seeking to secure or renew cyber liability coverage in an increasingly competitive market.  Insurers are asking meaningful questions about applicants’ security programs and expecting strong safeguards in place.  For organizations of all sizes, the past year has shown that cybersecurity incidents are now a question of when rather than if.  

Beckage’s Incident Response Team urges businesses to develop plans and procedures to mitigate cyber and legal risk. Beckage recommends businesses continue to dedicate internal resources to refining compliance programs and testing incident response plans through tabletop training exercises. 


Health Privacy and Compliance Challenges 

Our lives have become increasingly digitized, and 2021 was no different – especially with the COVID-19 pandemic. The proliferation of apps and technologies handling personal health data led the FTC to confirm back in September that the requirements contained in the agency’s Health Breach Notification Rule extend to health apps and connected device companies. And as the world continued to operate under the shadow of the COVID-19 pandemic, businesses faced – and will continue to face – uncertainty regarding new federal vaccination and testing policies. Beckage’s Data Security and Privacy Compliance and Health Law Teams recommend businesses take stock of their employee data collection practices in their efforts to prevent the spread of COVID-19. 


Biometrics Class Actions, BIPA Claims Accrual, and Statute of Limitations 

In 2021, litigation under Illinois’ Biometric Information Privacy Act (BIPA) remained at the forefront of the data privacy landscape. As we noted back in JanuaryMarch, and April, BIPA’s private right of action has contributed in part to an increase in the number of class actions. In September, the First District of the Illinois Appellate Court found that the statute of limitations period could range from one year to as much as five years depending on the nature of the alleged violation. But as the year closed out, Illinois courts continued to wrestle with the issues of BIPA claims accrual and statute of limitations. As this blog post goes to press, the U.S. Court of Appeals for the Seventh Circuit had just issued its decision in Cothron v. White Castle, certifying the issue of BIPA claims accrual to the Illinois Supreme Court.  


Website Accessibility Litigation and What Counts as a Place of Public Accommodation 

The Beckage Accessibility Team continues to see a drastic increase in litigation filed under Title III of the Americans with Disabilities Act (ADA) as well as the rapidly evolving caselaw surrounding website accessibility claims. 2021 is set to be a record-breaking year, with approximately of 4,000 new lawsuits filed this year alone, with most of these cases filed against small to medium sized businesses. The issue of whether websites qualify as places of public accommodates under the ADA continued to take shape in 2021. For example, in May the Eleventh Circuit Court of Appeals held in Gil v. Winn-Dixie Stores that a website is not a “place of public accommodation” under Title III of the ADA, creating a clear conflict with 9th Circuit authority that has held a website is a place of public accommodation if there is a nexus to a brick and mortar location. In September, the United States District Court for the Eastern District of New York issued a decision in Winegard v Newsday LLC, which also concluded that a website is not a “place of public accommodation” under Title III of the ADA. Despite this unsettled landscape, we anticipate more litigation to come around the specific statutory definition of what constitutes a “public accommodation.” 

Nevertheless, there is no end in sight for companies facing lawsuits under the ADA. Accordingly, Beckage recommends that businesses with any online presence or mobile application take proactive steps and prioritize accessibility internally. Minimizing legal risk through a digital accessibility compliance buildout that includes both a full scale audit of digital assets and internal and external policy development is recommended for all businesses looking ahead in to 2022.  


Telephone Consumer Protection Act (TCPA) 

TCPA class actions are numerous. Beckage’s TCPA team has charted the complex legal landscape surrounding text message marketing and telemarketing throughout the course of 2021. In April, we covered the decision by the Supreme Court of the United States in Facebook v. Duguid et al., which narrowed the scope of the TCPA down to systems that utilize random number generators. In November, we covered Florida’s new telemarketer requirements. As we head into 2022, TCPA compliance will continue to be an important area of focus for businesses. Businesses that leverage text messaging marketing as part of their consumer outreach should evaluate compliance initiatives and stay up to date on this fast moving area of the law. 


