Covid 19 privacy hot topics and the evolving ccpa regulations

COVID-19 Privacy Hot Topics and
the Evolving CCPA Regulations
Arsen Kourinian, Data Privacy Counsel
April 15, 2020

© 2020 Knobbe Martens
COVID-19 HOT TOPICS
2

COVID-19 Privacy Hot Topics
•  (1) HIPAA and COVID-19
•  HIPAA’s Current Requirements for Covered Entities
⎼  Obtain patient’s consent to speak with family or friends
⎼  Allow patient to opt-out of hospital directories
⎼  Provide patient a privacy notice
⎼  Honor patient’s request to restrict use and disclosure of protected health information
⎼  Honor patient’s request to have confidential communications by alternative means or
location
•  U.S. Department of Health and Human Services (HHS) Recent Notice
⎼  HHS is waiving sanctions and penalties for failure to comply for up to 72 hours from when
the hospital institutes a disaster protocol in an emergency area.
3

•  (1) HIPAA and COVID-19 (Continued)
•  Telehealth Services
⎼  Need for telehealth services because of shelter in place order
⎼  HHS will not bring enforcement actions or impose penalties for good faith provision of
telehealth services using popular video conference, telecommunications or other like
applications
4

•  (1) HIPAA and COVID-19 (Continued)
•  Practical Tips and Best Practices
⎼  If possible, use HIPAA compliant telehealth vendors
⎼  Data breach can expose a business to state law claims
⎼  Public relations nightmare if there is a data breach
5

•  (2) Use of Fever Scanners
•  Businesses using fever scanners during COVID-19 outbreak
•  Data privacy concern if business does not provide notice at or before collection that
⎼  (A) it is collecting biometric data, and
⎼  (B) what the biometric data will be used for
⎼  Post privacy notice at entrance
⎼  Avoid retaining biometric data
⎼  Avoid identifying the patron
6

•  (3) Work From Home
⎼  (A) Greater risk of data breach because employees using:
o  Unsecure personal devices
o  Video conferencing apps
o  Home WiFi networks
o  AI, virtual assistant and smart devices recording confidential communications
⎼  (B) Hackers active during crisis and use social engineering and phishing scams
⎼  Be vigilant to avoid scams
⎼  Turn off voice recording devices
⎼  Transmit data over secure VPN
⎼  Run hacking simulations to test employees
7

•  (4) No Delay in CCPA Enforcement
•  Balancing data privacy compliance while ensuring business continuity
•  Pleas by Association of National Advertisers and others to delay enforcement
•  California Attorney General declined to delay enforcement because of heightened need to
protect consumer privacy during this crisis
⎼  45-day extension available to respond to CCPA requests if “reasonably necessary”
⎼  Do not ignore your obligation to implement reasonable safeguards
o  CCPA private cause of action if there is a data breach
o  Hackers more active during crisis
o  Public relations nightmare if there is a data breach
8

THE CCPA’S EVOLVING PROPOSED
REGULATIONS
FEBRUARY 10 AND MARCH 11, 2020
UPDATES
9

•  Timeline
•  October 11, 2019 – Initial proposed regulations published
•  December 2-4, 2019 – Public hearings regarding the initial proposed regulations
•  December 6, 2019 – Deadline for written comments to the initial proposed regulations
•  January 1, 2020 – CCPA goes into effect
•  February 10, 2020 – Modified proposed regulations published
•  February 25, 2020 – Deadline to submit written comments
•  March 11, 2020 – Second version of modified proposed regulations published
•  March 27, 2020 – Deadline to submit written comments
10

The CCPA’s Evolving Proposed Regulations
•  (1) Guidance (Or Lack Thereof) Regarding IP Addresses
•  IP addresses considered category of personal information under CCPA
•  Confusion if business is taking advantage of B2B and/or employee information exemptions
•  February 10, 2020 – IP address is not considered personal information if business does not
link IP address to a consumer or household and could not reasonably do so
•  March 11, 2020 – Attorney General removes this guidance from proposed regulations
following criticism from consumer rights advocates, e.g., Alastair MacTaggart and Consumer
Reports
⎼  Avoid linking IP addresses from websites with natural persons
⎼  Institute internal policy prohibiting same
11

•  (2) Guidance Regarding Accessibility
•  October 11, 2019 – Privacy notices must be accessible to consumers with disabilities
•  February 10, 2020 – Privacy notices must be “reasonably” accessible and businesses must
follow generally recognized industry standards, i.e., the Web Content Accessibility Guidelines,
version 2.1 of June 5, 2018, from the World Wide Web Consortium (WCAG 2.1)
⎼  Use videos, sound and images
⎼  Options to increase text sizes
⎼  Contrasting color schemes
⎼  Spacing and headers
⎼  Avoid lawsuits under Americans with Disabilities Act
12

•  (3) Opt-Out of Sale Logo or Button
•  CCPA requires “Do Not Sell My Personal Information” link on homepage if you sell personal
information
•  February 10, 2020 – The Attorney General provided the design for the opt-out button or logo
•  March 11, 2020 – The Attorney General removed the opt-out logo or button design
⎼  Consider whether you “sell” personal information, as defined under the CCPA
⎼  If you do not sell, then you do not need to provide opt-out notice
13

•  (4) Calendar v. Business Days
•  CCPA requires response to request to know and delete “within 45 days”
•  Original regulations require confirmation of receipt “within 10 days”
•  February 10, 2020 – Modified regulations clarify that businesses must confirm receipt within
10 business days and provide a response within 45 calendar days of receiving request
⎼  Consider implementing automated process to keep track of deadlines and requests
⎼  This will help avoid requests falling through the cracks
14

•  (5) Service Providers
⎼  CCPA states that service providers may only use personal information to perform services
under contract with business
⎼  Modified proposed regulations provide further guidance
•  February 10 and March 11, 2020 – A services provider CAN use personal information:
⎼  (A) To provide a service to the business per the written contract;
⎼  (B) To retain and employ a subcontractor;
⎼  (C) Internally to build or improve the quality of its services*;
o  *But you CANNOT: (i) build or modify consumer or household profiles for another business or (ii) correct or
augment data acquired from another source.
⎼  (D) To detect data security incidents or protect against fraudulent or illegal activities.
⎼  If service provider, include permitted uses in service provider agreement or addendum
15

•  (5) Service Providers (Continued)
•  February 10, 2020 – Clarified service providers’ role if they receive consumer requests
⎼  Service provider can either:
o  (1) Act on behalf of the business and honor the request; or
o  (2) Inform the consumer that the request cannot be acted upon because it was sent to
a service provider.
⎼  Service provider cannot simply ignore the request
⎼  No requirement to provide the name of the business
⎼  Negotiate who should respond in the service provider agreement
⎼  Best course of action is for the business to respond, instead of the service provider
16

Covid 19 privacy hot topics and the evolving ccpa regulations

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to Covid 19 privacy hot topics and the evolving ccpa regulations

Similar to Covid 19 privacy hot topics and the evolving ccpa regulations (20)

More from Knobbe Martens - Intellectual Property Law

More from Knobbe Martens - Intellectual Property Law (20)

Recently uploaded

Recently uploaded (20)

Covid 19 privacy hot topics and the evolving ccpa regulations