acc-sd webinar covid-19 hot topics and ccpa regulations

COVID-19 Privacy Hot Topics and
the Evolving CCPA Regulations
Arsen Kourinian, Data Privacy Counsel
April 30, 2020

© 2020 Knobbe Martens
COVID-19 HOT TOPICS
2

COVID-19 Privacy Hot Topics
• (1) HIPAA and COVID-19
• HIPAA’s Current Requirements for Covered Entities
⎼ Obtain patient’s consent to speak with family or friends
⎼ Allow patient to opt-out of hospital directories
⎼ Provide patient a privacy notice
⎼ Honor patient’s request to restrict use and disclosure of protected health information
⎼ Honor patient’s request to have confidential communications by alternative means or
location
• U.S. Department of Health and Human Services (HHS) Recent Notice
⎼ HHS is waiving sanctions and penalties for failure to comply for up to 72 hours from when
the hospital institutes a disaster protocol in an emergency area.
3

• (1) HIPAA and COVID-19 (Continued)
• Telehealth Services
⎼ Need for telehealth services because of shelter in place order
⎼ HHS will not bring enforcement actions or impose penalties for good faith provision of
telehealth services using popular video conference, telecommunications or other like
applications
4

• (1) HIPAA and COVID-19 (Continued)
• Practical Tips and Best Practices
⎼ If possible, use HIPAA compliant telehealth vendors
⎼ Data breach can expose a business to state law claims
⎼ Public relations nightmare if there is a data breach
5

• (2) Use of Fever Scanners
• Businesses using fever scanners during COVID-19 outbreak
• Data privacy concern if business does not provide notice at or before collection that
⎼ (A) it is collecting biometric data, and
⎼ (B) what the biometric data will be used for
⎼ Post privacy notice at entrance
⎼ Avoid retaining biometric data
⎼ Avoid identifying the patron
6

• (3) Work From Home
⎼ (A) Greater risk of data breach because employees using:
o Unsecure personal devices
o Video conferencing apps
o Home WiFi networks
o AI, virtual assistant and smart devices recording confidential communications
⎼ (B) Hackers active during crisis and use social engineering and phishing scams
⎼ Be vigilant to avoid scams
⎼ Turn off voice recording devices
⎼ Transmit data over secure VPN
⎼ Run hacking simulations to test employees
7

• (4) No Delay in Enforcing the California Consumer Privacy Act (CCPA)
• Balancing data privacy compliance while ensuring business continuity
• Pleas by Association of National Advertisers and others to delay enforcement
• California Attorney General declined to delay enforcement because of heightened need to
protect consumer privacy during this crisis
⎼ 45-day extension available to respond to CCPA requests if “reasonably necessary”
⎼ Do not ignore your obligation to implement reasonable safeguards
o CCPA private cause of action if there is a data breach
o Hackers more active during crisis
o Public relations nightmare if there is a data breach
8

THE CCPA AND IT’S EVOLVING
PROPOSED REGULATIONS
Key Updates – February 10 and March 11,
2020
9

What is the CCPA?
10
The CCPA is the most comprehensive data privacy
law in the United States. It provides California residents
certain rights with respect to their personal information:
• Notice at or before the point of collection
• Right to know
• Right to deletion
• Right to opt-out of the sale of their personal information
• Right to not face discrimination for exercising their CCPA rights

Who Does it Apply to?
11
• For-profit businesses conducting business in California that collect or process personal
information of California residents AND meet one of the below:
⎼ (1) Gross revenues in excess of $25 million;
⎼ (2) Annually buy, receive, sell or share personal information of 50,000 California residents,
households or devices; OR
⎼ (3) Derive 50%+ of revenue selling California residents’ personal information.
• Also, any entity that controls or is controlled by a business above.

Broad Definition of Personal Information
12
• Information that identifies, relates to, describes, is reasonably capable of being associated
with, or could reasonably be linked, directly or indirectly, with a particular consumer or
household.

