September 8, 2020
By
Lynn H. Wangerin
Member
Stoll Keenon Ogden PLLC
(502) 560-4283
lynn.wangerin@skofirm.com
Andrew Donovan
Attorney
Stoll Keenon Ogden PLLC
(859) 231-3076
andrew.donovan@skofirm.com
The summer of 2020 was a summer like no other. The COVID-19 pandemic has forced us into our homes for long periods of time and resulted in significant changes in the manner and to the extent we interact with and rely upon technology. It remains to be seen whether these changes are simply a temporary response to unprecedented circumstances or whether they represent an acceleration towards inevitable systemic shifts, but it is nevertheless clear that, at least for the time being, our lives are increasingly taking place online.
This shift is occurring in the context of what was already a significant rise in available and collected data, resulting in privacy and data regulation becoming an increasingly fraught issue. These developments have had an effect on privacy regulations and regulators, but perhaps not to the extent that one might have expected. On July 1, Enforcement of the California Consumer Privacy Act (CCPA) by the California Attorney General began without delay – pandemic or no pandemic –, and this summer has seen numerous other new laws come into effect. Everyone struggled, however, with the question of how to appropriately deal with the competing interests of controlling the pandemic, collecting information that many businesses never expected to need to collect and maintain, and addressing the threat of increased privacy and security violations.
Set out below are a few of the things that have happened and a few tips for dealing with data:
• The CCPA’s July 1 enforcement date is not the only privacy news to come out of California this summer. On August 14, 2020, the California Attorney General finalized regulations under the CCPA that clarify, and in certain instances expand upon, the requirements applicable to covered businesses under the act. For example, the Attorney General’s regulations require every covered business to provide a privacy policy that satisfies the regulatory guidelines, and also impose additional disclosure and opt-in requirements when covered businesses collect personal information from a mobile device or sell a consumer’s personal information.
• In addition, the CCPA, which went into effect January 1, 2020, was amended in October of 2019 to exempt certain employment and personal information involved in business-to-business communications and transactions. Those exemptions were originally set to expire on January 1, 2021. The California Privacy Rights Act (CPRA), which is on the ballot in November, would extend the exemptions for employment and business-to-business data until January 1, 2023. However, there was uncertainty about whether the exemptions would lapse under the CCPA if the CPRA is not passed in November. As a result, in June, the California legislature extended the business-to-business and employee exemptions under the CCPA until January 1, 2022, creating a backstop that only takes effect if voters do not approve the CPRA.
• The Massachusetts Attorney General announced the creation of a Data Privacy and Security Division to focus on protecting consumers from privacy and security breaches and threats signaling a higher priority on privacy and security. The new Division will focus on protecting consumers’ data privacy, empowering consumers in the digital economy, and promoting equal and open access to the internet.
• The data security requirements under the New York SHIELD Act went into effect March 21, 2020. What constitutes “private information” was expanded to include biometric information, user name/email address in combination with a password or security questions and answers, and an account number or credit/debit card number. The SHIELD act applies to any person or business that owns or licenses private information of a New York resident, broadening the original statute that applied only to those that conduct business in New York. The act mandates the development, implementation and maintenance of reasonable safeguards to protect private information, including with respect to the disposal of data.
• In a decision of significant consequence for businesses engaged in international data transfers, on July 16, 2020, the Court of Justice of the European Union issued its decision in the case Data Protection Commission v. Facebook Ireland, Schrems (“Schrems II”) invalidating the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Instead, companies must rely on GDPR compliant standard contract clauses, which were expressly upheld by the Schrems II court, and conduct case-by-case analyses to determine whether data transfers meet EU standards.
All these developments are overlaid by an impending struggle among businesses, individuals and government officials to find a balance between using technology to control the spread of the COVID-19 virus and safeguarding an individual’s data, specifically sensitive medical information. As the U.S. continues to search for measures to control the spread of the virus while reopening the economy, government agencies have put into place or contemplated a variety of tracking and surveillance technology that tests the limits of U.S. privacy law—from geolocation tracking that oversees the location of people through their mobile devices, to facial-recognition programs that analyze pictures to determine who may have come into contact with those who later test positive for the coronavirus.
The COVID-19 pandemic and the data privacy and security issues it has raised have, to many, highlighted the need for comprehensive federal privacy legislation. There is little disputing that technology and data collection have kept certain aspects of our economy and society operating during the pandemic; however, these benefits must be balanced against an individual’s fundamental right of privacy. Proponents of a congressional privacy bill argue that comprehensive federal legislation is necessary to balance these factors while also creating a framework that is both effective and efficient.
Here are a few tips to help navigate data collection and retention:
• Collect only personal information that is needed or helpful to your business.
• Know where and how data is being collected.
• Know where data is being stored (electronically and physically) and for how long.
• Be sure that agreements with vendors or others that may have access to your data contain protections and impose obligations to limit use of and protect data.
• Delete/destroy unneeded data and be sure that the deletion procedure is safe.
• Have a policy relating to data security, collection, storage and destruction that is well publicized within your organization and regularly review and update it.
• Be sure that your privacy policy matches your current practices, including data collected in connection with COVID-related procedures.
****
Stoll Keenon Ogden’s Privacy & Information Security attorneys are ready – as the firm has been for more than 120 years – to answer your questions about electronic communications, cybersecurity, privacy and data protection issues and help you manage risk related to data collection and security through contracts with vendors and others and in preparing and adopting privacy and business policies.
On our Stoll Keenon Ogden website, you’ll find a variety of resources, including the latest information on new laws and directives enacted by federal, state, and local governments; access to firm attorneys; and details about business considerations related to the Coronavirus pandemic.