More Global Privacy and Cybersecurity Developments 

Privacy and cybersecurity continued to be areas of significant focus on an international scale. For example, China’s new Data Security Law (DSL) and new Personal Information Protection Law (PIPL) became effective on September 1 and November 1, respectively. Along with the Cybersecurity Law (CSL) of 2017, these two new laws have added a set of new cross-border requirements for international companies seeking to do business in China. Furthermore, following the Schrems II decision, which invalidated the EU-US Privacy Shield, the EU Commission released new standard contractual clauses (SCCs) intended to provide more flexibility and options for cross-border data exchange. The new SCCs are applicable for all new contracts entered into as of September 27, and businesses have until December 27, 2022 to transition all contracts using the older SCCs to ones with the new SCCs. Additionally, Québec’s Bill 64, which received royal assent a few months ago, has a series of new requirements coming into effect within the next couple of years for businesses both within and outside the province. 

On the global data privacy class action front, the UK Supreme Court’s recent decision in Lloyd v. Google suggests that opt-out class action cases for data privacy claims will be very difficult to bring. 


Conclusion and Key Takeaways 

In the midst of the ongoing COVID-19 pandemic and a rise in sophisticated cyberattacks, 2021 saw many privacy and cybersecurity trends and developments. There were new laws and regulations on both a domestic and an international scale. Case law in relevant areas developed rapidly, with some issues still unresolved as we embark on 2022. Things do not seem to be slowing down at all in the realm of privacy and cybersecurity. Beckage’s team of attorneys and technologists work with businesses of all sizes and industries to develop comprehensive scalable data security and privacy infrastructures to navigate this fast moving area. 

*Attorney Advertising. Prior results do not guarantee similar outcomes. 

Subscribe to our newsletter. 

What's next for UK Data Privacy?UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

UK Decision Further Restricts Potential Class Privacy Actions and Sheds Light on Required Damages for Data Protection Claims

On November 10, 2021, a unanimous decision by the UK’s Supreme Court in Lloyd v. Google in favor of Google rejects an attempt to bring opt-out class action cases for data privacy claims in the UK.

In the UK, a robust class action regime for the field of data protection does not currently exist, and the Lloyd decision reflects a rejection of class action or representative actions in the data privacy realm Unlike the UK, a class action regime that allows for mass claims (including opt-out cases) has long existed in the US. Further, class action claims in the US have extended beyond traditional privacy tort claims to other claims related to data privacy (e.g., for violations of consumer protection laws and recently enacted data privacy laws such as the CCPA).

Background of Lloyd v. Google LLC  

Plaintiff Richard Lloyd filed an opt-out mass privacy action in English courts against Google relying on an old Civil Procedure Rule 19.6 which permits representative actions. Lloyd sought to bring the mass privacy action on behalf of 4.4 million allegedly affected iPhone users as a representative action for breach of Section 4(4) of the Data Protection Act 1998 (“DPA”).

Lloyd alleged that Google had breached its duties as a data controller under Section 4(4) of the DPA. Google allegedly used a workaround to capture user browser data from iPhone users when visiting a site with Google content after Apple enabled the automatic blocking of third-party cookies in its Safari browser. Lloyd alleged that the use of Google’s Safari workaround secretly tracked and captured data from millions of Apple iPhone users (between late 2011 and early 2012) without the users’ knowledge or consent.

Further, Lloyd argued that an individual is entitled to compensation under Section 13 of the DPA whenever a data controller fails to comply with any of the requirements of the DPA in relation to that individual’s personal data without proof of damages, provided that the breach is not trivial or de minimum. Lloyd sought a uniform amount of damages for all individuals without proving damage for all on basis of “loss of control” (or “user”) damages, a lowest common denominator of loss suffered by every individual by reason of the breach. Lloyd argued that because the loss of control of data has value, the users were entitled to compensation for that value of that loss.