Broad Definition of “Sell”
13
• Selling, renting, releasing, disclosing, disseminating, making available, transferring, or
otherwise communicating orally, in writing, or by electronic or other means, a consumer's
personal information by the business to another business or a third party for monetary or
other valuable consideration.
• Transfer of personal information to vendors could constitute a “sale” unless they meet
definition of “service provider.”
⎼ (1) Written contract with business
⎼ (2) Use personal information to perform services in contract

Timeline Regarding CCPA and Proposed Regulations
• June 28, 2018 – Signed into law
• October 11, 2019 – Various amendments to CCPA signed into law
• October 11, 2019 – Initial proposed regulations published
• December 2-4, 2019 – Public hearings regarding the initial proposed regulations
• December 6, 2019 – Deadline for written comments to the initial proposed regulations
• January 1, 2020 – CCPA goes into effect
• February 10, 2020 – Modified proposed regulations published
• February 25, 2020 – Deadline to submit written comments
• March 11, 2020 – Second version of modified proposed regulations published
• March 27, 2020 – Deadline to submit written comments
• ??? – Final CCPA regulations
14

The CCPA’s Evolving Proposed Regulations
• (1) Guidance (Or Lack Thereof) Regarding IP Addresses
• IP addresses considered category of personal information under CCPA
• Confusion if business is taking advantage of B2B and/or employee information exemptions
• February 10, 2020 – IP address is not considered personal information if business does not
link IP address to a consumer or household and could not reasonably do so
• March 11, 2020 – Attorney General removes this guidance from proposed regulations
following criticism from consumer rights advocates, e.g., Alastair MacTaggart and Consumer
Reports
⎼ Avoid linking IP addresses from websites with natural persons
⎼ Institute internal policy prohibiting same
15

• (2) Guidance Regarding Accessibility
• October 11, 2019 – Privacy notices must be accessible to consumers with disabilities
• February 10, 2020 – Privacy notices must be “reasonably” accessible and businesses must
follow generally recognized industry standards, i.e., the Web Content Accessibility Guidelines,
version 2.1 of June 5, 2018, from the World Wide Web Consortium (WCAG 2.1)
⎼ Use videos, sound and images
⎼ Options to increase text sizes
⎼ Contrasting color schemes
⎼ Spacing and headers
⎼ Avoid lawsuits under Americans with Disabilities Act
16

• (3) Opt-Out of Sale Logo or Button
• CCPA requires “Do Not Sell My Personal Information” link on homepage if you sell personal
information
• February 10, 2020 – The Attorney General provided the design for the opt-out button or logo
• March 11, 2020 – The Attorney General removed the opt-out logo or button design
⎼ Consider whether you “sell” personal information, as defined under the CCPA
⎼ If you do not sell, then you do not need to provide opt-out notice
17

• (4) Calendar v. Business Days
• CCPA requires response to request to know and delete “within 45 days”
• Original regulations require confirmation of receipt “within 10 days”
• February 10, 2020 – Modified regulations clarify that businesses must confirm receipt within
10 business days and provide a response within 45 calendar days of receiving request
⎼ Consider implementing automated process to keep track of deadlines and requests
⎼ This will help avoid requests falling through the cracks
18

• (5) Service Providers
⎼ CCPA states that service providers may only use personal information to perform services
under contract with business
⎼ Modified proposed regulations provide further guidance
• February 10 and March 11, 2020 – A services provider CAN use personal information:
⎼ (A) To provide a service to the business per the written contract;
⎼ (B) To retain and employ a subcontractor;
⎼ (C) Internally to build or improve the quality of its services*;
o *But you CANNOT: (i) build or modify consumer or household profiles for another business or (ii) correct or
augment data acquired from another source.
⎼ (D) To detect data security incidents or protect against fraudulent or illegal activities.
⎼ If service provider, include permitted uses in service provider agreement or addendum
19

• (5) Service Providers (Continued)
• February 10, 2020 – Clarified service providers’ role if they receive consumer requests
⎼ Service provider can either:
o (1) Act on behalf of the business and honor the request; or
o (2) Inform the consumer that the request cannot be acted upon because it was sent to
a service provider.
⎼ Service provider cannot simply ignore the request
⎼ No requirement to provide the name of the business
⎼ Negotiate who should respond in the service provider agreement
⎼ Best course of action is for the business to respond, instead of the service provider
20

acc-sd webinar covid-19 hot topics and ccpa regulations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to acc-sd webinar covid-19 hot topics and ccpa regulations

Similar to acc-sd webinar covid-19 hot topics and ccpa regulations (20)

More from Knobbe Martens - Intellectual Property Law

More from Knobbe Martens - Intellectual Property Law (20)

Recently uploaded

Recently uploaded (20)

acc-sd webinar covid-19 hot topics and ccpa regulations