In our second California Privacy Update, we continue to closely follow updates in California privacy law, especially those to the California Privacy Rights Act (CPRA). Below are the recent updates to California’s privacy law and takeaways for companies to be on the lookout for prior to the CPRA going into effect.
Lawmakers Look to Extend CCPA/CPRA
Since its initial draft, the future of business-to-business (B2B) and employee data exemptions under California law has been nebulous. In November of 2021, the CPRA extended the business-to-business and employee information exemptions in the CCPA to January 1, 2023 (subject to certain limitations). Most recently, however, on February 18, 2022, two bills were introduced to extend the timeline of the exemptions. Bill AB-2891 proposes to extend the exemptions until January 1, 2026, while Bill AB-2871 would extend the exemptions indefinitely. Both bills are scheduled to be heard by committee on March 21, 2022. It’s unclear whether the CPRA permits California lawmakers to permanently exempt these categories of data, and it’s possible that any bill allowing for such exemptions would be challenged in court.
Businesses currently relying on these exemptions under the CCPA should plan accordingly, as the exemptions are set to expire at the beginning of next year when the CPRA goes into effect. They should also be aware of the obligations that they may already have under the CCPA for these categories of data, such as the requirement to provide notice of data collection activities to California employees.
CPPA Announces New Deadline for CPRA Rule-Making
The CPRA established the first-of-its-kind California Privacy Protection Agency (CPPA or “Agency”). Governed by a five-member board, the Agency is responsible for rulemaking and enforcement under the CPRA. The text of the CPRA requires that the Agency adopt final CPRA regulations by July 1, 2022.
On February 17, 2022, the Agency met to discuss, among other things, organization, hiring, budget and, most notably, the new timeline for rulemaking. In this meeting, the Agency reported that it does not foresee meeting the July 1, 2022 timeline. Instead, the Agency anticipates preliminary public hearings in March and April. Further, the Agency expects the completion of rulemaking as late as the fourth quarter of 2022, potentially only a few weeks before the January 1, 2023 date that the CPRA goes into effect.
Businesses seeking compliance with the CPRA and implementing strategies in support of its new regulations will likely find this timeline challenging. As such, companies will need to closely monitor regulations, follow the Agency’s response to comments, and be agile in their approach to implementing the regulations.
In the interim and until the Agency’s enforcement, we can expect that the Office of the Attorney General of California will continue its investigative sweep and its efforts to send notices of alleged noncompliance with the CCPA.
California Senate Bill Would Protect Biometric Information Similar to Illinois’s BIPA
On February 17, 2022, Senate Bill 1189 (the “Bill”), sponsored by Senator Wieckowski, was introduced to the California Senate with the goal of protecting consumers’ biometric data. This bill shares many similarities with Illinois’s Biometric Information Privacy Act (“BIPA”) but is even broader in scope.
Like BIPA, the Bill targets businesses that collect biometric information on individuals, such as fingerprints, faceprints, iris and retina information. Going beyond BIPA, the Bill also seeks to (a) protect voiceprint, keystroke patterns, sleep, health and exercise data, and (b) include data already covered by California’s Genetic Information Privacy Act and the federal Health Insurance Portability and Accountability Act. Thus, if enacted, a significantly larger number of businesses will be impacted by the Bill.
If passed, businesses collecting biometric data in California will need to:
(1) provide and establish a retention schedule with clear guidelines for permanently destroying the biometric information;
(2) refrain from selling, leasing, trading, using for advertising purposes, or otherwise profiting from a person’s biometric information;
(3) refrain from disclosing an individual’s sensitive data unless the individual authorizes the disclosure or completes a financial transaction requested or authorized by the subject of the biometric information; and
(4) store, transmit, and protect from disclosure biometric information using reasonable security standards.
Notably, like BIPA, the Bill includes a private right of action. Relief sought can include either statutory damages of anywhere between $100 and $1,000 per violation per day or actual damages, as well as punitive damages, attorney fees and any other relief the court determines to be appropriate. The Bill is currently pending committee assignment, and it is unclear what traction it will get in the legislature.