Despite the far-reaching consequences of the COVID-19 pandemic, California privacy law continues to evolve. Apart from the California Consumer Privacy Act (CCPA), there is a new statewide ballot initiative, the California Privacy Rights Act (CPRA), which would modify and build onto the CCPA. In addition, 2020 has brought new privacy legislation signed into law or vetoed by Governor Newsom. This amount of activity in the area of privacy rights proves that there will be more developments on the way. Therefore, businesses need to prepare and take the necessary steps to comply with California’s evolving privacy law.
California Consumer Privacy Act Enforcement
When the California Consumer Privacy Act enforcement period started on August 14, 2020, many companies expected that the final regulations were in place. However, the California Attorney General’s office released a third set of proposed modifications to the CCPA Regulations on October 12, 2020.
This third set of proposed modifications of California privacy law makes the following revisions to the regulations:
- Requiring businesses that interact with consumers offline to provide notice of the right to opt out through an offline method and giving examples of such methods,
- Requiring the methods for submitting requests to opt out to be easy for consumers to execute and to require minimal steps to opt out. This includes not requiring consumers to provide information that is not necessary to implement the request,
- Clarifying how businesses may require authorized agents and consumers to submit proof to verify their request, and
- Clarifying that businesses subject to either Rules Regarding Consumers under 13 Years of Age, Rules Regarding Consumers 13 to 15 Years of Age, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.
CPRA as the Newest Addition to California Privacy Law
In addition to dealing with CCPA compliance, there is a new set of data privacy requirements to prepare for. As a new addition to California privacy law, the CPRA would amend and expand the CCPA, keeping certain provisions in place while also revising or adding new ones.
Highlights of the CPRA include:
- Creating an independent agency, the California Privacy Protection Agency, with authority and jurisdiction to implement and enforce the CCPA;
- Introducing a new category of personal information called sensitive personal information, encompassing health data, sexual orientation, race, origin, geolocation, financial data, genetic data, biometric data, social security number, driver’s license, etc.;
- Attempting to address whether opt-out rights applicable to data sales apply to the sharing of personal information for behavioral advertising;
- Modifying the definition of a business to include those businesses that collect information of 100,000 California consumers or households;
- Giving consumers additional rights such as the right to correct their data, the right not to be retaliated against for exercising their rights, the right to prevent companies from storing the data longer than necessary, the right to opt out of companies tracking precise geolocation within less than 1/3 of a mile, etc.;
- Leaving in place the CCPA’s private cause of action for data breaches, but adding consumer login credentials to the types of data that trigger the private right of action.
Extension of the CCPA’s Exemptions for Employee and B2B Data
Under the CCPA, certain data collected about employees and job applicants, and data collected about individuals acting as points of contact in business-to-business relationships are exempted from most of the requirements. However, those exemptions were set to expire at the end of 2020, unless some action was taken.
That is why the legislature passed two amendments that will affect California privacy law:
- AB 1281 will extend the CCPA’s exemptions for personal information collected and shared in the employment and business-to-business contexts through 2021 if the CPRA does not pass. The CPRA contains the same extensions but through 2022.
- AB 713 exempts from the CCPA de-identified consumer health or medical data handled in accordance with the federal Health Insurance Portability and Accountability Act (HIPAA), thus eliminating concerns that businesses would have to comply with conflicting privacy regimes. This amendment provides additional exemptions regarding the use of personal information in medical research and by business associates of healthcare entities already covered by federal privacy, security, and data breach notification laws. Finally, it sets forth certain requirements regarding the sale of de-identified information.
Ensuring Compliance with California Privacy Law
2020 has given businesses a lot to deal with, including new additions to California privacy law and compliance, and there is much more to come. Given these developments, it is more and more likely that other states will draft their own data privacy laws in the near future. Therefore, it is necessary that businesses put mechanisms in place to support them as soon as possible.
The best way for businesses to align their data security and privacy practices with California privacy law, as well as other privacy laws looming on the horizon, is to integrate proper programs and technologies. This would allow them to classify personal data, protect it, and monitor and analyze for threats, thus ensuring constant and simplified compliance.