Intellectual Property, Information Technology & Cybersecurity

Fall 2020 California Privacy Law Update

Authors: Scott Hall and Foram Dave.

This year has been, and continues to be, a rollercoaster for privacy laws and legislation in California. From CCPA to CPRA, and other new privacy legislation signed into law or vetoed by Governor Newsom, 2020 has shown a flurry of activity in the area of privacy rights, with more developments on the way. Here we provide a brief update of the status of privacy laws, existing and upcoming, and provide guidance to prepare businesses to comply with these varying regimes.

California Consumer Privacy Act (“CCPA”) Enforcement Begins Amid Pandemic

The CCPA went into effect on January 1, 2020 and enforcement began July 1, 2020. Promptly thereafter, California’s Supervising Deputy AG Stacey Schesser confirmed that initial compliance notice letters were sent to allegedly non-compliant businesses based on consumer complaints and publicly available information. Although the details of these compliance letters are not fully known, the AG has stated that its enforcement priorities include protecting minors and sensitive information such as health data, as well as use of the “Do Not Sell My Personal Information” link. Businesses, especially those “selling” information and handling sensitive data and data of minors, should evaluate their practices and take steps to comply with CCPA if they have not done so already.

Additionally, despite the CCPA’s own language that it should not be used as a basis to bring private claims (except with respect to a data breach), several class action lawsuits have been filed in the first few months of 2020 alleging violations of CCPA provisions. Allegations regarding the CCPA in these lawsuits range from failure to implement reasonable security measures and safeguards, which resulted in unauthorized disclosures of unencrypted and unredacted personal information, to insufficient notice regarding the collection, use, and sharing of personal information. Violations of Unfair Competition law based on noncompliance with CCPA have also been consistently pleaded. How courts decide these cases remains to be seen, but in the meantime, we can expect to continue to see individuals and plaintiffs’ lawyers test the scope and boundaries of the new law.

Extension of the CCPA’s Exemptions for Employee and B2B Data

Under the CCPA, certain HR data collected about employees and job applicants (“Employee data”), and certain data collected about individuals acting as points of contact in business-to-business relationships (“B2B” data) are exempted from most of the requirements of the statute. However, those exemptions were set to expire at the end of 2020, pending further legislation on these issues, unless some action was taken.

On August 30, 2020, the California legislature passed AB 1281, which extended the Employee and B2B data exemptions for another year. The caveat is that if the California Privacy Rights Act (“CPRA”) ballot initiative (see below) passes, the CPRA’s provisions extend these exemptions automatically for another two years, until January 1, 2023.

Either way, the Employee and B2B exemptions are extended, which is good news for most businesses.

CCPA Amendment Regarding De-identified Information under HIPAA

One of the many challenges to the CCPA’s broad reach is its intersection with other privacy laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), particularly where the two statutes contain inconsistent provisions regarding standards for de-identification of personal information. To more closely align CCPA with HIPAA, Governor Newsom signed AB 713 into law on September 25, 2020. AB 713 exempts from the CCPA information that is de-identified under HIPAA, so long as it is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (Common Rule), and so long as the information is not re-identified. The new law only permits re-identification of such exempted information for specific, limited purposes. It also imposes disclosure obligations on businesses selling or disclosing de-identified health information, and, beginning January 1, 2021, requires contracts for sale or license of de-identified information (where one of the parties resides or does business in California) to include specific provisions stating that the information includes de-identified patient information, prohibiting re-identification of such information, and prohibiting further disclosure of the information to a third party unless the third party is bound by the same or stricter conditions.

AB 713 went into effect immediately and businesses that deal with de-identified information under HIPAA should take a close look at their practices to ensure their contracts, disclosures, and policies are compliant with the new amendment.
