During the California Consumer Privacy Act’s (“CCPA”) amendment process prior to enactment, personal information in the employment context was highly contested and has continued to be a point of deliberation even after the CCPA’s effective date of January 1, 2020. The CCPA excludes certain employment-related personal information from most of the act’s requirements until January 1, 2021. This exemption was extended by the California Privacy Rights Act (“CPRA”) (a ballot measure supported last week by a strong majority of California voters) until January 1, 2023.[1]

Under the CCPA, unlike consumers generally, employees, applicants, and independent contractors may not request: the deletion of their personal information; to opt out of the sale of their personal information; or information concerning the categories of personal information collected, the sources from which personal information is collected, the purpose for collecting or selling personal information, or the categories of third parties with whom the business shares their personal information. Additionally, prior to the CPRA, employees, applicants, and independent contractors did not have anti-discrimination/retaliation rights under the law.

Anti-Discrimination/Retaliation Provision

The CPRA expands the existing anti-discrimination rights to employees, applicants, and independent contractors.  Section 1798.125 (a)(1)(E) states that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights…including…retaliating against employee, application for employment, or independent contractor…”

Thus, although employees, applicants and independent contractors are temporarily excluded from most of the CCPA’s protections, two areas of compliance presently remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

In light of the expansion of this provision, employers now cannot discriminate and/or retaliate against employees, applicants, and independent contractors exercising their rights to: (i) receive a notice at collection concerning their personal information, and (ii) bring a private right of action following a data breach involving their personal information caused by the failure of the employer to maintain reasonable safeguards. Additionally, if the CPRA is not amended to extend the exemption beyond December 31, 2022, employees, applicants, and independent contractors will receive full rights under the CCPA. If so, on and after January 1, 2023, employers subject to the CCPA will not be able to discriminate against their California employees if they decide to exercise their right to know, right to delete, right to opt out, as well as the new CPRA rights to restrict disclosures and to correct personal information.

We will continue to update the status of the CPRA, its enforcement and any amendments to its current version.

[1] Prior to the passage of Prop 24 (CPRA), Governor Gavin Newsom signed AB1281 extending the exemption until January 1, 2022.

It goes without saying that November 3rd, 2020 was an important day for the future of the nation, but it was also a significant day for the future of California privacy law. On Tuesday, a strong majority of California voters supported Proposition 24, a ballot measure which aims to expand and enhance the California Consumer Privacy Act (“CCPA”). The CCPA took effect in January and companies are still grappling with compliance. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA, but now it looks like they will be back to the drawing board.

Proposition 24, titled the California Privacy Rights Act of 2020 (CPRA) (unofficially dubbed CCPA 2.0), amends the CCPA, which has been criticized for overbroad definitions and ambiguous language. The CPRA expands the privacy rights of California residents and increases compliance obligations for companies.

Here are a few key aspects of the CPRA:

  • New type of personal information – “sensitive personal information”. This new subset of personal information includes data elements such as social security number, driver license number, and financial account number. However, perhaps following the General Data Protection Regulation (GDPR) in the European Union, the term also includes, without limitation, a consumer’s racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic information, and a consumer’s sex life and sexual orientation.
  • New rights for consumers: limiting uses and disclosures and correcting inaccurate personal information. For the new subset of personal information, sensitive personal information, California consumers will have the right to request limitations on the use and disclosure of that information. Consumers also will have the right to ask businesses to correct inaccurate personal information maintained by the business.
  • Changes to the Notice at Collection. Several changes and clarifications were made to the requirement to provide consumers a notice at collection. For example, the notice must now include a retention period for each category of personal information and sensitive personal information, or include criteria for determining the retention period if setting a retention period is not possible.
  • Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
  • Creates enforcement arm. Establishes the California Privacy Protection Agency that, in addition to the California Department of Justice, will enforce and implement consumer privacy laws and impose fines.
  • Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
  • Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches caused by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
  • Expands written agreement requirements. Businesses collecting personal information and then sharing/selling it to a third party, or disclosing it to a contractor or service provider, will need to enter into written agreements that contain certain required provisions. A couple of the required provisions include (i) obligating the third party, contractor, or service provider to comply with the CCPA/CPRA as applicable, and (ii) granting the business the right to take reasonable steps to ensure the third party, contractor, or service provider uses the personal information consistent with the CCPA/CPRA.
  • Increased exposure to liability in the event of a data breach. The CCPA included a private right of action in the event a business experienced a data breach affecting a subset of personal information due to the failure to have reasonable safeguards to protect that information, and the failure to cure following notice. The CPRA adds a consumer’s email with password or security question to the subset of personal information that, if breached, could trigger a private right of action, if a hacker was able to access a consumer’s email account. Also, the CPRA clarifies that implementing and maintaining reasonable security procedures and practices to protect personal information under Cal. Civ. Code 1798.81.5 following a breach will not be a cure with respect to that breach.
  • Extension of the employee personal information and “B2B” (business to business) exemptions. In September the California assembly passed AB1281, which extended the CCPA’s exemptions for employee personal information and “B2B” personal information to January 1, 2022 (both exemptions were set to sunset on January 1, 2021). The CPRA now extends that exemption until January 1, 2023. Note, that some employee and “B2B” personal information remains subject to the CCPA’s private right of action, if that personal information is involved in a data breach and reasonable safeguards were not put in place.

The CPRA becomes effective on or after January 1, 2022 (other than for access requests), but will not be operative until January 1, 2023.

“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” Alastair Mactaggart, chair of Californians for Consumer Privacy and Proposition 24 sponsor, said in a statement.

Companies will have to once again review their privacy programs and likely amend them further to comply with the CPRA’s new requirements. That said, the CPRA generally becomes operative January 1, 2023, and in the interim California regulators are expected to provide additional information on the compliance and enforcement implications of the new law.

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory stating they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

The advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain. The advisory provides technical details on the threat from Ryuk ransomware and new Trickbot malware modules named Anchor. The anticipated threat posed by this malware and ransomware is the use of encryption to interfere with a hospital’s access to its systems and its ability to provide care, while holding the decryption key for ransom.

In addition to the technical details, the advisory identifies steps hospitals and healthcare providers should take to protect themselves from this cybercrime threat. Those steps include maintaining an up-to-date business continuity plan and other best practices.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to local administration being disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication (MFA) where possible.
  • Disable unused remote access or Remote Desktop Protocol (RDP) ports and monitor remote access or RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege necessary in mind.
  • Audit logs to ensure new accounts are legitimate.
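Three of the network practices above (monitor RDP logs, audit administrative privileges, audit logs for new accounts) can be turned into a routine check. The script below is an added example, not part of the advisory and not a tool from CISA, FBI or HHS: it triages Windows Security events for account creation (Event ID 4720), additions to the local Administrators group (Event ID 4732) and RemoteInteractive logons (Event ID 4624 with logon type 10). The log lines, the `timestamp key=value` export layout, the approved-account allow-list and the internal address prefix are all constructed for the example.

```python
"""
Added example (not from the advisory): apply three of the advisory's
hardening checks to Windows Security event records.
  - new accounts must be legitimate  (Event ID 4720 = user account created)
  - audit administrative privileges  (Event ID 4732 = member added to a local group)
  - monitor RDP logs                 (Event ID 4624, LogonType 10 = RemoteInteractive)
The records below are constructed; the 'timestamp key=value ...' layout is an
assumption for this example, not a real export format.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export. A real deployment would read an EVTX export or a SIEM query.
SAMPLE_LOG = """\
2020-10-28T02:14:05 EventID=4720 Subject=svc-backup Target=tmpadmin Host=HPH-FS01
2020-10-28T02:14:09 EventID=4732 Subject=svc-backup Member=tmpadmin Group=Administrators Host=HPH-FS01
2020-10-28T02:21:40 EventID=4624 Account=tmpadmin LogonType=10 Source=203.0.113.45 Host=HPH-FS01
2020-10-28T08:03:12 EventID=4624 Account=jdoe LogonType=2 Source=- Host=HPH-WS22
2020-10-28T09:10:00 EventID=4720 Subject=helpdesk1 Target=nurse.k Host=HPH-DC01
2020-10-28T09:30:55 EventID=4624 Account=nurse.k LogonType=10 Source=10.20.5.17 Host=HPH-TS01
"""

# Assumed allow-list: accounts whose creation went through normal provisioning.
APPROVED_NEW_ACCOUNTS = {"nurse.k"}
# Assumed: RDP sessions are only expected from the organization's internal range.
INTERNAL_PREFIX = "10."


@dataclass
class Event:
    time: datetime
    event_id: int
    fields: dict


def parse_events(text: str) -> list:
    """Parse 'timestamp key=value ...' lines (constructed format) into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts), int(fields.pop("EventID")), fields))
    return events


def review(events, approved=APPROVED_NEW_ACCOUNTS, internal_prefix=INTERNAL_PREFIX):
    """Return (finding, account) tuples for an analyst to review; empty list means nothing flagged."""
    findings = []
    created = {}  # account name -> the 4720 event that created it
    for e in events:
        if e.event_id == 4720:
            created[e.fields["Target"]] = e
            if e.fields["Target"] not in approved:
                findings.append(("unapproved account creation", e.fields["Target"]))
        elif e.event_id == 4732 and e.fields.get("Group") == "Administrators":
            findings.append(("added to Administrators", e.fields["Member"]))
        elif e.event_id == 4624 and e.fields.get("LogonType") == "10":
            acct, src = e.fields["Account"], e.fields["Source"]
            if not src.startswith(internal_prefix):
                findings.append(("RDP logon from external address", acct))
            # A brand-new account logging in over RDP is worth a look even when approved.
            if acct in created and (e.time - created[acct].time).total_seconds() < 3600:
                findings.append(("RDP logon within an hour of account creation", acct))
    return findings


if __name__ == "__main__":
    for finding, account in review(parse_events(SAMPLE_LOG)):
        print(f"{account:10} {finding}")
```

Run against the constructed log, the script flags `tmpadmin` four times (unapproved creation, Administrators membership, RDP from an external address, RDP shortly after creation) and flags `nurse.k` once for the post-creation RDP logon, which the allow-list cannot clear on its own; the interactive logon by `jdoe` produces nothing. The point is that the checks in the advisory's list need a reference (here the allow-list and the internal range) to be actionable.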

Ransomware Best Practices

  • CISA, FBI, and HHS do not recommend paying ransoms. Further, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory alerting companies of the potential sanctions risk for facilitating ransomware payments.
  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats (such as ransomware and phishing scams) and how they are delivered.
  • Provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.

The advisory notes that addressing the risks posed by malware and ransomware attacks will be particularly challenging for hospitals and healthcare providers during the COVID-19 pandemic. Additional advice on avoiding and responding to an attack is available here. If you have questions about this advisory or how best to assess and manage the risks identified in the advisory, please contact a Jackson Lewis attorney.


Earlier this year, we reported on an evolution in the form of cyberattack known as ransomware: attackers transitioning from denying affected users access to critical data by encrypting it to removing data from the compromised systems and threatening public release in exchange for payment. These attacks typically target the companies maintaining the data. However, attackers may be adopting a new tactic when they do not get paid, targeting the individuals whose sensitive personal information was compromised.

According to reports, a healthcare provider in Finland was hacked and the attackers demanded 40 bitcoins (or about $525,000) on the threat of public disclosure of patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies of the potential sanctions risk for facilitating ransomware payments. The 22-location psychotherapy provider, Vastaamo, refused to pay the ransom.

When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. Reporting on this incident states:

Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.

Not much is known yet about the nature of the attack and various governmental agencies are involved.

This incident reveals a troubling pattern of cyberattacks now extending to individuals served by the organizations compromised – patients, students, customers, members, employees, etc.

Organizations devote significant resources to securing their networks and protecting the data they maintain. While that is necessary, considering the nature of the threats and current trends, it likely is not sufficient. Incident response planning is critical, but it needs to be reevaluated and evolve as the threat landscape evolves.

There are many steps organizations could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Situations like this emphasize the need to understand the individuals the organization serves, what their needs might be in a case like this, and how best to communicate with them efficiently.

Co-Author: Eric R. Magnus

The Eleventh Circuit Court of Appeals recently ruled that “incentive” or “service” awards to lead plaintiffs in Rule 23 class actions are unlawful. It is the first circuit court of appeals to expressly invalidate such awards as a matter of law. (Johnson v. NPAS Solutions, LLC, No. 18-12344, September 17, 2020).

In a suit brought under the Telephone Consumer Protection Act (TCPA), a divided circuit panel struck down a $6,000 award to a lead plaintiff and, for this and other reasons, vacated a federal court’s order approving a proposed $1.432 million settlement. (There were 179,642 potential class members, who would have received only $7.97 each, but only 9,543 class members submitted claims, bringing their haul to what could have been “a whopping $79.”)

Supreme Court precedent. The U.S. Supreme Court prohibited the award of incentive payments to plaintiffs more than a century ago, calling this particular fee for services “decidedly objectionable,” the Eleventh Circuit noted (citing Trustees v. Greenough, 105 U.S. 527 (1882), along with Central Railroad & Banking Co. v. Pettus, 113 U.S. 116 (1885), issued on the heels of that decision). This controlling precedent precedes Rule 23 by decades, as the plaintiffs pointed out to no avail in arguing that the decisions were nonbinding here. And these opinions seem to have gone unheeded in the 140 or so years since, the majority acknowledged, conceding that incentive awards are routine features of class settlements today.

“But, so far as we can tell, that state of affairs is a product of inertia and inattention, not adherence to law,” the court said, adding: “Although it’s true that such awards are commonplace in modern class-action litigation, that doesn’t make them lawful, and it doesn’t free us to ignore Supreme Court precedent forbidding them.”

The incentive award in this case is “part fee and part bounty,” according to the majority. Such awards amount to the kind of pay for services disfavored by the Supreme Court. What’s more, such fees are meant “to promote litigation by providing a prize to be won.”

Eleventh Circuit is an outlier. Judge Martin dissented on this point, and noted that the decision “takes our court out of the mainstream.” No other circuit court has barred incentive awards; in fact, “none has even directly addressed its authority to approve incentive awards,” she pointed out. Yet, as the majority countered, the courts appear to have abandoned the inquiry whether there is actually a legal basis for such awards, turning instead to the question whether such awards are fair.

Fee objection before fee petition? The appeals court also was troubled that, in granting preliminary approval to the slapdash settlement (over the objections of the appellant here), the district court effectively required class members to opt out or object to the attorney fee award even before class counsel filed their fee petition. The appeals court found a clear violation of Federal Rule of Civil Procedure 23(h) in setting the objection date prior to the motion for fees.

However, applying the harmless-error doctrine for the first time in the context of Rule 23(h), the court concluded that this error was harmless.

“Boilerplate” approval. In addition, the lower court violated the Federal Rules and circuit precedent more generally by failing to offer a reasoned explanation for its decision to approve the terms of a class settlement and to overrule objections. The appeals court recognized that the district court’s approach to evaluating the settlement was fairly common. Here again, though, as with the court’s approval of the incentive award, it is no answer to say, “That’s just how it’s done.”

“We don’t necessarily fault the district court—it handled the class-action settlement here in pretty much exactly the same way that hundreds of courts before it have handled similar settlements. But familiarity breeds inattention, and it falls to us to correct the errors in the case before us.”

Takeaways. As a practical matter, removing the prospect of service awards for Named Plaintiffs in class actions will impact the resolution of class actions within the Eleventh Circuit, adding further nuance to the negotiation of settlements and the drafting of settlement agreements.

This decision will also further increase judicial scrutiny of class action settlements in the Eleventh Circuit, which is a Circuit that, since its seminal decision in Lynn’s Foods, Inc. v. United States in 1982, has been active in scrutinizing the terms of employment class action settlements, particularly in the area of wage and hour settlements.

A critical question that remains unanswered is whether the majority’s rationale will be applied in the context of collective actions brought under Section 216(b) of the Fair Labor Standards Act (FLSA) or to the settlement of hybrid claims under both Rule 23 and Section 216(b).

It also remains to be seen if other federal circuits will find the Eleventh Circuit’s holding persuasive, and likewise opt to prohibit the use of incentive payments, or whether the Eleventh Circuit has further distanced itself from its sister circuits in closely scrutinizing class action settlement terms.

As organizations aim to return to some type of normalcy, and help ensure a healthy and safe workplace, many have implemented COVID-19 screening programs that check for symptoms, and an employee’s recent travel and potential contact with the virus. Moreover, many states and localities across the nation are mandating or recommending the implementation of COVID-19 screening programs in the workplace, and beyond. In many cases, organizations have leveraged various technologies, such as social distancing bands, apps, and thermal scanners, to streamline their screening programs.

Despite the benefits of COVID-19 screening programs, organizations should proceed carefully to examine not only whether the particular solution will have the desired effect, but whether it can be implemented in a compliant manner with minimal legal risk, particularly regarding the privacy and security implications. Just last week Amazon was hit with a proposed class action lawsuit in Illinois state court, claiming the company’s COVID-19 screening program violated Illinois’s Biometric Information Privacy Act (BIPA). According to the complaint, Amazon employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without the prior consent from employees required by law when collecting biometric identifiers, such as a facial geometry scan.

The BIPA sets forth a comprehensive set of rules for companies doing business in Illinois when collecting biometric identifiers or information of state residents. The BIPA has several key features:

  • Informed consent prior to collection
  • Limited right of disclosure of biometric information
  • Written policy requirement addressing retention and data destruction guidelines
  • Prohibition on profiting from biometric data
  • A private right of action for individuals harmed by BIPA violations

Statutory damages can reach $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation.

The complaint alleges that Amazon employees “lost the right to control” how their biometric data was collected, used and stored, exposing them to “ongoing, serious, and irreversible privacy risks — simply by going into work”.  In addition to claims of failure to notify employees and obtain express consent regarding their biometric data collection practices, the complaint also alleges that Amazon failed to develop and follow a publicly available retention schedule and guidelines for permanently destroying workers’ biometric data.

While this case is an important reminder of BIPA implications, implementing a COVID-19 screening program, or any type of social distancing or contact tracing technology to help prevent/limit the spread of coronavirus for that matter, can have privacy and security implications that extend well beyond the BIPA. Depending on the type of data being collected and who is collecting it, such practices may trigger compliance obligations under several federal laws, such as the Americans with Disabilities Act (ADA), the Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA). In addition to the BIPA, other state laws should be considered, if applicable, such as the California Consumer Privacy Act (CCPA) and state laws that require reasonable safeguards to protect personal information and notification in the event of a data breach. International laws, including the General Data Protection Regulation (GDPR), can also affect screening programs depending on their scope. Beyond statutory or regulatory mandates, organizations will also need to consider existing contracts or services agreements concerning the collection, sharing, storage, or return of data, particularly for service providers supporting the screening program. Finally, whether mandated by law or contract, organizations should still consider best practices to help ensure the privacy and security of the data they are responsible for.

COVID-19 screening programs, as well as the extensive technology at our disposal and/or in development, are certainly helping organizations address the COVID-19 pandemic, ensure a safe and healthy workplace and workforce, and prevent future pandemics. Nevertheless, organizations must consider the legal risks, challenges, and requirements of any such technology prior to implementation.

Back in August, after much anticipation and several rounds of review and modification, the California Consumer Privacy Act (CCPA) regulations finally became effective. This was long awaited by businesses and their service providers looking for compliance guidance and clarity on key issues related to facilitation of consumer rights.  This week, the California Department of Justice (“DOJ”) announced there would now be a third set of proposed modifications made to the CCPA regulations.

As a quick recap of past developments related to the CCPA regulations, the DOJ first published proposed CCPA regulations on October 11, 2019. In February 2020 and again in March, the DOJ gave notice of modifications to the proposed regulations, based on comments received during the relevant public comment periods. The final version of the CCPA regulations that became effective in August was substantively unchanged from the March version.

Below are highlights from the third set of proposed modifications made to the CCPA regulations, released this week:

  • Addition of examples of how businesses that collect personal information in the course of interacting with consumers offline can provide the notice of right to opt-out of the sale of personal information through an offline method.
  • Guidance on how a business’s methods for submitting requests to opt-out should be easy and require minimal steps. It provides illustrative examples of methods designed with the purpose or substantial effect of subverting or impairing a consumer’s choice to opt-out.
  • Clarification on the proof that a business may require an authorized agent to provide, as well as what the business may require a consumer to do to verify their request.
  • Clarification that businesses that have actual knowledge that they sell PI of minors are required to include in their privacy policies a description of their method for verifying that the person authorizing the sale of a child’s data is actually that child’s parent or guardian.

The DOJ’s notice regarding the proposed modifications and a comparative version of the new text are available here.  The DOJ will accept written comments from the public regarding the proposed modifications between Tuesday, October 13, 2020 and Wednesday, October 28, 2020. Written comments may be submitted to the DOJ via email to PrivacyRegulations@doj.ca.gov.

Since the CCPA’s effective date back in January there has been an influx of developments, as the legislature and regulators help to clarify ambiguities and provide greater specificity on key compliance issues facing covered businesses and their service providers. Just last week we reported on CCPA amendment AB 1281, which extended the exemptions for “B2B” and employee personal information. We will continue to update on CCPA and other related developments as they unfold.

New York and New Jersey have released “COVID Alert NY” and “COVID Alert NJ,” apps designed to alert their users when they have been exposed to someone who tested positive for COVID-19. These apps follow those released in Pennsylvania and Delaware and are soon to be joined by Connecticut. The states hope to enhance their contact tracing efforts, but what about privacy?

According to New Jersey Governor Murphy,

The app is free and secure, and your identity, personally identifying information, and location will never be collected. The more phones that have the app, the better we can fight this pandemic.

Larry Schwartz, a former high-ranking aide to Governor Cuomo, explains privacy is achieved “not through location services tied to smartphones but through the device’s Bluetooth proximity detection.” More specifically, the apps use the Exposure Notification System technology developed by Google and Apple. By using Bluetooth instead of GPS, location tracking of individuals is not necessary, and users can turn the feature off at any time.

According to state officials, the COVID Alert apps will notify users if they have been in “close contact” (within six feet for at least 10 minutes) with someone who has tested positive for COVID-19. In order for the apps to work between users in close contact, a few things have to happen.

First, both users must have downloaded the app on their mobile devices and opted-in to receive “Exposure Notifications.” For COVID Alert NY and NJ, the apps are free and available to anyone 18 or older who lives, works, or attends college in New York or New Jersey, and can be downloaded in multiple languages from the Google Play Store or Apple App Store. As with all apps, users should read the app’s privacy statement – here is New Jersey’s privacy statement.

Second, one of the users would need to have tested positive for COVID-19 and cooperated with the local health department by agreeing to anonymously enter a code into the user’s app.

Third, when the two users are in close contact, as described above, their devices will exchange codes via Bluetooth. Using Bluetooth Low Energy technology, a device can detect when another phone with the same app is within six feet. If a code matches with a list of codes associated with positive COVID-19 app users, the user will get an “Exposure Alert” together with recommendations on next steps to stay safe and prevent community spread like self-quarantining and getting tested.
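The three steps above describe a protocol, and the privacy claim (no identity, no location) is easiest to check by running a model of it. The code below is an added example, not the COVID Alert apps’ code and not the Google/Apple Exposure Notification implementation: it keeps the shape of the design (a fresh key on each phone every day, short-lived codes derived from that key and exchanged over Bluetooth, only the keys of users who test positive published, matching done on the phone) but the HMAC-SHA256 derivation, the 10-minute code rotation, the duration accounting and the “within six feet for at least 10 minutes” threshold as coded are assumptions chosen so the example runs with the standard library. The real system specifies an AES-based derivation and Bluetooth attenuation measurements instead of a distance in feet.

```python
"""
Added example, not the apps' code: a simplified model of the exposure
notification exchange described in the three steps above. Everything a phone
hears stays on that phone; the server only ever receives the daily key of a
user who tested positive. Derivation and thresholds are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

INTERVAL_SECONDS = 600        # assumed: broadcast codes rotate every 10 minutes
CLOSE_CONTACT_FEET = 6.0      # "close contact" rule from the state description
CLOSE_CONTACT_MINUTES = 10


def new_daily_key() -> bytes:
    """Random 16-byte key generated on the phone each day; never tied to identity."""
    return os.urandom(16)


def rolling_code(day_key: bytes, interval: int) -> bytes:
    """Code broadcast during one interval (simplified HMAC derivation, an assumption)."""
    msg = b"EN-CODE" + interval.to_bytes(4, "little")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    day_key: bytes = field(default_factory=new_daily_key)
    # (code, interval, estimated_feet, seconds) heard over Bluetooth; stays on the phone
    heard: list = field(default_factory=list)

    def broadcast(self, interval: int) -> bytes:
        return rolling_code(self.day_key, interval)

    def hear(self, code: bytes, interval: int, feet: float, seconds: int) -> None:
        self.heard.append((code, interval, feet, seconds))

    def upload_after_positive_test(self, server_keys: list) -> None:
        # Step 2: only a user who tested positive and entered the health-department
        # code shares anything, and what is shared is the daily key, not contacts or location.
        server_keys.append(self.day_key)

    def check_exposure(self, server_keys: list) -> bool:
        # Step 3: regenerate codes from the published keys locally and compare with
        # what this phone heard, summing only the time spent within six feet.
        close_seconds = 0
        for code, interval, feet, seconds in self.heard:
            if feet > CLOSE_CONTACT_FEET:
                continue
            if any(hmac.compare_digest(code, rolling_code(k, interval)) for k in server_keys):
                close_seconds += seconds
        return close_seconds >= CLOSE_CONTACT_MINUTES * 60


def contact(p1: Phone, p2: Phone, interval: int, feet: float, seconds: int) -> None:
    """Stand-in for the Bluetooth exchange: each phone hears the other's current code."""
    p1.hear(p2.broadcast(interval), interval, feet, seconds)
    p2.hear(p1.broadcast(interval), interval, feet, seconds)


def run_scenario() -> dict:
    """Constructed day: Alice later tests positive; who should get an Exposure Alert?"""
    server_keys = []  # what the health-department server holds
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    contact(alice, bob, 100, 3.0, 600)      # Bob: 15 minutes at 3 feet over two intervals
    contact(alice, bob, 101, 3.0, 300)
    for interval in (100, 101, 102):        # Carol: 30 minutes, but across the room
        contact(alice, carol, interval, 20.0, 600)
    contact(alice, dave, 102, 3.0, 240)     # Dave: only 4 minutes at 3 feet
    alice.upload_after_positive_test(server_keys)
    return {
        "server_holds_only_alice_key": server_keys == [alice.day_key],
        "bob": bob.check_exposure(server_keys),
        "carol": carol.check_exposure(server_keys),
        "dave": dave.check_exposure(server_keys),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed scenario only Bob receives an alert: Carol shared a room with Alice for 30 minutes but never came within six feet, and Dave was close for only four minutes. Nothing in the model records where any contact happened, and Bob’s, Carol’s and Dave’s keys never leave their phones; the server learns only that some key was reported positive, which is the property the state officials are describing.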

With reports of data breaches and intrusive government surveillance of citizens, it is no wonder New York and New Jersey state officials are touting COVID Alert’s attention to privacy. However, app users are permitted to do a “COVID Check-In” and enter any symptoms they are having. As I write this post, there were 15,561 check-ins today, with 97 percent feeling good. When checking in, users are reminded that the app does not reveal the user’s identity, but the information, which could include race, gender, and ethnicity, can be useful for public health action. Users also are reminded that a record is kept of symptoms entered into the app for future reference.

According to reports, the app cost $700,000 to develop, a cost reportedly paid for by the Bloomberg Foundation. It remains to be seen whether the app will serve its intended purpose and will keep user data private and secure.

By signing AB 1281 into law on September 29th, 2020, California Governor Gavin Newsom amended the California Consumer Privacy Act (“CCPA”) to extend until January 1, 2022, not only the current exemption on employee personal information from most of the CCPA’s protections, but also the so-called “B2B” exemption. Welcomed by many “B2B” (business to business) organizations, this exemption originally enacted under AB 1355 removed significant amounts of personal information from the CCPA’s reach. Note, however, this exemption could be further extended until January 1, 2023, if the California Privacy Rights Act (CPRA) is approved by voters on Nov. 3, 2020.

The “B2B” exemption applies to the following:

Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency

In other words, personal information obtained by a business from a consumer is generally exempt under this provision when that consumer is acting as a representative of another organization and engages with the business in communications or transactions that relate solely to providing or receiving products or services. However, as with the employee personal information exemption, certain personal information in this context remains subject to the CCPA’s private right of action if that personal information is involved in a data breach and reasonable safeguards were not in place.

CCPA covered businesses have a temporary reprieve on employment and “B2B” personal information, and will have to wait until election day to see if they will get another year.

On September 29th, California Governor Gavin Newsom signed into law AB 1281, an amendment to the California Consumer Privacy Act (“CCPA”) that would extend the current exemption on employee personal information from most of the CCPA’s protections until January 1, 2022. The exemption on employee personal information was slated to sunset on December 31, 2020. It is important to highlight that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information, driven by a private right of action now available to individuals affected by a data breach caused by a business’s failure to do so.

Notably, the operation of the extension is contingent upon voters not approving ballot proposition 24 in November, the California Privacy Rights Act (“CPRA”), which would amend the CCPA to include more expansive and stringent compliance obligations and inter alia, would extend the employment personal information exemption until January 1, 2023.

As a reminder, during this challenging time, it is important for employers, regardless of jurisdiction, to remain vigilant about the types of personal information collected from employees and how it is used. Pre-COVID-19, for example, employers were not thinking of performing temperature checks on employees or collecting other personal information in connection with COVID-19 screenings, and as a result may need to update their privacy notices to capture this category of information and the purpose for which it is used.

A full discussion on AB 1281 is available here.

During the same session, Governor Newsom vetoed an additional privacy bill, AB 1138, which would have required parental or guardian consent for creation of a social media or application account for children under 13. Under the federal Children’s Online Privacy Protection Act (COPPA), operators of Internet websites or online services must obtain parental or guardian consent before collecting personal information from a child known to be under 13. States have the authority to enforce COPPA. In Governor Newsom’s veto statement, he highlighted that “Given its overlap with federal law, this bill would not meaningfully expand protections for children, and it may result in unnecessary confusion.” However, Governor Newsom concluded that his Administration is “open to exploring ways to build upon current law to expand safeguards for children online”.

California continues to be a leader in privacy and cybersecurity legislation. We will continue to update on CCPA and other related developments as they unfold.