And given the CPRA’s creation of the California Privacy Protection Agency—a new regulatory body with a $10 million annual budget—drafters of privacy policies would do well to write with this audience, and its potential enforcement powers, in mind.
Approved by voters as the next chapter to the California Consumer Privacy Act (CCPA), the CPRA makes considerable revisions to consumer rights and business obligations, most of which will not become operative until Jan. 1, 2023.
As I explained before, the CPRA not only bolsters the scope of consumer rights created by the CCPA, but it also introduces new ones. Specifically, it broadens existing rights to encompass the “sharing” of personal information with third parties, and it creates new rights to correct inaccurate personal information and to limit the use of sensitive personal information.
While not quite a cliffhanger, businesses following the CCPA storyline were left to wonder if just one method for deletion requests would be sufficient.
Superfans of California privacy may recall a measure approved by Gov. Gavin Newsom last September (AB 713) that aligned certain CCPA exemptions with the federal Health Insurance Portability and Accountability Act (HIPAA). Among other things, AB 713 broadened the CCPA’s exemptions for health data by harmonizing the CCPA’s definition of “deidentified” with HIPAA.
Knowing that the CPRA could be placed on the November ballot, proponents of AB 713 tucked their clarifying text into two new sections of the California Civil Code—§1798.146 and §1798.148—thus shielding their language from potential CPRA revisions.
Unsurprisingly, that provision does not appear in the CPRA; after all, it was added to §1798.130 more than nine months after the ballot measure was drafted. And since the terms of the CPRA revise and replace all of §1798.130, subsection (a)(5)(D) will disappear come Jan. 1, 2023.
Unless, of course, an amendment is passed in the meantime.
I find it hard to fathom that such an amendment would be introduced. Would anyone (aside from a regulator) really care which deidentification method was used? Nevertheless, businesses selling deidentified patient information better ensure that their policies currently disclose the method used, since that requirement is currently in force.
A more significant CPRA amendment affects businesses that do not sell personal information.
Whether “prominent” disclosure would require boldface, a larger font, or “above the fold” messaging is anyone’s guess until the California Privacy Protection Agency issues regulations clarifying the matter. Those regulations are not due until July 1, 2022.
While some stories are worth reading twice, in my view, a business’s data management practices are not among them. I’d recommend folding any California-specific content into the policy itself. Save retelling for a yarn worth repeating.
Bloomberg Law subscribers can find related content on our In Focus: CCPA page.