First, it now appears likely that rules implementing the California Consumer Privacy Act (CCPA) will not become effective until October 1. As you may recall, enforcement of the CCPA, which became law on January 1, is set to begin on the first of July. However, rules being drafted by the Attorney General's office will not become final by that date unless they are submitted to the Office of Administrative Law for review by May 31 (that is, tomorrow).
I have argued repeatedly that, especially in light of current economic circumstances, Attorney General Becerra should delay CCPA enforcement until affected businesses have been provided sufficient opportunity to assess, and come into compliance with, finalized versions of these implementing rules. Things could change in the next month, but so far he has rejected requests for additional time.
Second, privacy advocates' attempt to add the California Privacy Rights Act of 2020 (aka the CCPA 2.0) to the November ballot has cleared its first procedural hurdle. CA Secretary of State Alex Padilla recently announced that Californians for Consumer Privacy submitted significantly more signatures than required: 930,942 versus 623,212. Per state guidelines, county election officials next will attempt to verify a sufficient number of those signatures by June 25 to qualify the initiative.
Third, in a May 12 blog post, I provided a summary of the COVID-19 Consumer Data Protection Act of 2020 (CCDPA), federal privacy legislation introduced by five Republican members of the Senate Commerce Committee. The CCDPA would regulate the use of personal data to fight the spread of the coronavirus through digital contact tracing and similar techniques. A few days later, five Democrats in the Senate and House — Senators Richard Blumenthal (CT) and Mark Warner (VA) and Representatives Anna Eshoo (CA), Jan Schakowsky (IL), and Suzan DelBene (WA) — countered with their own pandemic-specific bill, the Public Health Emergency Privacy Act (PHEPA).
Similar to the CCDPA, the PHEPA would require covered entities to:
- Provide adequate notice;
- Obtain "opt-in" consent prior to collecting "emergency health data" and provide a means to revoke that consent at a later date;
- Limit the collection and use of emergency health data to that which is necessary and proportionate for a "good faith public health purpose;"
- Ensure that that data is accurate and provide consumers an opportunity to correct inaccurate information;
- Implement reasonable data security practices; and
- Stop using or maintaining emergency data after the end of the current crisis.
Also like the CCDPA, the PHEPA would empower the FTC and state attorneys general to enforce its provisions.
However, the PHEPA differs from the CCDPA in two significant respects. One, it includes a private right of action. Consumers would be able to seek relief between $100 and $1,000 per negligent violation and between $500 and $5,000 per reckless, willful, or intentional violation. I presented a number of arguments against a private right of action for privacy violations in a January 21 FSF Perspectives.
Two, it expressly does not preempt more stringent state laws. In an October 28, 2019, piece for the Free State Foundation analyzing one such law – as it happens, the CCPA – I explained why preemptive federal privacy legislation would be preferable to a patchwork of state laws.
Other provisions unique to the PHEPA include:
- A requirement that the Secretary of Health and Human Services, in consultation with the United States Commission on Civil Rights and the FTC, provide Congress with regular reports on the civil rights impact of the use of emergency health data to fight the COVID-19 pandemic; and
- A prohibition on the use of that data "to deny, retract, or interfere with" a consumer's right to vote.