Today, we are all facing a public health crisis unlike any other we have seen in our lifetime. In addition to serious consequences to global health, the COVID-19 pandemic has created significant disruption in the legal system, and privacy law initiatives have not been immune to the virus’s impact. With many state legislatures nearing or at the end of legislative sessions taken over by pandemic priorities, state privacy bill initiatives across the country are grinding to a halt. However, some lawmakers are pushing forward with targeted proposals to protect individual privacy in the face of COVID-19, and some states, particularly California, continue public and private efforts to bolster privacy in their jurisdiction. Below is a summary of the 2020 privacy legislative efforts to date and the impact COVID-19 has had on their progress.
COVID-19 Halts State Comprehensive Privacy Law Initiatives
Similar to last year, the 2020 state legislative session saw many states considering comprehensive privacy laws drawing inspiration from the California Consumer Privacy Act (“CCPA”). Fifteen states in particular proposed privacy laws that closely track the rights and obligations introduced in California by the CCPA. However, over half of these states were unable to make meaningful progress on the proposed privacy laws before their current legislative sessions adjourned or were disrupted by the recent pandemic. The remaining proposed privacy laws face a significant uphill battle with the COVID-19 pandemic shifting legislative attention and disrupting lawmakers’ efforts. The below chart identifies the current status of those privacy laws most like the CCPA in breadth and potential impact.
Still Waiting for the Final California Consumer Privacy Act Regulations
We are still waiting for the CCPA regulations to become final. The first draft of the CCPA implementing regulations was published on October 10, 2019. On February 7 and on February 10, 2020, the California Attorney General, Xavier Becerra, released an updated draft of proposed regulations pursuant to the CCPA. Then, on March 11, 2020, the California Attorney General published a second set of modifications to the proposed regulations. The public comment period for the second set of modifications concluded on March 27, 2020. The California Attorney General can now either issue another draft of the proposed regulations or finalize the regulations as currently written. If the California Attorney General makes further substantive changes in response to the comments filed during this comment period, another public comment period will follow. The most recent draft of the proposed regulations had fewer modifications than previous drafts. This may indicate that the California Attorney General is getting closer to finalizing the regulations. Additionally, a senior official in the California state legislature, Drew Liebert (chief of staff for California Senate Majority Leader, Bob Hertzberg) said at a virtual privacy and data security conference on May 8 that the most recent draft of the proposed regulations will likely be the last. Due to the COVID-19 crisis, officials in the California Attorney General’s Office have been forced to work from home, creating delays and unexpected difficulties to the review process, making it “highly unlikely” the California Attorney General’s Office will release another set of modifications to the regulations.
Once the California Attorney General is ready to issue the final regulations, the California Attorney General will prepare and submit the final rulemaking record to the Office of Administrative Law (“OAL”) for approval. This record will include the Final Statement of Reasons, in which the California Attorney General will summarize and respond to each public comment received. Usually, the OAL will then have thirty (30) working days to determine whether the record satisfies all procedural requirements. However, California Governor Gavin Newsom issued an executive order (available here) linked to the COVID-19 crisis on March 30, 2020, extending this deadline for a period of sixty (60) calendar days. As of the date of this article, it does not appear that the final regulations have been sent to the OAL for approval, as the regulations are neither listed on the OAL’s Regulations Under Review list (available here), nor has there been a press release on the topic on the California Attorney General’s website. Once the OAL has received, reviewed and approved the final regulations, the final text of the regulations must be filed with the Secretary of State for adoption.
One additional consideration to take into account when attempting to determine when the CCPA regulations are likely to become final is that regulations typically may become effective on only one of four dates throughout the year, depending upon the date the OAL files the final regulations with the Secretary of State:
- January 1 effective date, if filed between September 1 and November 30;
- April 1 effective date, if filed between December 1 and February 29;
- July 1 effective date, if filed between March 1 and May 31; and
- October 1 effective date, if filed between June 1 and August 31.
The actual effective date can vary, however, if a different effective date is provided for in statute or other applicable law, if the adopting agency requests a later effective date, or if the adopting agency demonstrates good cause for an earlier effective date.
That generally means the earliest effective date of the final CCPA regulations will depend on the date that the OAL files the regulations with the Secretary of State. As of the date of this article, it is likely that the earliest effective date will be October 1, unless the California Attorney General shows good cause for an earlier effective date or requests a later date.
For now, businesses subject to the CCPA should ensure that they have implemented a CCPA compliance program aligned with the first and second set of modifications to the proposed regulations in order to be well-positioned for when the regulations are finalized, as it is likely that the current version of the proposed regulations is near final. If a business is still in the process of implementing its CCPA compliance program, it would be wise to start thinking about how to incorporate the new requirements between now and the anticipated effective date of October 1.
CCPA 2.0: The California Privacy Rights Act Ballot Initiative
Californians for Consumer Privacy, the same group responsible for the creation of the CCPA, proposed the California Privacy Rights Act (“CPRA”) last year as a new ballot initiative to “strengthen” California privacy law and address what it describes as efforts by companies to “actively and explicitly prioritize weakening the law” and the evolution of “technological tools . . . that exploit a consumer’s data with potentially dangerous consequences.” Amending the CCPA, the CPRA proposes a number of changes addressing ambiguities in the law and overly burdensome privacy requirements, while simultaneously introducing new privacy and security obligations for covered businesses.
