And Then There Were Five…

Just last summer, in July of 2021, Colorado joined California and Virginia, and became the third U.S. state with a comprehensive consumer privacy law. The Colorado Privacy Act is set to take effect in July 2023.

Hot on its heels, and within just two months of each other, first Utah in March of 2022, now Connecticut in May of 2022, passed privacy bills which will become effective in 2023.

So far, California remains the only state which allows for a private right of action in connection with its privacy bill. For more information, please see our comparison of the current U.S. state consumer privacy laws below.

For our unofficial redline of the CPRA, click here.

Follow these links for the official text of the CPRA, CPA, CTDPA, UCPA, and VCDPA.

To view and download a PDF version of this chart, click here.

Banner for PrivSec Global: A Global Live Stream Experience. 22-23 September 2021. The Largest Data Protection, Privacy and Security Event of 2021. Businesspeople smiling in the background of the banner.

Metaverse Law Speaks at PrivSec Global

On September 23, 2021 attorney Lily Li spoke at PrivSec Global: The Largest Data Protection, Privacy and Security Event of 2021. The Global Live Stream Experience was a two day event from September 22 to September 23, 2021.

The topic of discussion was “Why Most CCPA Cases Will Fail: Five Hurdles Plaintiffs Must Clear.” For more details on the topic and to watch the presentation on-demand, click here.

Image of virginia state and shield. Virginia has a new data privacy law.

Virginia Governor Signs Comprehensive Data Privacy Law

Image Credit: Kjrstie from Pixabay.

Following hot on the footsteps of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.

California Consumer Privacy Act
(CCPA)
California Privacy Rights Act
(CPRA)
Virginia Consumer Data Protection Act
(VCDPA)
Date of effectJanuary 1, 2020January 1, 2023January 1, 2023
Law applies toA “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% in annual revenue from sales of consumer data
Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.Applies to businesses that
• Handles the records of at least 100,000 Virginia consumers; or
• Handles the records of at least 25,000 Virginia consumers and derives over 50% in gross revenue from sales of consumer data

Definition of personal data
Any information that could be associated or linked with a particular consumer or household.Same as CCPA, except that there is a reasonableness element:
Any information that could be reasonably associated or linked with a particular consumer or household.
Limited to particular consumers.
“Any information that is linked or reasonably linkable to an identified or identifiable natural person”
Definition of sensitive personal dataDoes not define sensitive personal data.Defines sensitive personal data to include:
• Social security number
• Driver’s license
number
• Account log-in, debit,
or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or
philosophical beliefs
• Union membership
• Contents of e-mails or
texts to others
• Genetic/biometric
data
• Health information
• Sex life/sexual
orientation data
Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical
health diagnosis
• Sexual orientation
• Citizenship/
immigration status
• Genetic/biometric
data
• Children’s data
• Precise geolocation
Consumer rights• Access
• Deletion
• Non-Discrimination
• Opt-out of:
o Sale of personal data
Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of
sensitive personal information
• Access
• Correction
• Deletion
• Port
• Opt-out of:
o Targeted advertising
o Sale of personal data
o Profiling in furtherance of decisions that produce legal effects
Data Privacy Impact AssessmentsNo requirement to conduct or document.No requirement to conduct or document.Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers.”
Data Protection AuthorityCalifornia Office of the Attorney General$10 million allocated per year to the California Privacy Protection Agency (CPPA).
Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.
Virginia Office of the Attorney General
Cure Provision30 days to cure upon written notice of a violation by the California Attorney General’s office.Ability to cure removed from CPRA.30 days to cure upon written notice of a violation by Virginia Attorney General’s office.
EnforcementAdministrative fines ranging from $2,500 per violation to $7,500 for intentional violations.Administrative fines of $7,500 now includes intentional violations and children’s data violations.Administrative fines of $7,500 per violation.
Private Right of ActionConsumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.Same as CCPA.Consumers do NOT have a private right of action.
Cell phone with image of lock on the screen.

Reasonable Security: Implementing Appropriate Safeguards in the Remote Workplace

Photo by Franck on Unsplash

In 2020, with large portions of the global workforce abruptly sent home indefinitely, IT departments nationwide scurried to equip workers of unprepared companies to work remotely.

This presented an issue. Many businesses, particularly small businesses, barely have the minimum network defenses set up to prevent hacks and attacks in the centralized office. When suddenly everyone must become their own IT manager at home, there are even greater variances between secure practices, enforcement, and accountability.

“Reasonable Security” Requirements under CCPA/CPRA and Other Laws

Under the California Consumer Privacy Act (CCPA), the implementation of “reasonable security” is a defense against a consumer’s private right of action to sue for data breach. A consumer who suffers an unauthorized exfiltration, theft, or disclosure of personal information can only seek redress if (1) the personal information was not encrypted or redacted, or (2) the business otherwise failed its duty to implement reasonable security. See Cal. Civ. Code § 1798.150.

Theoretically, this means that a business that has implemented security measures—but nevertheless suffers a breach—may be insulated from liability if the security measures could be considered reasonable measures to protect data. Therefore, while reasonable security is not technically an affirmative obligation under the CCPA, the reduced risk of consumer liability made reasonable security a de facto requirement.

However, under the recently passed California Privacy Rights Act (CPRA), the implementation of reasonable security is now an affirmative obligation. Under revised Cal. Civ. Code § 1798.100, any business that collects a consumer’s personal information shall implement reasonable security procedures and practices to protect personal information. See our CPRA unofficial redlines.

Continue Reading Reasonable Security: Implementing Appropriate Safeguards in the Remote Workplace
Medical stethoscope and blue ink pen laying on appointment booklet. HIPAA privacy notices.

Deidentified Health Info under HIPAA: Deconstructing Dinerstein v. Google, LLC

Image Credit: DarkoStojanovic from Pixabay.

HIPAA Lawsuit
Privacy Compliance

Health data is an increasingly fraught area of privacy. Outside of sectoral health privacy laws like HIPAA, many regulations such as the GDPR and the California Privacy Rights Act (CPRA) rightly treat health or biometric information as a sensitive or special category of data deserving of more protections than many other types of data.

The amount of electronic heath data collected by companies is also increasing at a staggering rate. DNA testing kits and wearable fitness trackers are everywhere, and telehealth has proliferated in the wake of COVID-19.

Healthcare data controllers are just as likely to be big tech companies as opposed to traditional covered entities. Consequently, courts now need to consider a variety of privacy frameworks, not just HIPAA and HITECH, when they adjudicate healthcare claims.

In September 2020, the U.S. District Court for the Northern District of Illinois dismissed a lawsuit brought against the University of Chicago and the University of Chicago Medical Center (collectively referred to as “the University”) and Google for allegations that the University improperly disclosed healthcare data to Google as part of a research partnership. Dinerstein v. Google, LLC, No. 19-cv-04311 (N.D. Ill. 2020).

Even though the University and Google were able to shake off this lawsuit, this case touched upon several interesting questions at the intersection of HIPAA and other privacy laws:

Continue Reading Deidentified Health Info under HIPAA: Deconstructing Dinerstein v. Google, LLC
1 2