This year has been, and continues to be, a rollercoaster for privacy laws and legislation in California. From CCPA to CPRA, and other new privacy legislation signed into law or vetoed by Governor Newsom, 2020 has shown a flurry of activity in the area of privacy rights, with more developments on the way. Here we provide a brief update of the status of privacy laws, existing and upcoming, and provide guidance to prepare businesses to comply with these varying regimes.
The CCPA went into effect on January 1, 2020 and enforcement began July 1, 2020. Promptly thereafter, California’s Supervising Deputy AG Stacey Schesser confirmed that initial compliance notice letters were sent to allegedly non-compliant businesses based on consumer complaints and publicly available information. Although the details of these compliance letters are not fully known, the AG has stated that its enforcement priorities include protecting minors and sensitive information such as health data, as well as use of the “Do Not Sell My Personal Information” link. Businesses, especially those “selling” information and handling sensitive data and data of minors, should evaluate their practices and take steps to comply with CCPA if they have not done so already.
Additionally, despite the CCPA’s own language that it should not be used as a basis for private claims (except with respect to a data breach), several class action lawsuits were filed in the first few months of 2020 alleging violations of CCPA provisions. The CCPA allegations in these lawsuits range from failure to implement reasonable security measures and safeguards, resulting in unauthorized disclosures of unencrypted and unredacted personal information, to insufficient notice regarding the collection, use, and sharing of personal information. Violations of California’s Unfair Competition Law premised on CCPA noncompliance have also been consistently pleaded. How courts will decide these cases remains to be seen, but in the meantime we can expect individuals and plaintiffs’ lawyers to continue testing the scope and boundaries of the new law.
Under the CCPA, certain HR data collected about employees and job applicants (“Employee data”), and certain data collected about individuals acting as points of contact in business-to-business relationships (“B2B data”), are exempted from most of the statute’s requirements. However, those exemptions were set to expire at the end of 2020 unless the legislature acted to extend them.
On August 30, 2020, the California legislature passed AB 1281, which extends the Employee and B2B data exemptions for another year, with the caveat that if the California Privacy Rights Act (“CPRA”) ballot initiative (see below) passes, the CPRA’s own provisions instead extend these exemptions for another two years, until January 1, 2023.
Either way, the Employee and B2B exemptions are extended, which is good news for most businesses.
One of the many challenges posed by the CCPA’s broad reach is its intersection with other privacy laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), particularly where the two statutes contain inconsistent standards for de-identification of personal information. To more closely align the CCPA with HIPAA, Governor Newsom signed AB 713 into law on September 25, 2020. AB 713 exempts from the CCPA information that is de-identified under HIPAA, so long as it is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (Common Rule), and so long as the information is not re-identified. The new law permits re-identification of such exempted information only for specific, limited purposes. It also imposes disclosure obligations on businesses selling or disclosing de-identified health information, and, beginning January 1, 2021, requires contracts for the sale or license of de-identified information (where one of the parties resides or does business in California) to include specific provisions stating that the information includes de-identified patient information, prohibiting re-identification of that information, and prohibiting further disclosure of the information to a third party unless the third party is bound by the same or stricter conditions.
AB 713 went into effect immediately and businesses that deal with de-identified information under HIPAA should take a close look at their practices to ensure their contracts, disclosures, and policies are compliant with the new amendment.
On October 12, 2020, the Attorney General proposed modifications to the finalized CCPA regulations. Consistent with the AG’s priorities to focus on the “sale” of personal information and protect minors’ data, the modifications provide guidance on: notice to opt-out of sale of personal information through offline methods; mechanics of requests to opt-out of sale of personal information; and proof a business may require from an authorized agent and a consumer to verify a request. The regulations also clarify the special rules that apply to businesses handling minors’ data. The comment period for the proposed modification is October 13, 2020 – October 28, 2020.
The proposed modifications are available at https://www.oag.ca.gov/privacy/ccpa/current
As if businesses did not have enough to deal with in terms of CCPA compliance, a new set of data privacy requirements may be on the way. The CPRA, dubbed “CCPA 2.0,” is on the ballot for the November election. The CPRA would amend and expand the CCPA, keeping certain provisions in place while revising others and adding new ones. Current polling shows strong support for the initiative, and it appears likely to pass.
Select key provisions of CPRA include the following:
If the CPRA passes, all businesses, especially those collecting sensitive personal information or information of minors, will need to again re-evaluate their data mapping, collection, sharing, and use practices in light of the new law and make necessary changes.
While Governor Newsom signed AB 1281, extending the Employee and B2B data exemptions under the CCPA, he vetoed two other bills that would have imposed fairly onerous requirements on businesses collecting data of minors and certain genetic information.
No discussion of privacy laws would be complete without a check on the status of federal privacy law. A federal privacy regime has been in the works for quite some time, and the current state of affairs has brought privacy concerns front and center and prompted lawmakers to revisit this important topic: the COVID pandemic’s acceleration of remote work, online schooling, and other online activities; greater use of, and concern over, health data; the invalidation of the EU–US Privacy Shield over concerns about U.S. government access to transferred data; and the proposed ban on TikTok. However, the path to national privacy legislation remains murky.
Implementing a federal law presents complex problems such as enforcement (whether federal, combined federal and state, or private), harmonizing the current patchwork of federal, state, and industry laws, and potential preemption of state laws, particularly where those laws provide higher standards of privacy protections such as in California.
Thus, while national privacy legislation appears inevitable, the timing of when it will arrive remains uncertain.
In sum, 2020 has given businesses a lot to deal with, including in terms of privacy laws and compliance, and there is much more to come. Stay tuned for further developments. If your company needs assistance with any privacy issues, Coblentz Cybersecurity and Data Privacy attorneys can help. Please contact Scott Hall at email@example.com for further information or assistance.