On Friday, Feb. 18, California Assemblymember Evan Low (D) introduced two bills (AB 2871 and AB 2891) that propose to extend the CCPA’s HR and B2B data exemptions, one through Dec. 31, 2026 and the other indefinitely. These proposed amendments were introduced just 10 months prior to the main provisions of the California Privacy Rights Act (“CPRA”) coming into effect, particularly the CPRA’s consequential provisions which cause HR and B2B data – specifically, personal information of HR data subjects (e.g., employees, applicants and independent contractors) and personal information collected in certain B2B transactions and communications – to become subject to the full scope of California’s omnibus privacy law. It’s not yet clear whether either of these bills has widespread support. However, if either does pass, it is almost certain that the legislature’s authority to do so will be challenged by privacy advocates on a constitutional basis, as we analyze below. Organizations for now should therefore proceed as if HR and B2B data will be in full scope of the CPRA starting Jan. 1, 2023.

The California Constitution prescribes when the legislature can amend a statute that was passed through a ballot referendum (the CPRA was approved as a referendum by California voters on Election Day 2020). In particular, Article II, Section 10(c) of the California Constitution states that “The Legislature may amend or repeal an initiative statute by another statute that becomes effective only when approved by the electors unless the initiative statute permits amendment or repeal without the electors’ approval.” The initiative statute – here the CPRA – does permit amendment or repeal without elector approval,

provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act. CPRA, Section 25(a).

The purpose and intent of the CPRA as to the extension of the HR and B2B exemption is stated directly: “It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.” It’s not clear whether further extending the exemption, as these proposed bills would, is consistent with this purpose and intent, or whether doing so could arguably serve to enhance privacy, especially in the absence of corresponding efforts to establish statutory privacy protections for these types of data subjects. Notably, the preamble of the CPRA additionally states, “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” This additional proviso leaves open the door for legislation that treats at least HR data subjects somewhat differently than traditional consumers.

These amendments will almost certainly tee up a challenge. Even if one or both of the amendments gain steam, organizations should be reluctant to forgo preparation for compliance with the CPRA as it relates to HR and B2B data because of the potential challenges these bills could face even if passed into law.

We head into the fourth quarter on the heels of the first public California Consumer Privacy Act (CCPA) civil penalty, while also looking ahead to the new state privacy laws in Virginia, Colorado, Connecticut, and Utah and the significant updates that the California Privacy Rights Act (CPRA) will bring to the CCPA. Considering that regulations are yet to be finalized in both California and Colorado, it is no surprise that some businesses are uncertain regarding how to proceed. To help businesses address both current risks, as demonstrated by recent enforcement, as well as the “new” 2023 privacy requirements, we have developed guidance materials, including high-level workstreams, covering the following topics:

  1. Preparing for the 2023 State Privacy Laws
  2. HR and B-to-B Data CCPA/CPRA Compliance Primer
  3. Lessons from the First CCPA Civil Penalty Case
  4. Takeaways from the First Draft of Revised CCPA/CPRA Regulations

Click here to download the guidance. More detailed guidance and workstreams, as well as model materials with customization support, are available to clients. Contact your SPB relationship partner for more information.

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.


The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent, requiring controllers or processors to meet three prongs:

  1. Do business in the state or target residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Meet data collection, processing, or sale/revenue thresholds.

Practically, this will likely exempt smaller to mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, unlike the other state laws.

In comparison, under the CCPA/CPRA, covered businesses could meet the revenue requirement or another threshold (e.g., sell/share the personal information of 50,000 or more consumers, OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds.

Enforcement

The UCPA establishes the Department of Commerce Division of Consumer Protection (“Division”), which will receive and investigate consumer complaints alleging violations of the UCPA. Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA. The AG may initiate an enforcement action based on the referral against a controller or processor that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violations have a 30-day cure period. After that period, the AG may initiate an action against a controller or processor for failure to cure the noticed violations or if violations are ongoing. The AG may seek up to $7,500 for each violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates liability and enforcement provisions and provides a summary of the data protected (and not protected) by the UCPA. Perhaps this report will spur the need for amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, Division, or other agency to carry out rulemaking in the meantime.

 

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation.  Please reach out to the authors if you are interested in additional information.

