The Implications of the Most Recent CCPA Amendments
October 22, 2020
By: Jason L. Ott, Derrick L. Maultsby, Jr., and Corey A. Stanford
Recently, California Governor Newsom signed into law two bills that amend the California Consumer Privacy Act (“CCPA”), further altering the extensive data privacy legislation that went into effect earlier this year. The first, AB-1281, extends the employment and business-to-business (“B2B”) exemptions to the CCPA for an additional year until January 1, 2022. The second, AB-713, creates new exemptions for de-identified health information otherwise subject to regulation under the Health Information Portability and Accountability Act (“HIPAA”).
AB-1281 resolves uncertainty regarding the status of the CCPA’s employment-related and B2B exemptions by extending both from January 1, 2021 until January 1, 2022. The exemptions could be extended again to January 1, 2023 if California voters pass Proposition 24, the Consumer Personal Information Law and Agency Initiative, which is on the ballot in the November 3, 2020 election.
Both the employee exemption and the B2B exemption exclude certain categories of what would otherwise be personal information from falling within the scope of the CCPA. Under the employee exemption, information collected about a natural person in their capacity as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business is exempt from most of the key provisions of the CCPA. While a business is still required to provide notice of collection of personal information from an employee, it does not need to provide an employee with a Right to Know, Right to Deletion or Right to Opt-out.
Under the B2B exemption, the CCPA also generally exempts personal information reflecting a written or verbal communication or a transaction between the business and a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit or government agency, and whose communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, that company, partnership, sole proprietorship, nonprofit or government agency. The Right to Opt-out still applies with respect to this category of personal information, but the Right to Know and Right to Deletion do not, and there is no requirement to provide notice of collection.
AB-713 amends the CCPA to create expanded exceptions for: HIPAA business associates; information that has been de-identified in accordance with HIPAA; and information collected, used or disclosed in certain human subjects research. AB-713 eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. AB-713 became effective immediately following Governor Newsom’s signature, as the bill included an urgency clause calling for immediate action to mitigate the CCPA’s potential negative impact on health-related research.
AB-713 presents three notable changes from prior versions of the CCPA:
- The amendment expands the prior exemption for clinical trials to now include information that is collected, used, or disclosed in “research”;
- The amendment expressly exempts information that is de-identified pursuant to either the expert determination method or safe harbor method provided for in Section 164.514 of HIPAA; and
- The amendment makes clear that information that is “re-identified shall no longer be eligible for the exemption” except under certain circumstances.
AB-713 also provides that beginning January 1, 2021, any contract for the sale or license of de-identified information must include (1) a statement that the information being sold or licensed includes de-identified information; (2) a statement that re-identification is prohibited; and (3) a statement that the purchaser or licensee may not further disclose the de-identified information to a third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
As the surge of data privacy regulation continues, it is vital from a corporate compliance standpoint for companies to assess the risks and liabilities under these laws. The CCPA has had a wide-reaching impact due to the extraterritorial nature of the regulation. Companies should pay close attention to current and future amendments to ensure that they are still compliant under the CCPA.
Here at Jackson Kelly, we regularly advise business clients on various data privacy and compliance matters. If you have questions about the CCPA or any other data privacy regulation, please feel free to reach out any time and we would be happy to do anything we can to help.