Latest CCPA Developments Include Legislative Amendments on Health and Employee Data
Privacy in Focus®
The past year has been a sprint toward compliance for companies seeking to implement the California Consumer Privacy Act (CCPA). However, even though the law has only recently taken effect, change is already on the horizon. Below we summarize recent updates to CCPA implementation, as well as key developments that all businesses subject to the CCPA should be aware of. Of particular interest, businesses subject to the CCPA should know:
- The CCPA regulations are final and effective.
- The California Attorney General (AG) has begun enforcement activity.
- The state legislature has passed two bills impacting the CCPA – one that would extend the current employee and B2B exemptions and one that would clarify how the CCPA operates with the Health Insurance Portability and Accountability Act (HIPAA). Both bills are awaiting the Governor’s approval.
- A ballot initiative, to be voted on in November, may overhaul the CCPA framework, which would significantly impact businesses’ compliance programs.
Current CCPA Status: The Statute and the Final Regs Are Both in Effect, and the Attorney General Has Begun Enforcement Activity.
The CCPA took effect on January 1, 2020; however, the implementing regulations developed by the AG’s office remained in flux for most of this year, as the AG went through several versions of the draft regulations and took public comment. The final regulations were recently approved by the Office of Administrative Law (OAL). The final regulations – with certain edits, explained here – went into effect on August 14, 2020. Because the regulations underwent several rounds of revisions since they were first proposed, it is imperative that businesses revisit the status of their compliance efforts.
Additionally, the AG’s office has begun enforcement of the CCPA. Reports indicate that its first round of “notice” letters were sent on July 1, 2020, the first day the AG was permitted to enforce the law.
More Developments: While Legislators Continued to Tweak the CCPA, Businesses Should Be Aware That a Major Overhaul Is Being Considered on the November Ballot.
Legislative Developments. The California legislature remained active this year on CCPA issues. First, the legislature passed AB 1281, which is now awaiting the Governor’s signature. AB 1281 would extend the CCPA’s exemptions for employee and business-to-business personal information for an additional year. Under current law, the exemptions are scheduled to sunset on January 1, 2021, so if the Governor approves AB 1281, the exemptions will be extended until January 2022. That is, of course, if an upcoming ballot initiative is not passed. As drafted, AB 1281 would only extend the exemptions if the California Privacy Rights Act (CPRA), discussed below, is not passed, given that the CPRA would extend these exemptions until January 2023 when the law takes effect.
Second, AB 713 – which was also passed by the legislature and is now awaiting the Governor’s approval – affirms that HIPAA standards (not CCPA standards) control when evaluating the use of de-identified patient data. It also would create a ban on covered businesses or individuals relinking data to specific patients after it was de-identified for medical or research purposes.
CPRA. Despite the herculean efforts taken by businesses to implement the CCPA, the privacy law may be overhauled by a ballot initiative this November. A new privacy proposal – the California Privacy Rights Act – will be on the ballot in the November general election. If passed, the CPRA would significantly expand upon the CCPA, with its proposals bringing a mixed bag for covered businesses. For example, CPRA could bring relief for businesses, such as clarifications to the “sell” definition. But it would also introduce additional obligations, such as limitations on the use of sensitive data, forcing businesses to once again rework their privacy programs for California consumers. If voters approve the CPRA, it will take effect in January 2023.
Next Steps for Covered Businesses.
We encourage all businesses subject to the CCPA’s obligations to revisit their compliance efforts to ensure that current practices comply with the final version of the regulations, as approved by the OAL. Additionally, as discussed above, more changes may be coming soon to California’s privacy regime – stay tuned for developments.
Our team has helped entities of all sizes from various sectors parse through complicated CCPA issues – from determining whether the CCPA applies, to developing compliance programs. If your organization has questions about the CCPA or the possible impact of these developments, do not hesitate to reach out.
© 2020 Wiley Rein LLP