This year has been, and continues to be, a rollercoaster for privacy laws and legislation in California. From CCPA to CPRA, and other new privacy legislation signed into law or vetoed by Governor Newsom, 2020 has shown a flurry of activity in the area of privacy rights, with more developments on the way. Here we provide a brief update of the status of privacy laws, existing and upcoming, and provide guidance to prepare businesses to comply with these varying regimes.
California Consumer Privacy Act (“CCPA”) Enforcement Begins Amid Pandemic
The CCPA went into effect on January 1, 2020 and enforcement began July 1, 2020. Promptly thereafter, California’s Supervising Deputy AG Stacey Schesser confirmed that initial compliance notice letters were sent to allegedly non-compliant businesses based on consumer complaints and publicly available information. Although the details of these compliance letters are not fully known, the AG has stated that its enforcement priorities include protecting minors and sensitive information such as health data, as well as use of the “Do Not Sell My Personal Information” link. Businesses, especially those “selling” information and handling sensitive data and data of minors, should evaluate their practices and take steps to comply with CCPA if they have not done so already.
Additionally, despite the CCPA’s own language that it should not be used as a basis to bring private claims (except with respect to a data breach), several class action lawsuits have been filed in the first few months of 2020 alleging violations of CCPA provisions. Allegations regarding the CCPA in these lawsuits range from failure to implement reasonable security measures and safeguards, which resulted in unauthorized disclosures of unencrypted and unredacted personal information, to insufficient notice regarding the collection, use, and sharing of personal information. Violations of Unfair Competition law based on noncompliance with the CCPA have also been consistently pleaded. How courts decide these cases remains to be seen, but in the meantime, we can expect to continue to see individuals and plaintiffs’ lawyers test the scope and boundaries of the new law.
Extension of the CCPA’s Exemptions for Employee and B2B Data
Under the CCPA, certain HR data collected about employees and job applicants (“Employee data”), and certain data collected about individuals acting as points of contact in business-to-business relationships (“B2B” data) are exempted from most of the requirements of the statute. However, those exemptions were set to expire at the end of 2020, pending further legislation on these issues, unless some action was taken.
On August 30, 2020, the California legislature passed AB 1281, which extended the Employee and B2B data exemptions for another year, with the caveat that if the California Privacy Rights Act (“CPRA”) ballot initiative (see below) passes, the CPRA’s provisions extend these exemptions automatically for another two years, until January 1, 2023.
Either way, the Employee and B2B exemptions are extended, which is good news for most businesses.
CCPA Amendment Regarding De-identified Information under HIPAA
One of the many challenges to the CCPA’s broad reach is its intersection with other privacy laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), particularly where the two statutes contain inconsistent provisions regarding standards for de-identification of personal information. To more closely align CCPA with HIPAA, Governor Newsom signed AB 713 into law on September 25, 2020. AB 713 exempts from the CCPA information that is de-identified under HIPAA, so long as it is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects (Common Rule), and so long as the information is not re-identified. The new law only permits re-identification of such exempted information for specific, limited purposes. It also imposes disclosure obligations on businesses selling or disclosing de-identified health information, and, beginning January 1, 2021, requires contracts for sale or license of de-identified information (where one of the parties resides or does business in California) to include specific provisions stating that the information includes de-identified patient information, prohibiting re-identification of such information, and prohibiting further disclosure of the information to a third party unless the third party is bound by the same or stricter conditions.
AB 713 went into effect immediately and businesses that deal with de-identified information under HIPAA should take a close look at their practices to ensure their contracts, disclosures, and policies are compliant with the new amendment.
The Attorney General’s Third Set of Proposed Modifications to CCPA Regulations
On October 12, 2020, the Attorney General proposed modifications to the finalized CCPA regulations. Consistent with the AG’s priorities to focus on the “sale” of personal information and protect minors’ data, the modifications provide guidance on: notice to opt-out of sale of personal information through offline methods; mechanics of requests to opt-out of sale of personal information; and proof a business may require from an authorized agent and a consumer to verify a request. The regulations also clarify the special rules that apply to businesses handling minors’ data. The comment period for the proposed modification is October 13, 2020 – October 28, 2020.
The proposed modifications are available at https://www.oag.ca.gov/privacy/ccpa/current
California Privacy Rights Act (“CPRA”)
As if businesses did not have enough to deal with in terms of CCPA compliance, there may be a new set of data privacy requirements coming. The CPRA, dubbed “CCPA 2.0,” is on the ballot for the November election. The CPRA would amend and expand the CCPA, keeping certain provisions in place while revising or adding new provisions. Current polling shows strong support for this initiative and it appears likely to pass.
Select key provisions of CPRA include the following:
- California Privacy Protection Agency (“CPPA”) – CPRA creates an independent agency – the first of its kind – with authority and jurisdiction to implement and enforce the CCPA. With an agency like this focused solely on enforcing privacy violations, businesses can expect much more rigorous enforcement of privacy laws in California. The CPPA would take over authority for issuing regulations from the Attorney General’s office, and it will be interesting to see how this new agency functions and what its priorities of enforcement will be.
- Sensitive Personal Information – CPRA introduces a new category of personal information called “sensitive personal information” encompassing health data, sexual orientation, race, origin, geolocation, financial data, genetic data, biometric data, social security number, driver’s license, etc. It also allows consumers the right to limit the use and disclosure of such sensitive personal information by businesses. Accordingly, businesses may need to add yet another link to their website homepage to allow consumers to exercise their rights to limit the use of their sensitive information.