In the High Court, Lloyd had to show a reasonable prospect of success to serve Google out of jurisdiction to move the case forward.  Google contested Lloyd’s claim on two grounds:

  • damages cannot be awarded under the DPA for “loss of control” of data without proof that it caused financial damage or distress; and
  • the claim, in any event, is not suitable to proceed as a representative action.

The High Court held in favor of Google on both issues and refused permission to serve Google.

Then, Lloyd appealed and the Court of Appeals which allowed it, reversed the High Court’s decision, and granted permission to serve Google.

Finally, Google appealed to the Supreme Court where the case captured more attention and triggered various intervening parties including UK’s Information Commissioner’s Office (ICO).

UK Supreme Court Decision

The issue brought before the Supreme Court on whether Lloyd should have been refused permission included three key questions:

  • Whether members suffered damages within the meaning of section 13 of the DPA 1998?
  • Did the class share the “same interest,” as required for a representative action to proceed?
  • Should the court exercise its discretion to disallow the representative action?

1. Damages for Loss of Control

The Supreme Court rejected Lloyd’s argument that “loss of control” damages without proof was within meaning of the DPA.    

Meaning of Damages

The Supreme Court held that to recover compensation under the DPA proof of material damage or distress are required: “to recover compensation [under the DPA] for any given individual, it would be necessary to show both that Google made some unlawful use of personal information relating to that individual and the individual suffered some damage as a result.”

The Supreme Court considered the wording of Section 13 of the DPA which states that a person who suffers damage from contravention by a data controller of any requirements of the act (or damages suffered from distress meeting specific conditions of Section 13) is entitled to compensation for that damage or distress.  It also noted that the intent behind the wording of Section 13 of the DPA was to implement Article 23 of the GDPR which provided compensation from a controller for damages suffered, i.e., material damage.

Thus, requiring only proof of breach would be inconsistent with the DPA.

Loss of Control Damages for Data Protection Violation

Lloyd argued that the same rule for “loss of control” or “user” damages without proof of damages permitted for claims for the tort of misuse of private information should apply to the claim for the violation of the DPA. Lloyd claimed this was appropriate because they are based on the same right to privacy.  In the tort cases, loss of control compensation was available for wrongful use of property, even without financial/physical damage.

The Supreme Court rejected Lloyd’s argument that the same rules for loss of control or user damages should apply. It emphasized distinctions between the common law tort claim of violation of privacy for misuse of private information a claim for a violation of a data protection law (e.g., the tort claim requires a reasonable expectation of privacy).  Further, the court noted that Lloyd did not bring a claim for misuse of the data collected by Google but rather a violation of the DPA.

Thus, loss of control damages without proof did not apply.

2. Representative Action

Most critically, the Supreme Court found that a representative action, in this case, would fail.

The Supreme Court held that recovery under the DPA requires proof of unlawful use and material damage or distress suffered as a result. The Supreme Court said that Lloyd had to show that each of the individuals of the class had both suffered a breach and suffered damages as a result of that breach. Thus, the use of a representative action as a method for recovery without proving either will fail.

In the decision, the Supreme Court rejected the argument for a representative action for breach of the DPA. Further, the Supreme Court determined that a representative action for damages without an individualized assessment for damages would fail.

Representative Action for Breach – Same Interest Test

The Supreme Court evaluated the representative action to establish breach of the DPA and entitlement to compensation based on that breach. The CPR 19.6 permits claims to seek recovery on behalf of a group of individuals where all individuals have “the same interest” in the claim. The court noted that the CPR 19.6(1) requires proof that all individuals  have the “same interest” in claim as the representative and this test was not met.

However, the court noted that Lloyd could have framed the claim differently and adopted a bifurcated process for the representative action under the Act and individual claims for damages separately. As Lloyd did not seek a bifurcated action, the Supreme Court stated that the only other option for Lloyd was a representative action for damages.

