Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on Tuesday, March 2, 2021. Virginia now joins California as the second state to have a data privacy law. The law takes effect on January 1, 2023, so businesses have some time to get ready. In our previous article on the proposed legislation, we described the new consumer rights available, the lack of a private right of action, and detailed which businesses will have to comply with the new law.

In addition to providing consumers with their rights regarding their data, the CDPA requires transparent processing of personal data through a privacy notice, which must include the following:

  • The categories of personal data collected by the controller;
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • The rights that consumers may exercise via the new law;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

In addition, if a controller sells personal data to data brokers or processes personal data for targeted advertising, controllers must disclose such processing to consumers and inform them about how a consumer may exercise the right to object to such processing, in a clear and conspicuous manner.

Finally, the new law requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.

This week, Consumer Reports published a Model State Privacy Act. The consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.” Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.

The California Consumer Privacy Act (CCPA) requires businesses covered by the CCPA to notify their employees of the categories of personal information the business collects about employees and the purposes for which the categories of personal information are used. The categories of personal information are broadly defined in the CCPA and include personal information such as medical information, geolocation data, biometric information, and sensory data.

As a result of the COVID-19 pandemic, many businesses are conducting screenings of employees for COVID symptoms. In many states, it is either required or recommended that businesses conduct such screenings of employees prior to entering the workplace. These employee screenings vary across the country but many include documenting an employee’s temperature, whether they have any COVID-related symptoms or exposure to individuals with COVID-19, or documenting travel out of state or out of the country. States vary too, in the method of collection of this information, with employees completing a written questionnaire via email, text, or mobile application. COVID-19 screening and temperature data is recorded and kept daily to demonstrate compliance with state and local public health requirements.

So, what does this mean for CCPA compliance? None of us could have predicted a year ago that employers would be collecting temperature data, lists of symptoms, and travel information from our employees. If you drafted your CCPA employee notice prior to the start of the pandemic, you may want to review the categories of personal information you now collect in light of these COVID-19 data collection requirements and recommendations. For example, depending upon the type of temperature check, this data could be considered biometric information or sensory data. Your employee notice may also need to disclose how such categories of personal information are used by the business, such as to comply with state and local public health requirements.

While the CCPA requires notice to employees of the categories of data collected, in light of the pandemic, businesses may wish to review their employee notice to determine if it needs to be updated to accurately reflect any additional categories of personal information collected and how the business is using that personal information.

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(1) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country as it now includes entirely new classes of personal information such as racial, ethnic origin, religious or philosophical beliefs or union membership, the content of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health or sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

According to the Los Angeles Times and other media outlets, Californians passed Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). With 71.61 percent of precincts reporting, the measure passed with 56.1 percent of the vote. We wrote about the CPRA last week, and we provided an overview of this new privacy law in California that expands on the California Consumer Privacy Act (CCPA).

The CPRA has some new privacy provisions that pull from other privacy laws. Of particular interest in the CPRA are provisions to expand the restrictions on the sale of personal information to include the sharing of personal information, the regulation of automated decision making, the requirement of additional security and risk assessments for certain businesses, additional requirements for third parties, and the creation of a new regulatory agency for enforcement actions.

We will continue to review the CPRA and will provide more details soon regarding this new California privacy law and what it means for businesses.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0; however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR), the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like: the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses’ data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(1) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA; however, these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded so that consumers whose email address, in combination with a password or security question and answer that would permit access to the account, is breached are able to institute a civil action and to recover damages or other injunctive relief. The CCPA 30-day cure period after notice of a breach is eliminated, and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers whom the business has actual knowledge are under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.


Recently we wrote about two amendments to the California Consumer Privacy Act of 2018 (CCPA) that were awaiting signature on Governor Newsom’s desk: AB 1281, which extends the one-year exemptions for employee information and business to business information for another year until January 1, 2022; and AB 713, which provides an exemption from the CCPA to medical information that is governed by the California Confidentiality of Medical Information Act (CMIA) or to protected health information that is collected by a covered entity or business associate governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH). Both amendments were signed by the Governor.

While AB 1281 extends the exemptions for employee information and business to business information from the CCPA for another year, AB 713 actually broadens the CCPA exemption for medical information to include business associates. Section 1798.146(a) now includes a business associate of a covered entity governed by HIPAA and HITECH, to the extent that the business associate maintains, uses, and discloses patient information.


The California Consumer Privacy Act of 2018 (CCPA) currently exempts from its provisions certain information collected by a business about a natural person in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. This exemption is set to expire on December 31, 2020. In addition, the so-called business-to-business exemption for transactions and communications with the business that occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency is also set to expire on December 31, 2020.

Recent legislation passed in California would extend both of the exemptions until January 1, 2022. Assembly Bill 1281 (AB 1281), which was presented to Governor Gavin Newsom on September 8, 2020, extends the one-year exemption for employee information and business-to-business information for another year until January 1, 2022. The bill also provides that the extension of these exemptions is contingent upon voters not approving the ballot Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA). Should the CPRA pass on November 3, it would extend these exemptions until January 1, 2023. Some other highlights of the CPRA include the creation of a new category of sensitive personal information (SPI) that would give consumers the power to restrict its use, a provision that allows consumers to prohibit businesses from tracking their precise geolocation to a location of approximately 250 acres, and the addition of email and passwords to the list of defined “personal information” included in a data breach.

The key takeaway here is that if AB 1281 is enacted or if Proposition 24 passes, employee/job applicant information as well as business-to-business communications will continue to be exempt from the CCPA. Both AB 1281 and AB 713 regarding medical information, which we wrote about recently here, are currently on Governor Newsom’s desk.


DataGrail recently released a mid-year report on trends related to the California Consumer Privacy Act (CCPA) and how it has affected consumers and businesses. The report indicates that consumers are regularly opting out of the sale of their personal information, with the “do not sell” right being the most exercised right, occurring 48 percent of the time, more than access rights (at 21 percent) and deletion requests (at 31 percent).

Overall, according to this report, about 83 percent of consumers expect to have control over how businesses use their data, and this research confirms that people are taking action to control their privacy by exercising rights provided by the CCPA.

When the CCPA first went into effect in January 2020, DataGrail found that Californians began exercising those rights right away. In January 2020, there was actually a surge of individual requests to exercise their rights granted under the CCPA. Since that initial surge, such requests have leveled off at about 13 requests per million records every month. Data from a recent Gartner report show that the manual processing of one single request costs an average of $1,406. If companies continue to process these requests manually, that could be upwards of $240,000 per million records. It seems like a call for a standardized process that can be implemented by companies across the board to handle these requests more efficiently.

DataGrail also found that 3 out of 10 requests go unverified (i.e., no fraud detection for requests that might be made for purposes of stealing personal information). This again shows a need for a scalable verification process to prevent harm to consumers, which the CCPA aims to protect against.