California’s privacy laws continue to be a shifting landscape, creating compliance challenges for companies doing business in California. The California Privacy Rights Act (CPRA) was approved by California voters on November 3, 2020, adding new requirements to the California Consumer Privacy Act (CCPA) that will go into effect on January 1, 2023. The ballot measure passed only two months after California’s Attorney General released amended regulations for the CCPA on August 27, 2020, and a month after Governor Gavin Newsom signed amendments to the CCPA into law in October.
RJO’s Cybersecurity and Privacy Group is dedicated to helping our clients work through the changing landscape of the CCPA and other privacy legislation and regulations and can provide customized and practical assistance with data privacy preparation and compliance efforts.
The most immediate impact of the CPRA is the establishment of a California Privacy Protection Agency, which will have responsibility for administering and enforcing the CCPA. This will include issuing new regulations, likely in late 2021 or early 2022; they must be adopted by July 1, 2022, at the latest. California’s Attorney General has previously expressed that his office has limited ability to investigate and enforce California privacy laws given its other responsibilities, so a dedicated agency will likely mean an increase in investigations and enforcement actions. The agency is also likely to re-examine the CCPA regulations issued by the Attorney General in light of the changes brought on by the CPRA and will have to issue new regulations to implement those changes.
As we have previously discussed, the CPRA will tighten a number of areas covered by the CCPA and add new compliance obligations that will apply to personal information collected by businesses on or after January 1, 2022. Some key changes include:
The California Privacy Rights Act also extends two key California Consumer Privacy Act exceptions for personal information collected from employees and as part of business-to-business transactions. These exceptions will now be extended until January 1, 2023, and will be the subject of lobbying and legislation to set out a more comprehensive policy for employee data.
In September, Governor Newsom signed AB 713 into law, amending the CCPA to expand exemptions for personal health information, effective immediately. In particular, the amendment aligned the CCPA treatment of de-identified personal health information with HIPAA, providing that information that has been de-identified in accordance with HIPAA standards and is derived from patient information collected by an entity covered by HIPAA, CMIA, or the Federal Common Rule, is exempt from the CCPA. In doing so, AB 713 resolves the potential disconnect between the treatment of data that is sufficiently de-identified under HIPAA but would not meet the exemption standard under the CCPA, harmonizing compliance obligations for health companies. The amendment also adds exemptions for HIPAA business associates and for research carried out under appropriate industry standards and federal regulations that better align with HIPAA definitions.
AB 713 creates new obligations as well. The amendment requires that businesses that sell or disclose de-identified patient information add a new consumer disclosure describing the de-identification method used and further prohibits the re-identification of such information. Additional obligations include disclosure requirements for contracts for the sale or license of de-identified patient information, which must include new provisions disclosing that fact, and prohibiting re-identification and re-disclosure to a third party without parallel contract provisions in place. This particular obligation goes into effect on January 1, 2021.
Rogers Joseph O’Donnell specializes in working with corporate and business clients on compliance with complex laws and regulations that impact their business. RJO’s Cybersecurity and Privacy Group is comprised of experienced attorneys from each of its other practice areas, allowing us to understand and tailor our work to our clients’ business needs. For compliance advice or defense of claims, contact any of the Practice Group Chairs or the authors of this article at www.rjo.com.