Representative Action for Damages – Uniform v. Individual

The Supreme Court evaluated a representative action for damages and Lloyd’s claims for damages for each class member on “uniform per capita basis.” The court stated that this option fails because the effect of Safari Workaround was not uniform across the class and likely varied by types of users (i.e., super/heavy users v. limited users) and different types and amounts of affected data. Thus, individualized assessment of damages would be required for all class members.

Lloyd argued for no assessment requirement relying on the proposition that the class was entitled to compensation for any (non-trivial) contravention of DPA without the need to prove individual damages. Lloyd argued that all members suffered a loss (damages or distress under the Art) based either on general damages on uniform per capita basis, or the amount that could reasonably be charged for releasing Google from duties.  The Supreme Court rejected both arguments.

Key Takeaways

The Supreme Court unanimously allowed Google’s appeal and restored the dismissal of the case by the High Court.

This decision provides some key takeaways:

  • Claims for Violations of the DPA:
    • Proof of material damages or distress are required for claims for violation of the DPA brought by individuals and groups
    • Representative actions are not suitable for claims for violation of the DPA without evidence of misuse or material damages/distress
  • Other Mass Privacy Claims:
    • Opt-out representative action for damages requires an individualized assessment of damages

Further, the Supreme Court’s decision to reject Lloyd’s attempt to bring an opt-out case against Google shows that opt-out representative actions are likely not possible (or at least very difficult) for data protection actions.

How will this impact future data privacy claims in the UK?

This much anticipated and landmark decision will drastically reduce the number of mass privacy claims brought in the UK due to the heightened evidentiary burden, and deter cases where only minimal evidence of harm as a result of breach exists.

For plaintiffs/claimants, this decision makes it even more difficult for individuals and class counsel to bring a mass privacy claims in the UK without obtaining proof of damages for all potential class members. This could be costly and likely deter many cases but does not completely prevent these types of cases where individuals have suffered actual damages.

For businesses, this decision provides some relief from potential frivolous claims or claims lacking evidentiary support for businesses processing personal information in or about individuals in the UK.

Other pending potential representative actions (awaiting this decision) will likely be prevented from moving forward in UK courts.   However, note, the Lloyd decision focused on the DPA as applied during the claim period (2011 to 2012) and not recent developments in the data privacy framework in the UK (i.e., updates to the DPA and the UK GDPR).

Even in light of the Lloyd decision, the international data privacy landscape remains complex.  Beckage works with its clients on developing international privacy compliance strategies and programs to implement proactive measures to protect personal data and thus reduce the risk of litigation.  Our team of experienced attorneys, who are also devoted technologists, are specially equipped with the skills and experience necessary to provide guidance to navigate the complexities of international privacy frameworks and handle any resulting enforcement actions or litigation matters.

Subscribe to our newsletter.

*Attorney Advertising; prior results do not guarantee similar outcomes. 


New Federal COVID-19 Vaccination Policies Trigger Data Privacy ConsiderationsNew Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

New Federal COVID-19 Vaccination Policies Trigger Data Privacy Considerations

UPDATE:  On November 6th, the U.S. Court of Appeals for the Fifth Circuit issued a temporary stay of OSHA’s latest vaccine rules in BST Holdings, L.L.C., et al. v. OSHA, noting that “there are grave statutory and constitutional issues with the Mandate.” On November 12th, the Fifth Circuit issued an order in continuance of its November 6th stay, stating that enforcement of OSHA’s latest vaccine rules “remains STAYED pending adequate judicial review of the petitioners’ underlying motions for a permanent injunction.” The Fifth Circuit further ordered “that OSHA take no steps to implement or enforce the Mandate until further court order.”

However, with several other similar lawsuits pending in other federal circuits, the Judicial Panel on Multidistrict Litigation has selected, by lottery on November 16th, the U.S. Court of Appeals for the Sixth Circuit to be the tribunal to hear the consolidated cases. The Sixth Circuit will thus have the authority to issue the controlling opinion on OSHA’s latest vaccine rules, though many expect litigation to continue up to the Supreme Court of the United States for a final decision.

