Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.
Continue Reading
California Attorney General’s Second Set of Modified CCPA Regulations: Undoing, Redoing, Clarifying
Here we go again. On March 11, 2020, the California Attorney General (AG) published a second set of modifications to its Regulations under the California Consumer Privacy Act. Unlike the AG’s modifications from just last month, the substantive changes this time are not quite so numerous. There are, however, a few provisions worth noting.
As a general matter, the most significant changes this time around consist of undoing some of the additions made in the first set of modifications. There is also some new language in the Regulations that provides further guidance for businesses that do not directly collect personal information as well as businesses working to draft CCPA-compliant privacy policies.
The California Genetic Information Privacy Act: How This Proposed Legislation Fits in the California Privacy Regulation Framework
There are many laws at the state and federal level that regulate the processing of genetic information. There may soon be one more.
Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.” As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA. Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination. However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA: (1) the GIPA would create a requirement to obtain written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as this purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.
Industry Insight: The CCPA’s Elusive “Reasonable Security” Safe Harbor
“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.” Karen Zacharia, Chief Privacy Officer at Verizon
The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy. The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information. In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.
California Attorney General’s Modified CCPA Regulations: Top Ten Changes
On February 7, 2020, the California Attorney General (AG) published a set of Modified Regulations under the California Consumer Privacy Act (CCPA). The Modified Regulations take into account some of the comments received from the public late last year and make key changes to multiple definitions and provisions, in at least some cases providing more clarity and specificity than the original version. The regulatory process is not yet done—the AG is accepting written public comments on the Modified Regulations until February 24, 2020—but it is unlikely there will be many more substantial revisions from this point forward. It also now seems possible that we will see final Regulations in advance of the July 1, 2020 deadline. The last step in the process is the AG’s submission of the final rulemaking record for approval by the CA Office of Administrative Law (OAL), which has 30 working days to approve the record before filing of the final Regulations with the Secretary of State.
Continue Reading
Virginia Punts Several Privacy-Related Bills to Out of Session Study
Last week a committee of the Virginia House of Delegates voted to send several privacy-related bills to a legislative commission for study after the current legislative session. Among those bills is the Virginia Privacy Act, proposed as a less onerous version of the California Consumer Privacy Act. Other bills referred for study address topics such as requirements for the destruction of records, online advertising and digital services directed to minors, and safe keeping of biometric data.
The Communications, Technology and Innovation Committee voted to “continue” the these privacy-related bills and directed the chairman of the committee to request the Joint Commission on Technology and Science (JCOTS) to study the legislation in advance of the 2021 legislative session. JCOTS consists of 13 legislators and its purpose is to evaluate emerging technology and science with the goal of promoting the development of sound public policies on those topics.
Will Virginia Follow California’s Lead on Consumer Privacy Legislation?
On January 8, 2020, the Virginia General Assembly will begin its 60 calendar day legislative session. Legislation relating to privacy will be on the agenda, including HB 473, titled the “Virginia Privacy Act,” that proposes to strengthen the data privacy rights of Virginians.
Scope of the Proposed Legislation
The provisions of the legislation apply to “any legal entity (i) that conducts business in the Commonwealth or produces products or services that are intentionally targeted to residents of the Commonwealth and (ii) that (1) controls or processes personal data of not fewer than 100,000 consumers; or (2) derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” The bill has exceptions to its scope applicable to, among others, local and state governments, credit reporting agencies and financial institutions governed by other privacy laws, and also exempts certain health care related information governed by federal law and employment records.
The legislation focuses on the responsibilities of data controllers, who are primarily responsible for complying with the provisions of the legislation, and data processors, who must adhere to the instructions of the controller and assist a controller in meeting the requirements of the proposed act.
The IOT is Here and so is the Regulation
For years, we have waited with bated breath the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).
Continue Reading
Trends in Student Data Privacy
Across the country, school districts use technology to facilitate learning and assist in classroom management. From tracking grades and communicating with parents to monitoring bathroom breaks, technology is everywhere in our schools. But as technology becomes more prevalent in the classroom, what does that mean for student data privacy?
Federal Laws Governing Student Data Privacy
There are several federal laws that govern student data privacy. The Family Educational Rights and Privacy Act (FERPA) protects student educational records and requires the consent of parents or students age 18 or older to consent to the release of education records. The Protection of Pupil Rights Amendment (PPRA) requires parental consent for any federally funded student survey or evaluation that requires the student to provide sensitive information. Lastly, the Children’s Online Privacy Protection Act (COPPA) regulates companies collecting data about kids under the age of thirteen. Under the law, educational products may not require parental consent, and instead, schools can consent on behalf of parents. Importantly, the Federal Trade Commission (FTC) is considering updating COPPA’s regulations. The FTC requested comments on the rule in July and held a workshop in October.
CCPA Review: The CCPA May Prohibit Some, But Not All, State Consumer Protection Law Claims
In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.
For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.