On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit
On January 1, 2020 California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations. As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution. Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.
Re-issued Proposed CCPA Regulations
After the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations. The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020. These proposed regulations notably add new aspects and regulatory hurdles to CCPA implementation most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents in business’s privacy policies. These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review. The OAL has thirty working days to review these regulations, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.
CCPA Proposed Regulatory Framework
The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Businesses that hit the thresholds will be covered even if they are located outside the state of California.
Notably, companies subject to CCPA must “at or before the point of collection” of personal information provide notice to consumers informing them of the categories of personal information the company collects and what purpose the information is used by the company. In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and then to enable consumers to opt-out of the sale of their data to third parties. CCPA also establishes a wide-range of rights to consumers (as specified below). Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.