Businesses should stay up to date with current developments regarding OSHA’s latest vaccine rules and related lawsuits and should understand existing and intended data collections practices within their organizations.  Evaluating what is being collected, how it is being retained, how this information can be accessed and by whom remains a very important part of an organization’s data security and privacy infrastructure in light of this climate. The Compliance Team at Beckage is experienced in navigating such changes and can assist businesses with their data security and privacy programs as the landscape continues to evolve within the next couple of months.

Email Beckage Privacy Compliance Team Lead Kara L. Hilburger, Esq., (CIPP/US)  at khilburger@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in this space.

Continue reading initial post regarding The OSHA Rule below.


On Thursday, November 4, 2021, the Occupational Safety and Health Administration (OSHA) published an Interim Final Rules (OSHA Rule) requiring employers with 100 or more employees to implement plans to confirm employees are vaccinated, and if not to test their employees weekly and require face masks. The OSHA Rule, published in the Federal Register on November 5, 2021, requires employers subject to the OSHA Rule to implement testing protocols for unvaccinated employees starting January 5, 2022.

Although the Fifth Circuit Federal Court of Appeals temporarily blocked the OSHA Rule on November 6, 2021, employers should still prepare a plan in the event the OSHA Rule is not permanently blocked given the pending compliance deadlines. This may require employers to revise existing procedures or create new policies and procedures. As employers develop and implement these policies, it’s important to carefully consider data privacy and security implications of maintaining this sensitive information about employees.

Below are just a few questions employers should ask as they develop these new policies.

Does the OSHA rule apply to me?

The answer depends on your company’s size, operation, and industry. Importantly, the new OSHA Rule does not apply to health care providers, which have even more stringent rules announced by the Centers for Medicare and Medicaid (CMS) on the same day.  The OSHA Rule applies to businesses with 100 or more employees.  To determine whether an employer meets this 100-person threshold, companies should count all full- and part-time employees at all locations and worksites. Employers do not have to count employees who are contractors, employees from a staffing agency, or franchisee employees if the employer is the franchisor.

What does the OSHA Rule require?

Employers that are subject to the OSHA Rule must:

  • Determine vaccination status. Determine the vaccination status of each employee, accept proof of vaccination, and maintain records of each employee’s vaccination status. The OSHA Rule outlines forms of acceptable proof of vaccination, which includes COVID-19 Vaccination Record Cards, a copy of medical records documenting vaccination, and employee attestations in limited circumstances.
  • Test unvaccinated employees and require masks. If an employer elects to not mandate COVID-19 vaccinations, the company must test each employee who is not fully vaccinated at least once every 7 days. If an employee has not been tested within a 7-day period, the employee must telework for two weeks before reporting back to a location with other employees and be tested within 7 or fewer days before returning. Employees will have to provide documentation of their test results and employers must maintain these test result records. Unvaccinated employees must wear face masks at the workplace.
  • Require employees to notify the employer of a positive COVID test or diagnosis. Companies must require employees to provide prompt notice of positive COVID-19 tests and diagnoses and take steps to remove them from the workplace until they meet the criteria for returning.

Are there any exceptions?

Yes. The OSHA Rule does recognize certain exceptions and exemptions to these requirements.

  • Employees who work exclusively remotely or at outside locations are not subject to the requirements.
  • The OSHA Rule also does not apply to workplaces covered by the Safer Federal Workforce Task Force COVID-19 Workplace Safety: Guidance for Federal Contractors and Subcontractors.
  • The OSHA Rule does not apply to health care providers, which are covered by the CMS interim final rule.
  • The OSHA Rule has exceptions for employees who cannot receive the vaccine for medical reasons, or who are legally entitled to a reasonable accommodation under federal civil rights laws because of disability or sincerely held religious beliefs that conflict with the vaccination requirement.

Do I need to provide paid leave for vaccinations?

Yes. Companies subject to this rule must provide employees with up to four hours of paid time to receive their vaccination. They must also allow for reasonable time and paid sick leave for the employee to recover from vaccine side effects.

