News that a number of trade associations asked the California attorney general to postpone enforcement of the California Consumer Privacy Act (CCPA) until Jan. 2, 2021, can’t help but make one wonder just how much data privacy laws as a whole are being adhered to right now. Companies in the age of the coronavirus pandemic, after all, are slightly more focused on how to generate revenue as all of their employees head home to work remotely.
Those organizations deemed “essential” likely are scrambling to keep up as members of their workforce fall sick. Employer interest—and that of the general public—in the health of workers as well as their movements prior to any COVID-19 diagnosis would seem to place compliance with data privacy laws on a back burner.
But even if privacy is not entirely top-of-mind in this new world order, state data privacy laws as well as federal ones (think the Health Insurance Portability and Accountability Act, or HIPAA) “remain in place,” noted Brian Kint, a member at law firm Cozen O’Connor.
Employer interest in COVID-19 diagnoses
Employers walk a tenuous path right now as they seek to protect their employees in part by finding out which ones happen to be afflicted with COVID-19. “There is legal risk associated with disclosing the identity of an afflicted employee,” said Jeffrey Poston, co-chair of the Privacy & Cybersecurity Group at law firm Crowell & Moring. While “employers are generally protecting the identity of the employee,” they are also “gathering the names of the employees with whom the patient may have had contact and notifying those individuals and urging them to get tested,” Poston noted.
Companies have to balance the privacy and confidentiality of a coronavirus-diagnosed employee “with employee safety,” Kint said. “If a company has to notify employees that they may have been exposed, it should do so without releasing the identity of the infected employee,” he suggested. Keeping that confidentiality will “encourage employees to report a positive test result that they may otherwise be reluctant to share with their employer,” Kint said.
Interestingly enough, HIPAA privacy protections remain in place. In February, the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) issued “a warning to employers that the HIPAA Privacy rule continues to apply during the outbreak of infectious disease or other emergency situations,” cautioned Steve Cosentino, a partner at law firm Stinson.
HIPAA “has been around for quite some time” though, Cosentino noted. “It is not surprising that we have not seen similar proclamations about some of the newer state privacy laws,” he said. But the HHS Office for Civil Rights is giving some people a break in this fraught time; earlier this month, the agency announced it would be “exercising its enforcement discretion” to not impose penalties on healthcare providers using telehealth communications in good faith during the COVID-19 nationwide public health emergency.
California Consumer Privacy Act
Not long after California Governor Gavin Newsom declared a state of emergency to help address the spread of COVID-19, more than a dozen trade associations along with some companies and organizations wrote to ask California Attorney General Xavier Becerra to hold off on CCPA enforcement until next year. The March 17 letter from entities including the Association of National Advertisers, the Cemetery and Mortuary Association of California, and the United Parcel Service (UPS) expresses concern that “given current events and the presently unfinished status” of CCPA regulations, “businesses will not have the operational capacity or time to bring their systems into compliance” with the CCPA by its current July 1, 2020, enforcement date.
That effort did not sit well with some. “This is a cynical attempt by industry to avoid honoring California consumers’ constitutional right to privacy, and industry shouldn’t exploit the health crisis to ignore consumer requests to companies to stop selling their data,” said Justin Brookman, director of privacy and technology policy at Consumer Reports, via press release.
“Now that more consumers are working from home and relying on tech companies for crucial communications, the attorney general needs to ensure that appropriate safeguards are in place,” Maureen Mahoney, a policy analyst at Consumer Reports, added.
Whether the California AG can unilaterally opt to defer CCPA enforcement for a year “is not immediately clear,” said Laura Jehl, global head of the Privacy and Cybersecurity Practice at law firm McDermott Will & Emery.
“The original delay in enforcement of the privacy provisions—from a January 1, 2020, effective date to July 1, 2020—came about as a result of an amendment to the law” passed by the California state legislature, she noted.
Even so, absent egregious behavior by a business, “it’s unlikely that we will see a significant CCPA enforcement action this year,” Jehl predicted. Still, “the major provisions of the law have been reasonably clear for some time,” she said. Moreover, “the AG earlier warned that he expected companies to come into compliance by January 1,” Jehl recalled. As such, it “is not inconceivable” that Becerra would pursue enforcement for a “blatant” violation, “particularly by a company with the sophistication and resources to have engaged in a compliance program before now,” she said. Alternatively, the California AG’s office could just issue a strong warning or direct a violator to cease and desist inappropriate practices, Jehl noted.
Given the state of business during the current pandemic, the risk of a CCPA enforcement action within the next six months should probably not be “high on a company’s list of things to be worried about right now,” said Kirk Nahra, co-chair of the Cybersecurity and Privacy Practice at law firm WilmerHale.
The press office of the California attorney general did not respond to a request for comment.
New York’s SHIELD Act
Meanwhile, data security elements of New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect on March 21, 2020.
Although New York has been hard hit by the coronavirus pandemic, so far “there has been no indication” that Attorney General Letitia James “will not enforce security and privacy-related laws during the global pandemic,” said Kate Hanniford, a senior associate at the law firm Alston & Bird.
Most of the SHIELD Act’s provisions “have already taken effect” anyway, noted Brian Mahanna, a partner at WilmerHale. “The reasonable data security provisions are all that’s newly in place,” he said. Enforcement of those aspects of the law “was always likely to be backwards-looking and predicated by a data breach, rather than the attorney general proactively, randomly investigating individual companies for failure to adopt such standards,” Mahanna said.
AG discretion and limited resources
As a practical matter, state attorneys general have a lot on their plates right now. “It seems unlikely at this particular point in time that the CCPA will be the [California] AG’s top priority on account of the pandemic,” observed Aaron Simpson, a partner at law firm Hunton Andrews Kurth.
The judiciary has also been impacted by the recent turn of events. “State courts are shutting down and limiting court activities to emergency matters,” Kint noted. Although the California AG “has the power to bring a civil enforcement action,” any such efforts likely “will be delayed” for as long as courts are closed, Kint said.
The same holds true elsewhere. “Given the significant current COVID-19 outbreak in New York, any immediate enforcement of the SHIELD Act seems highly unlikely,” Jehl said.
State attorneys general “determine based upon their own priorities what laws to enforce and when to enforce them,” said Douglas Gansler, a partner at Cadwalader. As unlikely as it is that an attorney general might announce that he or she has no plans to enforce a particular statute, the reality is that limited resources do tend to limit how much can actually be enforced, explained Gansler, a former attorney general of Maryland.
But private rights of action have not been eliminated. Indeed, a class-action complaint filed earlier this year in federal court in the Northern District of California against Hanna Andersson, which sells children’s apparel, and Salesforce, a provider of cloud-based e-commerce services, alleges, among other things, violation of the CCPA. The case is ongoing.
Despite the stress of this moment, “COVID-19 has increased the importance of a company’s privacy and security compliance,” Hanniford said. “The shift to remote work arrangements may raise more specific issues depending on a company’s information security environment.”
Even at this challenging moment, “all organizations should make cyber-security—whether defined as ‘reasonable security’ under CCPA or ‘reasonable administrative, technical, and physical safeguards’ under the SHIELD Act—their top priority,” Jehl suggested. “Many experts are predicting a significant upturn in cyber-crime while employees, including IT and information security staffs, are working from home.”
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.