Privacy never sleeps in California. In recent days and as California’s legislative session comes to a close, there have been a number of significant legislative and regulatory developments in the state, each of which will likely (again) change the privacy landscape in California and, by extension, the rest of the country. For businesses operating in California or whose websites, products or services reach California residents, these changes mean new compliance obligations, some of which could require significant investments of time and resources. The impact of these changes highlight once again how the United States lacks a consistent national policy on privacy that could be set by a comprehensive federal privacy law. Highlights of the developments are summarized below, accompanied by a deeper dive into CCPA-related developments:
- In a surprise to many observers, the California legislature failed to extend the employee- and B2B-exemptions. The exemptions will now expire at the end of 2022 and require businesses to extend CCPA rights to all California residents whose personal information they collect, without regard to their employment status.
- The California Attorney General issued its first CCPA fine based on a company’s alleged failure to provide sale opt-outs for third-party advertising cookies and not recognize the Global Privacy Control signal. News of the first public enforcement action was accompanied by OAG guidance highlighting enforcement priorities around the Global Privacy Control, loyalty programs and financial incentives, and privacy policies that are both easy to read and functional.
- The California legislature passed the California Age-Appropriate Design Code Act (AADCA) which, if signed into law (as many expect will be the case), will impose a variety of obligations and restrictions on businesses that develop and provide online services, products or features that minors under 17 are “likely to access.” Modeled after a similar law in the UK, the AADCA would first come into effect on July 1, 2024 and would require businesses to configure privacy settings to high levels of privacy, and restrict their ability to profile minors and collect geolocation information. Data protection impact assessments would also be required, including for products in existence when the law would come into effect. Just like the original version of CCPA, the Attorney General has sole enforcement powers (e.g., no private right of action) and statutory penalties are authorized (up to $7,500 per “affected child”). Unlike CCPA, there is a mandatory 90-day cure period for businesses that are in “substantial compliance” with the law.
- The California legislature also passed another bill that would classify providers of mental health apps as healthcare providers under the California Confidentiality of Medical Information Act (CMIA). As a provider subject to CMIA, mental health apps would be subject to HIPAA-like constraints on their ability to use and share data collected and will have increased litigation exposure, as CMIA includes a private right of action. Passage of the bill comes on the heels of US Congressional inquiries about the use and protection of health data collected by mental health apps and an uptick in private litigation in the area. If this bill becomes law, it will be effective beginning January 1, 2023.
Governor Newsom has until September 30th to sign theses bills into law, let them become law without his signature, or issue a veto. There is no indication a veto is anticipated on any of the bills highlighted above.
Below we take a deeper dive into CCPA-specific developments.
CCPA Employee and B2B Exemptions Will Expire on December 31, 2022
In news that surprised many, labor and business interests were not able to reach consensus to codify or extend the exemptions in the California Consumer Privacy Act (CCPA) that apply to employees, independent contractors, job applicants (“employee data”), or individuals who are acting as representatives of companies that do business with California businesses subject to CCPA (“B2B data”). This means all of the CCPA consumer rights will now be available in full to California residents acting in the employment/job applicant role. Business will need to make CCPA-required disclosures in privacy policies regarding employee and B2B data. Data minimization and restrictions on secondary use of personal information introduced by amendments to CCPA coming into effect on January 1, 2023 will now apply to such data. Moreover, contractual requirements for service providers, contractors and third parties required by CCPA (including those required by new amendments to the law) will now also apply to employment and B2B data that is disclosed, sold or shared with other entities.
The employee- and B2B-extensions have been in a tenuous position since 2019, when legislators first passed amendments to CCPA carving out these categories of data with a two-year sunset clause, which was intended to allow labor and business interests to work out a compromise about how to provide some level of transparency and data rights with respect to employee and B2B data without burdening businesses. Amendments to CCPA passed by voters at the end of 2020 through the California Privacy Rights Act (CPRA) extended the sunset date an additional year through the end of 2022. Indeed, consumer privacy laws in Virginia, Colorado, Connecticut and Utah that will come into effect in 2023 all explicitly recognize these differences and broadly exempt all employment and commercial data (e.g., B2B data).
It is possible the California Privacy Protection Agency (CPPA) could issue draft regulations that address these differences as part of their CPRA rulemaking which is underway. CPRA expressly recognizes that while privacy interests of employees should be protected, there are “differences in the relationship” between employees and businesses as compared to the relationship between consumers and businesses. CPPA did not take a position on whether the employee or B2B exemptions should or should not have been extended, and the first tranche of proposed regulations certainly contemplates that the legislature could change the law to codify the exemptions or at least treat employee and B2B data differently than consumer data.
California Attorney General Issues First CCPA Fine and Underscores Need to Comply with Global Privacy Control
New CCPA Enforcement Case Examples – Opt Outs, GPC, Clarity & Functionality Are Top of Mind. On the same day the OAG filed the complaint against Sephora, it published a dozen new examples of “Enforcement Cases” on its CCPA webpage, reflecting anonymized examples of notices to cure issued by the OAG that were informally resolved to the OAG’s satisfaction. The examples provided show the OAG has been investigating businesses whose data we would expect to be largely exempt from CCPA. Targets of OAG investigations included several entities in the healthcare space (HIPAA exemption), a financial services firm (GLBA exemption) and a medical device manufacturer (B2B exemption).
Short-Term CCPA Compliance Tune Up. Businesses that are subject to CCPA already have long to-do lists to prepare for implementation of expanded obligations under CPRA amendments, which will be further lengthened by the demise of the employee and B2B exemptions. Nevertheless, these recent announcements from the OAG suggest the office is moving full steam ahead on CCPA enforcement, even before CPRA amendments come into effect. Businesses may therefore want to consider conducting a CCPA compliance tune up in the months ahead. Below is a list of potential areas to consider based on the OAG’s recent announcements:
- Review status of Service Provider agreements.
- Consult with IT re Global Privacy Control signals.
- Review functionality of opt outs and other data subject request tools.
- Review financial incentive disclosures.
- Monitor social media for comments about data subject rights.
Sidley’s data privacy team is always here to help clients navigate complexities and nuances in compliance with CCPA and other data privacy laws, including amendments to CCPA and new U.S. state data privacy laws that will be coming into effect in 2023.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.