Do I need to pay for the cost of testing if an employee isn’t vaccinated?

No, the OSHA Rule does not require covered employers to cover the costs of testing. However, other laws, regulations, collective bargaining agreements, or collective negotiation agreements may require the employer to pay for testing.

How does the OSHA rule impact state vaccination and testing laws?

The OSHA Rule pre-empts any state law that has less restrictive standards regarding vaccination and testing for COVID-19 in the workplace. States can impose greater vaccination requirements; for example, some employers may be subject to state laws that do not include medical or religious exceptions.

What needs to be addressed in the vaccination policy?

Companies must develop, implement, and enforce mandatory policies that address COVID-19 vaccination procedures or mandatory testing if the company does not mandate vaccinations.  These policies must be provided to employees in a language and literacy level that employees understand.

Are there any additional documentation and reporting requirements?

Yes. Companies must provide employees and their designated representatives with their vaccination and testing records by the end of the next business day following the request for such records. Companies must also be able to provide policies and procedures to OSHA within four business hours and must provide an aggregate number of total vaccinated employees upon request by the next business day.  Finally, companies must report work-related COVID-19 fatalities to OSHA within 8 hours of learning about them. Covered employers must report a COVID-19 related in-patient hospitalization within 24 hours of learning about it.

Are there penalties for non-compliance?

OSHA Officials have stated they will use OSHA’s authority to inspect workplaces and investigate complaints received from employees. Failure to comply with OSHA regulations can lead to a $13,653 penalty per violation for serious or failure to abate violations and a $13,532 per violation for willful or repeated violations.

How should companies prepare?

Companies subject to the OSHA Rule should review the new requirements and develop a strategy on how to document and implement the mandatory procedures most effectively and efficiently. The new rule requires employers to collect and maintain sensitive employee data. Policies and procedures addressing how these records will be maintained and protected will be necessary, and in tandem with developing procedures, companies may want to evaluate whether they need to update record retention procedures and determine whether existing data security and privacy protocols are sufficient.  It is also recommended that companies work with legal counsel to review whether and how state laws interplay with the new OSHA requirements.  Many state laws have statutes and regulations requiring companies to safeguard medical information held on behalf of clients and employees. This is particularly important for employers that have not previously held sensitive employee information such as health records and may not have proper procedures in place for safeguarding such records.

Beckage continues to monitor this evolving landscape and provide updates on important topics that impact data privacy and security, which have a very real impact on business operations. Regardless of the legislative landscape, a robust data security and privacy program that can stand the test of time is a wise investment. Our team is available to assist your team in the evaluation of legal implications of current requirements and legislative changes in the data privacy field.

Email Beckage Health Law Team Lead Sarah L. Rugnetta, Esq., (CIPP/E) at srugnetta@beckage.com or call 716.898.2102 for assistance in analyzing this and other regulatory and legislative matters in the Health Law space.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

Québec's Bill 64Québec’s Bill 64 – What Businesses Need to Know Now

Québec’s Bill 64 – What Businesses Need to Know Now

In Canada, the main laws governing personal data protection and privacy at the federal level are the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On November 17, 2020, the former Minister of Innovation, Science and Industry, Navdeep Bains, introduced An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11, or the Digital Charter Implementation Act) for consideration in the House of Commons. Bill C-11 was slated to update Canada’s private-sector data privacy laws. However, it died on the Order Paper in August.

While efforts to enact reforms at the federal level have been halted for the moment, businesses should still be keeping a close eye on what is happening at the provincial level.

On September 22, 2021, Québec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received royal assent in the National Assembly of Québec. Beckage will continue to monitor these provisions to Québec’s new privacy law and will provide updates prior to the effective date. With broad implications and with substantive provisions becoming effective in 2022, 2023, and 2024, private-sector businesses should take proactive steps to prepare for Québec’s new privacy law starting now.