On May 4, 2020, the Californians for Consumer Privacy announced that it submitted well over 900,000 signatures to qualify the CPRA for the November 2020 ballot. If a sufficient number of the CPRA petition signatures are verified, the CPRA will qualify to be placed on the November ballot and a majority vote would pass the CPRA into law. At this time, the CPRA appears to have garnered sufficient statewide support to either become law on its own or to put sufficient pressure on the California legislature to make substantially similar amendments to the CCPA. As a result, it is likely the CPRA will impact businesses’ compliance with California privacy law, but the full extent of the impact remains unclear at this time.
Click here for an in-depth analysis of the key CPRA provisions and whether the CPRA is likely to become law.
U.S. Senators Introduce Competing Privacy Bills Targeting COVID-19 Tracking
In Washington, D.C., competing proposals have been introduced since the end of April targeting the potential data privacy concerns relating to contact tracing. First, on April 30, Senator Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation, along with four other Republicans, announced the introduction of the COVID-19 Consumer Data Protection Act (S. 3663), which specifically targets privacy concerns relating to “personal health information, proximity data, device data, and geolocation data.” In response to the Republican-backed bill, Democrats, led by Senator Michael Blumenthal, D-Conn., introduced the Public Health Emergency Privacy Act (S. 3749), aimed at protecting the privacy of health information, on May 14.
While both bills focus on health and location information relating to contact tracing, there are material differences that will make it interesting to watch their progression:
- Scope of Covered Entities: The COVID-19 Consumer Data Protection Act, which applies to commercial entities, including nonprofits, has a narrower scope than the Public Health Emergency Privacy Act, which applies to both public and private entities.
- Scope of Covered Data: The COVID-19 Consumer Data Protection Act has a narrower scope of covered health information and geolocation data due to its exclusion of “aggregated data; business contact information; de-identified data; employee screening data; and publicly available information.” The bill also exempts data covered by FERPA and HIPAA. The Public Health Emergency Privacy Act contains a potentially broad exemption for data processing done by “public health or scientific research” conducted by nonprofits, universities, or public health authorities.
- Privacy and Security Requirements:
  - Use Restriction: Both bills would restrict the use of covered data to public health purposes, such as tracking of COVID-19, monitoring social distancing compliance, and contact tracing.
  - Consent Requirement: Both bills require affirmative, express consent prior to collection, processing, or use of the covered data and a mechanism for revocation of consent. The Public Health Emergency Privacy Act also specifically prohibits the collection, use, or disclosure of covered data for certain commercial purposes, such as commercial advertising, or for purposes of discriminating in any place of public accommodations.
  - Transparency and Reporting: Both bills require privacy policies be provided prior to or at the time of the collection of the covered data. Additionally, both bills require public reporting of specific metrics and data usage, with the Republican-led bill requiring such reporting every 60 days and the Democratic-led bill requiring it every 90 days.
  - Security: Under both bills, covered entities would be required to adopt reasonable data security policies and practices to address security and confidentiality concerns.
  - Data Disposal: The Public Health Emergency Privacy Act would require the deletion of emergency health data 60 days after the termination of HHS’s declared public health emergency, and within 30 days after an individual revokes consent. In contrast, the COVID-19 Consumer Data Protection Act is less prescriptive in its deletion requirements, requiring deletion of covered data when it is no longer being used for a COVID-19 response purpose or not necessary to comply with legal obligations or relevant to a legal claim.
- Enforcement: The COVID-19 Consumer Data Protection Act allows for enforcement of the act by the Federal Trade Commission and state attorneys general. In addition to those enforcement mechanisms, the Public Health Emergency Privacy Act also includes an individual private right of action, with varied levels of statutory damages based on culpability of conduct (negligent ($100-$1,000); reckless, willful, or intentional ($500-$5,000)).
- Preemption: The COVID-19 Consumer Data Protection Act would preempt all differing state laws, regulations, rules, requirements, and standards in the area covered by the act. By contrast, the Public Health Emergency Privacy Act would not preempt existing state laws that provide stronger privacy protections.
A side-by-side comparison of the key provisions of the COVID-19 Consumer Data Protection Act and the Public Health Emergency Privacy Act is available here.
As COVID-19-related issues dominate government agendas, privacy law progression will most certainly be affected. On the one hand, there are novel privacy implications relating to health information that likely will lead to some new government regulation and scrutiny. On the other hand, more general privacy legislation and regulation is likely to take a backseat to these emerging and urgent public-health-related concerns. What is certain is that privacy topics in some form will continue to be part of the public conversation and part of government agendas.
 The second set of modifications—available here (clean) and here (redline)—reflect input gathered during the public comment period for the first set of modifications that concluded on February 25, 2020. The first draft of the proposed regulations and the first set of modifications, as well as the public comments and the transcripts and audio of the public hearings, are available on the California Attorney General’s CCPA webpage. Our summary of the first set of modifications is available here. As with the first two drafts of the regulations, the second set of modifications to the proposed regulations included a public comment period which concluded on March 27, 2020. Our summary of the second set of modifications is available here.
 “I think you can pretty safely … assume that what you see in the second set of regulations is what will be the starting off point.” Drew Liebert, Five Months into CCPA: What’s Changed and What You Need to Know, Virtual Privacy + Security Forum (May 8, 2020).
 Drew Liebert, Five Months into CCPA: What’s Changed and What You Need to Know, Virtual Privacy + Security Forum (May 8, 2020).