Privacy & Cybersecurity

We previously provided insights into this important portion of the regulations here.  In this installment we address important revisions provided by the AG’s office to Article 3 of these regulations, several of which will have far reaching implications. 

Back in October, we provided a summary of Article 2 of the California Attorney General’s Initial Proposed CCPA draft regulations, which specify certain notices that must be given to consumers at the time of collection of their personal information, including consumers’ rights to opt-out of the sale of their personal information, and notices of financial incentives a business may offer in exchange for consumers’ personal information.

As the coronavirus remains to be an active outbreak with cases increasing within the United States, this is a good time to review how HIPAA applies in a public health emergency, including its restrictions and flexibility in these types of situations. Accordingly, last week, the Office for Civil Rights (OCR) released a helpful bulletin on how the HIPAA Privacy Rule comes into play with the coronavirus outbreak and other public health emergencies.

The revised draft regulations to the California Consumer Privacy Act were issued by the California Attorney General’s office on February 7, and then modified on February 10.   These amendments are open for public comment under Tuesday, February 25, 2020 at 5 pm PST. Starting tomorrow, we will update our October 2019 series of analyses of the various provisions of the draft regulations and operational impacts.

Late in the afternoon on Friday, the California Attorney General dropped the long-awaited revised draft regulations implementing the California Consumer Privacy Act of 2018 (CCPA).  The AG’s office provided a redline to the initial draft regulations, which we have previously discussed.

Representative Kathy Castor (D-FL) has introduced the Protecting the Information of Our Vulnerable Children and Youth Act (PRIVCY ACT), which is a significant rewrite of the Children’s Online Privacy Protection Act (COPPA). In so doing, the bill expands the scope of COPPA’s protections and creates new enforcement mechanisms. The children advocacy groups, Common Sense Media and the Campaign for a Commercial-Free Childhood, have come out in public support of the bill, as has the privacy advocacy group, the Center for Digital Democracy.

The companies Salesforce.com, Inc. and Hanna Andersson, LLC are on the receiving end of a novel lawsuit, which appears to be the very first data breach class action ever filed with alleged violations of the California Consumer Privacy Act (“CCPA”).  The case is styled as Barnes v. Hanna Andersson, LLC , N.D. Cal., Case No. 20-cv-00812.

Aristotle first suggested that “nature abhors a vacuum,” meaning that where there is a void, the universe seeks to fill it.  Although there has been some movement in Congress towards comprehensive federal privacy legislation states like California have taken up the gauntlet to fill the vacuum. We now have the California Consumer Privacy Act (CCPA) in force and expect to see other states take up similar laws this year. 

Some US companies who do business in the UK are wondering whether they need to update their GDPR notices or take other steps now that the UK has officially left the European Union.  The answer is: Not yet.  The threat of a “Hard Brexit” with immediate changes to UK laws has passed.

Now that the United Kingdom has officially withdrawn from the European Union as of January 31, you should look at your transfers of personal data in light of Brexit.   Under the Withdrawal Agreement between the UK and the EU, EU law (including GDPR) will continue to apply to and in the UK during the transition period from January 31, 2020 to December 21, 2020.   

With the CCPA having just become effective January 1st, 2020, affected entities and consumers may not have expected that actions are already being taken to dramatically amplify the consumer protections put in place by the CCPA.  Yet Alastair Mactaggart, who led the effort that resulted in the CCPA, via the advocacy group Californians for Consumer Privacy, has put forth a ballot initiative, to be known as the California Privacy Rights Act (CPRA), to do just that. 

The House is taking a different approach to drafting a federal privacy bill.  On December 18, Democratic and Republican staff for the House Energy & Commerce Committee released a bipartisan staff draft for circulation.  The “staff” in “staff draft” is key – the document does not necessarily reflect the policy positions of Members, particularly committee Chairman Frank Pallone (D-NJ) and Ranking Member Greg Walden (R-OR).

As 2020 gets underway, Congress will continue to deliberate on federal privacy legislation in the second session of the 116th Congress.  The California Consumer Privacy Protection Act (CCPA) went into effect on January 1, and the state will begin enforcing the law on July 1.  State Attorney General Xavier Becerra (D) is expected to release final regulations implementing CCPA within six months (although business certainly hopes sooner….). 

As more and more states seek to expand biometric privacy protection, plaintiffs begin to explore new claims under these legislative schemes. Companies, therefore, must proactively monitor their compliance with emerging privacy laws.

If you haven’t been paying attention to all the Microsoft warnings for the past year and your company is still running Windows 7, time’s up.   After January 14, 2020, Microsoft will stop pushing out security updates to Windows 7 for free.  You’ll still be able to run those Windows 7 systems, but they will be more susceptible to security problems and there will be no patches pushed out for these vulnerabilities.  

The short answer is “no”.    The CCPA has a specific definition for “service provider” at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title” and more.

As the decade winds down, it’s hard to believe that the HIPAA Privacy and Security Rules are almost twenty years old.  It has been ten years since the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the first breach notification rule – the one based on the harm standard.   And the Omnibus Rule’s “low probability of compromise” standard is almost seven years old!   Regulators and regulated entities are heading into the new year and decade with a lot of momentum on some important issues.  As we prepare to welcome 2020, we’d like to indulge in a bit of hindsight – as well as speculation – about what the new decade might hold for HIPAA-regulated entities. 

Because the term “consumer” is so broad in the CCPA (remember:  it’s any California resident), it would have applied to employee and job applicant data and all business contact information across the board.  After much negotiation, the legislature enacted (and the Governor signed) two amendments dealing with this information.  Until January 1, 2021, the CCPA will not apply to information collected about employees or job applicants, or in typical business-to-business (B2B) transactions by a business otherwise required to comply with CCPA.

Unless you have been living off the grid for the past year, you likely know that we are now down to 13 days and counting to the effective date of the California Consumer Privacy Act (CCPA).   We have received hundreds of questions and concerns from clients over the past few weeks in the preparations of compliance programs and thought we would share a question of the day (QOTD).

The European Data Protection Board (EDPB) recently published an updated version of its guidelines on the territorial scope of the GDPR, which were initially issued just over a year ago.  The revised Guidelines do not significantly change the EDPB’s essential framework for determining whether or not the GDPR applies to a given data processing activity.  The revised Guidelines do provide a few additional (and reasonably useful) examples as well clarifying a few points that were a bit hazy in the original formulation of the EDPB’s framework.