Here are some of the important changes to be aware of:

Provisions effective starting September 22, 2022:

Designation of the Person in Charge of the Protection of Personal Information

Section 95 of Bill 64 adds Section 3.1 to Québec’s Private Sector Act.

By default, the person exercising the highest authority in a business, such as the chief executive officer, will be the person in charge of the protection of personal information. This responsibility may be delegated to another person, and that person’s title and contact information must be posted on the website of the business.

Confidentiality Incident Notifications to the Commission d’accès à l’information (CAI).

Section 95 of Bill 64 adds Sections 3.5-3.8 to Québec’s Private Sector Act.

Bill 64 defines a “confidentiality incident” as: (1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach in the protection of such information.

Businesses must promptly notify the CAI about confidentiality incidents that “present a risk of serious injury” and must also notify any person whose personal information is concerned in such an incident.

The determination of a “risk of serious injury” depends on certain factors, such as “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.”

Businesses must also keep a register of all confidentiality incidents for the CAI upon request.

Changes Concerning Personal Information in Commercial Transactions

Section 107 of Bill 64 adds Sections 18.3-18.4 to Québec’s Private Sector Act.

Bill 64 defines a “commercial transaction” as involving:

  • the alienation or leasing of all or part of an enterprise or its assets;
  • a modification of its legal structure by merger or otherwise;
  • the obtaining of a loan or any other form of financing by the enterprise; or
  • the obtaining of a security taken to guarantee any of its obligations.

When necessary for concluding a commercial transaction, businesses may communicate personal information without the consent of the person concerned. However, prior to such transactions, businesses must enter into an agreement ensuring that the other party will only use the information for concluding the commercial transaction, will not communicate the information without consent, will take measures required to protect the confidentiality of the information, and will destroy the information if the transaction does not go through or if the information is no longer necessary.

Please note that the new Section 18.4 on entering into an agreement prior to such transactions becomes effective in 2022, while the new Section 18.3 becomes effective in 2023.

Changes Concerning Personal Information in Research Studies

Section 110 of Bill 64 amends Section 21 of Québec’s Private Sector Act.

When using the information for study or research purposes or to produce statistics, businesses may communicate personal information without the consent of the person if a privacy assessment concludes that:

  • the objective can only be achieved if the information is communicated in a form allowing the persons concerned to be identified;
  • it is unreasonable to require obtaining consent;
  • the objective outweighs with regard to the public interest;
  • the personal information is used in such a way to ensure confidentiality; and
  • only necessary information will be communicated.

Businesses wishing to use personal information in studies and research must request in writing and enclose several other pieces of required materials/information. If applicable, businesses must also describe the different technologies to be used. If applicable, businesses must also send documented decisions of a research ethics committee.

Bill 64 also lists several requirements that businesses must work into an agreement with the persons or entities receiving the personal information.

Provisions effective starting September 22, 2023:

Governance Policies and Practices Regarding Personal Information

Section 95 of Bill 64 adds Section 3.2 to Québec’s Private Sector Act.

Businesses must establish and implement governance policies and practices regarding personal information. Such policies must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, provide a process for dealing with complaints, be proportionate to the nature and scope of the business, and be approved by the person in charge of the protection of personal information.

Businesses must publish detailed information about these policies on their websites in simple and clear language.

Privacy Assessments

Section 95 of Bill 64 adds Sections 3.3-3.4 to Québec’s Private Sector Act.

Businesses must conduct privacy assessments for the acquisition, development, or overhaul of information or electronic service delivery systems involving the collection, use, communication, keeping, or destruction of personal information.

The person in charge of the protection of personal information may suggest measures such as:

  • the appointment of a person to be responsible for implementing the personal information protection measures;
  • measures to protect the personal information in any document relating to the project;
  • descriptions of the project participants’ responsibilities regarding the protection of personal information; or
  • training activities for project participants on the protection of personal information.

Privacy assessments must be conducted proportionately to the sensitivity of the information concerned, the purposes for which  the information will be used, the quantity and distribution of the information, and the medium on which it is stored.

