Privacy Recap: Another CCPA Update, Another COVID-19 Bill

Another round of privacy developments:

First, I reported last Saturday that "it ... appears likely that rules implementing the California Consumer Privacy Act (CCPA) will not become effective until October 1." Attorney General Xavier Becerra had not yet submitted those rules to the Office of Administrative Law (OAL), and time was almost up.

It's a good thing that I qualified that statement, because on Monday – the deadline was extended from May 31, a Sunday, to Monday, June 1 – the AG beat the buzzer, seeking approval, and requesting expedited review, of the same version of rules on which his office sought public comment nearly two months ago.

I find it interesting that the request for expedited review comes right out and acknowledges that, "[o]nce final regulations are adopted, the Attorney General will enforce the regulations that establish procedures to facilitate new consumer rights under the CCPA and provide guidance to businesses for how to comply." I couldn't have said it better myself.

If the OAL grants that request and completes its review within 30 days, the rules still could go into effect on July 1, the same day on which the AG in a June 2 press release confirmed his intention to commence CCPA enforcement. Stay tuned.

Second, yet another coronavirus-specific privacy bill has been introduced. Senate Republicans on the Commerce Committee unveiled the COVID-19 Consumer Data Protection Act of 2020 (CCDPA) on May 7. Congressional Democrats responded with the Public Health Emergency Privacy Act (PHEPA) on May 14. A bipartisan group of Senators completed the trilogy on June 1 with the Exposure Privacy Notification Act (EPNA).

Sponsored by Senators Maria Cantwell (D – WA), ranking member of the Commerce Committee, and Bill Cassidy (R – LA), and co-sponsored by Senator Amy Klobuchar (D – MN), the EPNA, as its title suggests, focuses on the notices provided via contract tracing apps and similar technological approaches  to containing the spread of the virus ("automated exposure notification services").

Among other things, the EPNA would:

• Require "opt-in" consent – and allow consumers to revoke that consent at any time;
• Require app developers to collaborate with public health officials;
• Limit notifications to medically-authorized diagnoses of infectious diseases;
• Allow participating consumers to determine whether their diagnoses are included in such notifications;
• Limit data collection and use to that which is reasonably necessary for public-health purposes;
• Ban any commercial use of that data;
• Prohibit, with certain exceptions, the transfer of that data;
• Create a right to delete – and allow consumers to exercise that right at any time;
• Require, on a rolling basis, data deletion after 30 days;
• Prohibit discrimination based upon that data or a refusal to participate;
• Require minimum data security practices including breach notifications;
• Provide for oversight and reporting by the Privacy and Civil Liberties Oversight Board;
• Empower the FTC and state attorneys general to enforce its provisions;
• Authorize the FTC to impose civil penalties for first-time violations; and
• Preserve (that is, not preempt) state laws.