- Behavioral Advertising – Importantly, the CPRA attempts to address the gray area in the CCPA regarding whether opt-out rights applicable to data “sales” apply to the sharing of personal information for behavioral advertising. The CPRA explicitly extends consumer opt-out rights to the sharing of personal information by a business to a third party for “cross-context behavioral advertising.” Many companies may already have been treating such data sharing as a potential “sale” under the CCPA, in which case, the CPRA may not require further significant modifications to current practices. But companies that were taking the position that the opt-out right did not apply to behavioral advertising will have to alter their practices.
- Definition of Covered Businesses – CPRA modifies the definition of a “business” to only include those businesses that collect information of 100,000 California consumers or households. This threshold is double the current 50,000 California consumers or households trigger. However, even if passed, the CPRA will not be effective until 2023, so businesses that meet the current 50,000 threshold must comply with the CCPA in the interim. Additionally, the CPRA expands its application to businesses that derive 50% of their revenue from selling – or “sharing” – personal information.
- Expanded Consumer Rights – CPRA will give consumers additional rights such as the right to correct their data, right to not be retaliated against for exercising their rights, right to prevent companies from storing the data longer than necessary, right to opt-out of companies tracking precise geolocation within less than 1/3 of a mile, etc. Consumers’ Right to Know will also be expanded under the CPRA to include all information collected about them as opposed to only information collected by the business in the past 12 months.
- Increased Liabilities – The CPRA leaves in place the CCPA’s private cause of action for data breaches, but adds consumer login credentials, such as email and password or security questions and answers, to the types of data that trigger the private right of action. The CPRA also triples fines related to the collection and sale of personal information of minors.
If the CPRA passes, all businesses, especially those collecting sensitive personal information or information of minors, will need to again re-evaluate their data mapping, collection, sharing, and use practices in light of the new law and make necessary changes.
Governor Newsom Vetoes Two Privacy Bills
While Governor Newsom signed AB 1281, extending the Employee and B2B data exemptions under the CCPA, he vetoed two other laws that would have imposed fairly onerous requirements on businesses collecting data of minors and certain genetic information.
- Parent’s Accountability and Child Protection Act – In the wake of several large tech companies paying hefty fines for misuse of data obtained from minors, and in an effort to protect minors’ privacy on social media platforms, the California legislature passed AB 1138, titled “Parent’s Accountability and Child Protection Act.” If this Act had been signed by Governor Newsom, it would have required operators of social media websites or applications, who actually know the person attempting to create an account on their platform is under 13 years of age, to explicitly obtain consent from a parent or guardian before creating the account. “Social media” was defined broadly. Methods to obtain consent would have required reasonable measures to ensure that the person giving consent is the parent or legal guardian of the minor trying to create an account, such as through a signed consent form, provision of a credit or debit card, calling a toll-free number or connecting via videoconference with trained personnel, or other methods providing valid proof of parental identity and consent.
Social media platforms should be relieved that they do not have to revisit their consent procedures just yet. However, businesses should continue to be aware of the Children’s Online Privacy Protection Act (“COPPA”), which is still in force to protect the rights of minors.
- Genetic Information Privacy Act (“GIPA”) – DNA testing has gained popularity in recent years as companies like 23andme and Ancestry DNA have provided consumers with an easy way to trace their familial roots. Recognizing the sensitivity of genomic data and the huge potential for misuse, the California legislature passed GIPA in an effort to protect genetic privacy. If Governor Newsom had signed GIPA into law, it would have applied to direct-to-consumer genetic testing companies and any company that collected, used, maintained, or disclosed genetic data collected or derived from a direct-to-consumer genetic testing product or service or provided directly by a consumer. The law would have required transparency about such companies’ data practices and procedures — collection, use, maintenance, and disclosure of genetic data — through clear privacy notices.
Significantly, GIPA would have required companies to obtain express and separate consent for the collection, use, or disclosure of the consumer’s genetic data. GIPA would also have mandated implementation and maintenance of reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure. It would also have given consumers the rights to access their genetic data, delete their account and genetic data (subject to exceptions), and have their biological sample destroyed.
While Governor Newsom’s veto takes this law off the table, we can expect privacy concerns regarding genetic data to continue to be an area of focus for privacy rights advocates.
National Privacy Law Update
No discussion of privacy laws would be complete without a check on the status of federal privacy law. A federal privacy regime has been in the works for quite some time, and the current state of affairs – including the COVID pandemic’s acceleration of remote work, online schooling, and other activities, greater use of and concern over the use of health data, invalidation of the EU–US Privacy Shield based on cybersecurity concerns, and the ban on TikTok – has brought privacy concerns front and center and prompted lawmakers to revisit this important topic. However, the path to national privacy legislation remains murky.
Implementing a federal law presents complex problems such as enforcement (whether federal, combined federal and state, or private), harmonizing the current patchwork of federal, state, and industry laws, and potential preemption of state laws, particularly where those laws provide higher standards of privacy protections such as in California.
Thus, while national privacy legislation appears inevitable, the timing of when it will arrive remains uncertain.
In sum, 2020 has given businesses a lot to deal with, including in terms of privacy laws and compliance, and there is much more to come. Stay tuned for further developments.