SEC Set to Consider Cybersecurity Proposal to Amend Regulations, Likely Affecting Public Companies | Consumer Privacy World

Privacy Continues to be Top of Mind Issue With President Biden’s State of the Union Address and Movement on FTC Nominee Today | Consumer Privacy World

UPDATED: Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

CPW on the Speaking Circuit in March: Warren to Speak at PrivSec China on China’s Data Privacy Law | Consumer Privacy World

Maryland Considering Biometrics Bill That Could Shift Compliance Landscape and Contains Private Right of Action | Consumer Privacy World

Georgia Considering Broad Privacy Bill With Private Right of Action and Liquidated Statutory Damages That Would Exceed Scope of California Law | Consumer Privacy World

CPW on the Speaking Circuit in March: Golding to Speak at 31st National HIPAA Summit | Consumer Privacy World

Utah One Step Closer to a Consumer Privacy Bill | Consumer Privacy World

Squire Patton Boggs (US) LLP and CPW Welcomes Privacy Pro David Oberly | Consumer Privacy World

ICO, CMA and Google Reach Agreement on Privacy Sandbox Proposals | Consumer Privacy World

The Metaverse Social and Economic Implications: A Do-Not-Miss CTO Circle Event | Consumer Privacy World

Federal Judge Refuses Second Time to Approve Class Action Settlement, Rejecting Plaintiffs “You Can Lead a Horse To Water” Explanation Upon Identifying Notice Deficiencies | Consumer Privacy World

Squire Patton Boggs Continues Growth of Acclaimed Data Privacy, Cybersecurity & Digital Assets Practice With Promotion of Kyle Fath and Litigator Kristin Bryan to Partner | Consumer Privacy World

President Biden to Nominate DC Circuit Judge Ketanji Brown Jackson to Supreme Court-What Impact Will This Have on Data Privacy and Cybersecurity Cases Going Forward? | Consumer Privacy World

Illinois Appellate Panel Ruling Findings Union Workers Biometric Claims Preempted by Labor Law and Subject to Binding Arbitration | Consumer Privacy World

Federal Court Dismisses California Cybersecurity Litigation Concerning Alleged Disclosure of Information in Website Hack | Consumer Privacy World

Early FTC Action in 2022 on Data Privacy, Facial Recognition and AI Less Likely Following Commissioner Remarks to U.S. Chamber of Commerce | Consumer Privacy World

Loyalty Program CCPA Compliance: Kyle Dull Talks to Law360 | Consumer Privacy World

Federal Court Gives Rare Refusal for Final Sign Off on Data Privacy Class Action Settlement, Faulting Low Take Rate and Excessive Fees | Consumer Privacy World

CCPA/CPRA Proposed Amendments Would Extend HR and B2B Data Exemptions, or Would They? | Consumer Privacy World

EDPB Coordinated Enforcement Action on Cloud under the CEF and the French CNIL’s 2022 Investigation Program | Consumer Privacy World

Federal Court Reaffirms State Privacy Law Not a Shield From Discovery In Federal Litigation Concerning Theft of Client Database and Other Proprietary Information | Consumer Privacy World

NIST Publishes New Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products | Consumer Privacy World

California Privacy Agency Announces Rulemaking Details –July Deadline to be Missed and Process Will Bleed Into Q4 or Beyond | Consumer Privacy World

California and Colorado Privacy Regulators Provide Updates on Rulemaking | Consumer Privacy World

Privacy regulators in California and Colorado recently made announcements regarding rulemaking for their respective state privacy laws. Last week, the California Privacy Protection Agency (“CPPA”) announced that it will hold its next public meeting this Thursday, February 17, during which it will discuss updates on the rulemaking process, including a timeline. On January 28, Colorado Attorney General Phil Weiser publicly announced the intent of the Colorado Office of the Attorney General (“COAG”) to carry out rulemaking activities to implement the Colorado Privacy Act (“CPA”), providing an indication of focus areas and a rough timeline. We discuss each of these developments in further detail below.

On December 9, 2021, Alan Friel, Co-Chair of the SPB Global Data Privacy, Cybersecurity & Digital Assets Practice, led a fireside chat between U.S. Congresswoman Suzan DelBene and Alastair Mactaggart, as part of the session on Privacy, Security, Data Protection and Trust at the International Institute of Communications’ (“IIC”) Washington DC Telecommunications & Media Forum (“TMF”).  A recording of the discussion is available here.

Congresswoman DelBene serves as the Vice Chair of the powerful House Ways and Means Committee, is the co-chair of the Women’s High-Tech Coalition, and has introduced federal consumer privacy legislation, the Information Transparency & Personal Data Control Act (“H.R. 1816”). Mr. Mactaggart is the force behind California’s privacy laws and is the Board Chair and Founder of the Californians for Consumer Privacy, the organization that sponsored Proposition 24 (the California Privacy Rights Act or the “CPRA”) and the California Consumer Privacy Act of 2018 (“CCPA”).

The panelists discussed recently enacted U.S. state privacy laws and Congresswoman DelBene’s privacy bill, H.R. 1816, which was referred to the Subcommittee on Consumer Protection and Commerce in March 2021.  While the two policymakers agreed on the importance of consumer privacy legislation, their points of view on what that should mean for consumers and businesses diverged, and a spirited debate ensued.  Highlights are as follows:

A National Privacy Standard?

