Cybersecurity and Privacy Law Developments in Q4 of 2020



Practice Areas

Attorneys of the Cybersecurity and Privacy Practice Group
Robinson Bradshaw Publication
Jan. 20, 2021

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.

The fourth quarter of 2020 was marked by a heated U.S. presidential election and contentious transfer of power, the worst phase yet of the COVID-19 pandemic, the discovery of a massive cyberattack against the U.S. government and the addition of Justice Amy Coney Barrett to the U.S. Supreme Court. These events will no doubt influence how cybersecurity and privacy law will evolve in the future. In the meantime, there were plenty of legal developments in the fourth quarter of 2020 as described in our update summaries. For example, among other U.S. developments, California voters approved the California Privacy Rights Act to further strengthen and enforce that state’s consumer privacy protections; various federal regulators rolled out new requirements for cybersecurity and individual access to protected information; outgoing President Trump signed into law the Internet of Things Cybersecurity Improvement Act; and the U.S. Supreme Court heard oral argument in two cases expected to resolve circuit splits regarding the scope of the Computer Fraud and Abuse Act and the Telephone Consumer Protection Act. Meanwhile, the implications of the Schrems II decision by the EU Court of Justice continued to unfold in Europe, with new guidance on cross-border data transfers and new requirements for Standard Contractual Clauses under the General Data Protection Regulation. Finally, Canada has proposed legislation that would dramatically revise its national privacy laws to implement a more stringent framework similar to GDPR. If you have questions about any of the legal developments that are described below in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.

State Law Developments

[1] The third set of modifications to the CCPA regulations is available here:

[2] The full text of the CPRA may be found here:

[3] The fourth set of modifications to the CCPA regulations is available here:

Federal Law Developments

[4] The OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments may be found at

[5] The CFPB’s advance notice of proposed rulemaking is available here:

[6] The text of the CFPB’s advance notice of proposed rulemaking on consumer access to financial records may be found in the Federal Register at The CFPB’s press release may be found at

[7] The DOD’s interim rule is available here:

[8] The IoT Cybersecurity Improvement Act of 2020 is available here:

[9] A copy of the proposed rulemaking by the Office of Civil Rights for the Department of Health and Human Services may be found at

[10] The financial regulators’ press release about a proposed cybersecurity incident notification requirement, including a link to the text of the proposed rule, may be found at

Foreign Law Developments

[11] The EDPB’s “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” are available here: edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf (

[12] The European Commission’s draft implementing decision on the SSCs is available here:

[13] The proposed legislation is available here: Government Bill (House of Commons) C-11 (43-2) - First Reading - Digital Charter Implementation Act, 2020 - Parliament of Canada.

[14] The Counsel of the EU’s resolution on encryption may be found at and the accompanying press release may be found at

[15] The announcement of this agreement by the U.K.’s Information Commissioner’s Office was available here (has since been removed):

Litigation and Enforcement

[16] The FTC’s announcement of the settlement with Zoom, including links to the settlement document and the dissenting statements, may be found here:

[17] The Illinois federal court’s decision may be found at Hazlitt v. Apple Inc., Case No. 3:20-CV-421-NJR: 

[18] The U.S. Supreme Court oral arguments for Van Buren v. United States are available here:

[19] The U.S. Supreme Court oral arguments for Facebook, Inc. v. Duguid are available here:

[20] The FTC announcement can be found here: The FTC Commissioner statement can be found here:

[21] The FTC announcement can be found here: The proposed settlement can be found here:

Additional Developments

Main Menu