Cybersecurity and Privacy Law Developments in Q2 of 2020



Practice Areas

Attorneys of the Cybersecurity and Privacy Practice Group
Robinson Bradshaw Publication
Aug. 5, 2020

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.

The second quarter of 2020 was marked by privacy and cybersecurity legal developments related directly or indirectly to the COVID-19 pandemic. For example, these include the Department of Health and Human Services Office of Civil Rights announcement to exercise enforcement discretion to allow certain uses of protected health information to combat the pandemic; European Data Protection Board guidelines and proposed federal legislation in the United States designed to address privacy challenges related to contact-tracing and related public health measures; and even the New York attorney general’s announcement of a letter agreement with Zoom Video Communications, Inc., to address cybersecurity concerns which came to light due to the service’s widespread usage during the pandemic. In addition, the legal landscape has continued to evolve in California, whose attorney general submitted a final copy of his proposed regulations to implement the California Consumer Privacy Act (CCPA), and where privacy advocates announced collecting sufficient signatures to qualify their proposed California Privacy Rights Act (CPRA) for the November 2020 ballot in California. Finally, the growth of privacy and cybersecurity litigation has continued apace, with the Seventh Circuit joining the Ninth Circuit to recognize standing to sue for violations of Illinois’s Biometric Information Privacy Act (BIPA); with Equifax reaching major settlements to resolve claims related to its 2017 data breach; and with a Virginia federal court ordering Capital One to disclose a forensic report about its data breach last year despite the bank’s assertion of privilege.

If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance. This quarterly update was prepared with the assistance of Cecilia Rambarat, a rising 3L student at UNC School of Law.

State Law Developments

[1] The text of the proposed California Privacy Rights Act may be found here:

[2] The text of the final proposed California Consumer Privacy Act may be found here:

Federal Law Developments

[3] The enforcement discretion notification can be found here:

[4] The FTC’s guidance on using artificial intelligence and algorithms may be found here:

[5] The text of the proposed COVID-19 Consumer Data Protection Act of 2020 may be found here:

[6] The text of the proposed Public Health Emergency Privacy Act may be found here:

[7] The text of the proposed Exposure Notification Privacy Act may be found here:

[8] OCR’s guidance on contacting former COVID-19 patients can be found at:

Foreign Law Developments

[9] Details about the EDPB guidelines on COVID-19 research and contact tracing can be found here: Details about the EDPB’s follow-up letter guidance can be found here:

[10] The EDPB’s guidelines on consent under the GDPR can be found here:

[11] Details about the European Commission’s two-year report on the GDPR can be found here:

Litigation and Enforcement

[12]  The Seventh Circuit’s decision may be found at Bryant v. Compass Grp. USA, Inc., 958 F.3d 617 (7th Cir. 2020). 

[13] The New York attorney general’s letter agreement with Zoom may be found here:

[14] The Illinois federal court’s decision may be found at Acaley v. Vimeo, Inc., No. 19 C 7164, 2020 WL 2836737 (N.D. Ill. June 1, 2020). 

[15] For the FTC’s announcement of the settlement with HyperBeard and links to the complaint and to the statements of FTC Commissioner Philips and FTC Chairman Simons, see

[16] For a copy of the complaint, see

[17] The court’s decision may be found at In re Capital One Customer Data Security Breach Litigation, No. 1:19-md-02915 (June 25, 2020). 

Main Menu