The panelists agreed it would be valuable to have a national privacy standard for safeguarding consumers’ personal data.  Congresswoman DelBene explained that a national privacy standard would:

  • curtail consumer confusion by making it so that consumers’ privacy rights do not change as much as they currently do when consumers travel from state to state;
  • alleviate the burden on businesses, especially small businesses, who may have to use considerable resources to comply with the requirements of each state privacy law; and
  • help to establish the U.S. as a key player in shaping global privacy policy—the Congressperson expressed that it is challenging for the U.S. to weigh in on international privacy issues when we lack a unified national standard.

Mr. Mactaggart agreed, explaining that a national privacy standard would grant privacy protections to people around the country. However, he noted that H.R. 1816 in its current form would preempt state privacy laws by prohibiting states from adopting, enforcing (or continuing to enforce) laws and regulations related to data privacy, with exceptions. Mr. Mactaggart recommended that a national privacy standard “should be a floor, not a ceiling,” and should not preempt stricter, non-conflicting state laws so states have an opportunity to strengthen privacy protections to meet the needs of their constituents. He pointed to the Health Insurance Portability and Accountability Act (“HIPAA”) and Sarbanes-Oxley Act of 2002 as examples of federal laws that have created legal baselines by establishing minimum consumer protection requirements while also allowing states to strengthen protections for their constituents.

Transparency and Enabling Choice Regarding Use

H.R. 1816, as currently drafted, does not include an express right of access (other than with respect to sensitive information), transportable copies, or rights of correction or deletion.  The Congressperson explained that her intent was to propose a bill focused on fundamental policy and consumer rights that sets a solid foundation on which federal legislators can continue building.  Mr. Mactaggart expressed that although he understands the Congressperson’s goal, the effect of H.R. 1816 (which, in its current form, preempts state laws) would be to deprive consumers in states with existing privacy laws (e.g., California) of  rights they currently enjoy.  For example, according to Mr. Mactaggart, passing H.R. 1816 as currently drafted would deprive Californians of their rights to see, delete, or correct their information, among other things.  He recommended that a national privacy standard not remove existing privacy protections granted to consumers under state laws.

Scope of Rulemaking

The panelists agreed that an independent agency should be granted rulemaking authority. H.R. 1816, if passed, would grant rulemaking authority to the Federal Trade Commission (FTC) for privacy issues.  In California, the California Privacy Protection Agency (CPPA) has rulemaking authority for privacy.

Enforcement Authorities and Penalties for Non-Compliance

The panelists agreed that the FTC is the most qualified federal agency to lead privacy enforcement.  H.R. 1816, if passed, would be enforceable by both the FTC, a federal agency that has experience and expertise to lead meaningful privacy enforcement, and state attorneys general (but only if the FTC has not acted).  In California, the CPPA has administrative enforcement authority to enforce the CCPA/CPRA.

Private Right of Action

The panelists agreed that granting a private right of action creates challenges for covered businesses.  The Congressperson explained that H.R. 1816 does not have a private right of action because the threat of litigation can be very costly, especially for small businesses.  Mr. Mactaggart agreed and clarified that although there is a private right of action under the CCPA, the right is limited to a specific subset of personal information, and only for instances where a business is negligent in its data security practices.

Public Policy Balance Between Transparency and Choice in Digital Advertising

The panelists agreed that advertising is an important tool in commerce, but that it should be balanced with consumer protection considerations.

  • Mr. Mactaggart advised that privacy laws should contemplate including a distinction between contextual advertising and behavioral advertising, which he believes to be a more invasive form of advertising.
  • The Congressperson added that consumers should have the ability to opt-in and opt-out of information sharing depending on the context of their relationship and interaction with a business, and consumers should be provided with tools to help them understand their privacy rights, such as privacy notices that are easy to understand.

Sensitive Personal Information

The panelists agreed that certain types of information are more sensitive, and therefore, should be subjected to a heightened protection standard.

  • The Congressperson explained that companies should be required to obtain affirmative express consent before they can collect and share sensitive personal information (e.g., financial information, health or genetic information, information about children, citizenship or immigration status, gender, religious beliefs, etc.).
  • Mr. Mactaggart added that in California, the new category of “sensitive information” was added to balance giving consumers meaningful privacy rights with the need to enable businesses to utilize data to provide services to consumers.

Where to go from here?

Interestingly, the Congressperson expressed an openness to learn more and noted that her bill was merely a first draft to get the legislative process moving and welcomed input from stakeholders.  Mr. Mactaggart offered to sit down with her staff.  Where this will go next is unclear, but it appears that the discussion will continue.  A recording of the discussion is available here.  The IIC/TMF also covered international privacy issues.  A blog post on that is available here.

Updates: California Privacy Rights Act (“CPRA”)

Last month, we reported on the California Privacy Protection Agency’s (“CPPA”) engagement of an Executive Director and its proposal for a rulemaking framework. The CPPA’s efforts are assisted by provisions of Assembly Bill 694 (“AB 694”), which California Governor Gavin Newsom signed last month. AB 694 includes changes to California’s consumer privacy law and clarifies the CPPA’s rulemaking process. You can find the changes here.