Personal Information Concerning Minors Under 14 Years of Age

Section 96 of Bill 64 replaces Section 4 of Québec’s Private Sector Act.

Businesses may not collect personal information concerning a minor under 14 years of age without parental or tutor consent unless collecting the information is clearly for the minor’s benefit.

Necessary Purposes

Section 97 of Bill 64 amends Section 5 of Québec’s Private Sector Act.

Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.

Source of the Personal Information

Section 98 of Bill 64 amends Section 7 of Québec’s Private Sector Act.

Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.


Section 99 of Bill 64 replaces Section 8 of Québec’s Private Sector Act.

When collecting information and upon request, businesses must provide, in clear and simple language, the purposes of collection, the means of collection, the rights of access and rectification under law, and the right to withdraw consent.

Persons concerned may also request the categories of persons who have access to the information within the business, the duration of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

Businesses must also inform individuals of any collection of personal information using a technology that includes functions allowing the individual to be identified, located, or profiled and the means available to deactivate such functions.

Businesses collecting personal information through technological means must publish on their websites a confidentiality policy in clear and simple language.

Any person who provides his or her personal information in accordance with this new Section 8 of Québec’s Private Sector Act consents to its use for the stated purposes.

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Unless the person concerned gives his or her consent, personal information may not be used within the business except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.

Personal information may, however, be used for another purpose without consent, but only if:

  • its use is necessary for preventing and detecting fraud or assessing and improving protection and security measures;
  • its use is necessary for providing or delivering a product or providing a service requested by the person concerned;
  • its use is necessary for study or research purposes or to produce statistics and if the information is de-identified.

Privacy by Default

Section 100 of Bill 64 adds Section 9.1 to Québec’s Private Sector Act.

Businesses that collect personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.

Automated Decision-Making

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Businesses that use personal information to render a decision based exclusively on automated processing of such information must inform the person concerned accordingly and not later than at the time it informs the person of the decision.”

The person concerned must be given the opportunity to submit observations to a member of the business who is in a position to review the decision.

Third Parties

Section 102 of Bill 64 replaces Section 12-14 of Québec’s Private Sector Act.

No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication. Such consent must be given expressly when it concerns sensitive personal information.

Cross-Border Data Transfers

Section 103 of Bill 64 replaces Section 17 of Québec’s Private Sector Act.

Before communicating personal information outside Québec, businesses must assess privacy-related factors. They must consider:

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the protection measures, including those that are contractual, that would apply to it; and
  • the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles, apply in that State.

The information may be communicated if the assessment establishes that it would receive adequate protection, in light of generally recognized principles regarding the protection of personal information.

Destruction of Personal Information

Section 111 of Bill 64 replaces Section 23 of Québec’s Private Sector Act.

Where the purposes for which personal information was collected or used are achieved, businesses must destroy or anonymize the information, subject to any preservation period provided for by an Act.


Section 113 of Bill 64 replaces Section 28 of Québec’s Private Sector Act.

The person to whom the personal information relates may require a business to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means if the dissemination of the information contravenes the law or court order.

This new section lists several situations in which hyperlinks may be re-indexed.

Provisions effective starting September 22, 2024

Copies of Personal Information Upon Request

Section 112 of Bill 64 amends Section 27 of Québec’s Private Sector Act.

Businesses must, upon request, confirm the existence of personal information, communicate it in a structured and commonly used technological format, and allow people to obtain copies of their personal information.


Many of the provisions of Québec’s new privacy law do not become effective until 2023 and 2024. However, there are a few notable provisions that become effective starting on September 22, 2022. Beckage continues to monitor this area and will provide updates as the effective date approaches. Our Compliance Team recommends that businesses both within and outside Québec’s, take proactive steps to prepare for the full implementation of Bill 64 starting now, especially now that there will be new enforcement and penalties regime.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.


Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.


Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).


Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Beckage retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Beckage attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

1 2 3 10