With the advent of COVID-19, are governments around the world too busy with the pandemic to address privacy issues? In some instances, privacy has moved to the forefront, while in others, it has taken a back seat, as we will point out.
In California, the Attorney General has indicated he will not postpone enforcement of the California Consumer Privacy Act (CCPA), set to begin on July 1. However, CCPA enforcement may be heightened by the end of this year if California voters pass the California Privacy Rights Act (CPRA). As we pointed out in a previous blog, the CPRA crossed a significant threshold, collecting more than 900,000 signatures to qualify for the November 2020 ballot. If passed, the CPRA would introduce significant additions to the CCPA, hence the moniker often attached to it, “CCPA 2.0.” Important implications of the CPRA include, but are not limited to, new requirements for businesses and service providers, a data minimization obligation, the establishment of a California Privacy Protection Agency and an expansion of the private right of action. Additionally, on June 2, the Attorney General submitted the final CCPA regulations to the Office of Administrative Law (OAL) for review.
In this COVID-19 era, elevated privacy practices are a priority during the re-opening phase to ensure the health and safety of staff and consumers. Businesses are developing and implementing safety protocols such as temperature checks and requiring disclosure of COVID-19 symptoms. We would caution these businesses to be aware of the privacy implications: health-related personal information such as a person’s temperature may be protected under HIPAA, the CCPA and/or state laws independent of HIPAA. For example, section 1798.100 of the CCPA requires disclosures, such as a notice at or before the point of collection if the business collects personal information.
Employees’ personal information is currently exempt from most CCPA obligations, but that exemption expires on January 1, 2021. Further, the exemption only applies if the business collects and uses the employee’s personal information “within the context” of the employee’s role. Therefore, if collecting employees’ temperatures is unrelated to their job function, the employee exemption would not apply, and disclosure under the CCPA is required. Likewise, if the business intends to use the information for a secondary purpose unrelated to employees’ job functions, notice to employees is required at or before any temperature or medical information is collected. A visibly posted privacy notice or questionnaire disclosing the categories of personal information collected, the categories of sources, the purpose of collection, and any third parties with whom the information is shared, if applicable, is recommended. Different situations and circumstances apply to different organizations, and to those located in other states. Thus, another recommendation is to consult privacy law advisors and partners.
All of this recent activity has generated interest in federal privacy legislation. A federal COVID-19 privacy bill, the COVID-19 Consumer Data Protection Act, has been introduced. The Act is intended to address privacy issues around the collection, use, and disclosure of data used to track those who have COVID-19 or have been in close proximity to anyone who may be infected. Google and Apple have also gained media attention for their proposed contact tracing technology. As of this writing, the bill has been introduced in the Senate, and House members have put forward their own version, the Public Health Emergency Privacy Act. We will continue to monitor the federal efforts in Washington as they move forward.
COVID-19 may have slowed litigation activity under the CCPA since it took effect on January 1, 2020. A cursory review of pending cases shows that some complaints invoke the CCPA’s private right of action for data breaches, while others allege failure to meet, or violation of, other requirements under the CCPA. The cases are in preliminary stages, and it will be interesting to see how the courts interpret these types of claims.
Moreover, in light of COVID-19, the Secretary of the U.S. Department of Health and Human Services (HHS) waived certain provisions of the HIPAA Privacy Rule. The waiver took effect on March 15, 2020, and defers sanctions and penalties for noncompliance related to sharing patient information. The exemption is not a blanket one: it only covers good-faith uses or disclosures for public health activities, and the enforcement moratorium does not extend to other requirements or restrictions under the Privacy Rule.
On the global privacy front, Brazil is seeking to postpone enforcement of its version of the GDPR, the Lei Geral de Proteção de Dados (LGPD), until August 2021 because of the COVID-19 pandemic. Thailand has postponed its Personal Data Protection Act (PDPA) to May 2021 for the same reason.
In sum, privacy law is fluid and moves quickly, which is why we at Protiviti closely follow and study evolving obligations and statutes. Faced with myriad regulations and the continuing evolution of privacy law, many businesses are working out what data they store, why they store it, how to respond to consumer requests, and who can access the data, whether the consumer, third parties or internal team members. We have partnered with clients to stand up cutting-edge infrastructure, governance, and processes to support these efforts. In that spirit, we will continue to monitor privacy developments and help enterprises become proficient in their data privacy duties and obligations.
To learn more about Protiviti’s Security and Privacy practice, contact us.