Privacy Law In Review – What You Need to Know (November 2020)

On election day 2020, Californians voted to approve Proposition 24, a ballot measure that created the California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA). Most of the CPRA’s substantive provisions will not take effect until January 1, 2023. Certain sections however, for example the CPRA’s expansion of the “Right to Know,” impacts personal information (PI) collected on or after January 1, 2022.   Among other things, the CPRA:

• Modifies the definition of a covered “business” by (i) doubling the CCPA’s threshold number of consumers or households from 50,000 to 100,000; (ii) expanding applicability to businesses that generate most of their revenue from sharing PI in addition to selling it; and (iii) extending he definition of a covered business to include joint ventures or partnerships composed of businesses that each have at least a 40% interest.
• Introduces “sensitive personal information” as a new regulated dataset in California, imposing limitation requirements and consumers rights to limit use of their sensitive PI, including government identifiers (such as Social Security numbers and driver’s licenses); financial account and login information (such as credit or debit card number together with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information.
• Extends the current limited CCPA exemption for employment and business-to-business data until January 1, 2023.
• Includes a new right to correction of inaccurate PI, mandatory risk assessments, right to opt our of automated decision making technology, right to access information about automated decision making, right to restrict sensitive PI for secondary purposes.
• Modifies the right to know, extends the opt in right for minors, modifies the right to delete, expands data portability requirements, and expands the right to opt out. 
• Distinguishes between two types of advertising: “cross-context behavioral advertising” and “non-personalized advertising.” 
• Amends the definition of “service provider” and introduces “contractors,” a new category of recipients of PI who process PI made available to them by businesses pursuant to a written contract. The CPRA imposes the same contractual and direct obligations on contractors that it otherwise imposes on service providers, and also requires contractors to certify that they understand and will comply with such contractual obligations.
• Imposes a number of new obligations on service providers and contractors, including requiring them to notify businesses of any engagement with a sub-service provider or subcontractor and to bind those parties to the same written contract that is otherwise arranged between businesses and service providers.
• Directly obligates service providers and contractors to cooperate with and assist businesses in responding to privacy rights requests.
• Clarifies that businesses generally must contractually prohibit service providers and contractors from combining any PI received from the business with PI from other sources or collected on its own behalf.
• Establishes the California Privacy Protection Agency (CPPA) to investigate and enforce the CCPA and CPRA.
• Removes the 30-day cure period that businesses currently enjoy under the CCPA after being notified by the OAG of an alleged violation, and triples the maximum penalties to $7,500 for violations concerning minors.
• Codifies the concepts of data minimization, purpose limitation and storage limitation.
• Clarifies the “consent” standard applicable in certain limited scenarios, some of which already required consent under the CCPA.
• Clarifies that consumer login credentials are among the data types that can give rise to a private right of action if breached.

In the wake of the July 2020 decision by the Court of Justice of the European Union (CJEU) that invalidated U.S. Privacy Shield as a mechanism to transfer personal data from Europe to the U.S. (Shrems II), there has been a flurry of proposals and discussions about the future of data transfers from the European Economic Area (EEA).

On November 12, 2020, the European Commission issued new draft Standard Contractual Clauses for the transfer of personal data from the EEA to third countries, which are designed to replace existing SCCs and bring them in line with the Shrems II ruling. At the Commission’s request, the the European Data Protection Board (EDPB) will issue a joint opinion, with the European Data Protection Supervisor (EDPS), on the proposed SCCs. The public comment period is open until December 10, 2020.

On November 11, 2020, the European Data Protection Bard issued draft recommendations describing how controllers and processors transferring data outside the European Economic Area (EEA) may be able to do so after Schrems II.  The deadline for public comment on these recommendations has been extended to December 21, 2020.   

This is all in the wake of the September 2020 White Paper issued by the U.S. government addressing how companies might be able to justify their continued transfer to the U.S. of personal data from Europe, in light of the Schrems II decision.  

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to highlight sanction risks that can be triggered after a ransomware payment to a malicious cyber actor.

The advisory discussed the effect that ransomware payments were having on US businesses and policy. It also outlined key insights as to how OFAC may look at a payment determined to have a nexus with a sanctioned actor, and what factors can mitigate sanction.

• A  payment either facilitated or made to a sanctioned actor, even if the nexus to the actor is determined afterwards, will be reviewed with a strict lability standard.
• A  risk based compliance program to evaluate the risk of sanction is key to avoiding and mitigating sanctions.
• Full reporting to law enforcement and cooperation at the time of the attack can significantly mitigate a sanction.
• OFAC can be contacted to assist in the determination of nexus to a sanctioned actor. 

This advisory was released at the same time and in conjunction with a updated release from FinCEN on the need for notice on ransomware payments. Both documents referenced that digital forensics and incident response (DFIR) firms and cyber insurance providers that facilitate ransomware payments may need to register with FinCEN and engage in reporting.   

Taken together, these advisory actions show that US regulators will be engaging in heightened scrutiny along the entire payment chain involved in a ransom.

This fall, the Student Privacy Policy Office (SPPO) of the U.S. Department of Education issued informal guidance for schools and families navigating student privacy. While some of that guidance is tied directly to the ongoing pandemic, other components are forward looking. SPPO’s pandemic-related guidance began in March with its “FERPA and the Coronavirus Disease 2019 (COVID-19),” which focused heavily on the bounds of the “health and safety emergency” exception under the Family Education Rights and Privacy Act (FERPA). This fall, Kevin Herms, the Director of the SPPO, published a blog post clarifying the SPPO’s March guidance. The blog post focuses on schools’ authority under FERPA to disclose aggregate statistics on outbreaks of COVID-19 on their campuses. Because those statistics are usually not linked (or linkable) to individually identifiable students, FERPA generally does not prevent their disclosure. SPPO also released two videos clarifying the complaint process under FERPA; the first describes common reasons for filing (and denying) complaints, while the second outlines the process for resolving complaints, including initiating informal mediation or formal investigations.

Finally, the SPPO published a new video looking forward to the education uses and privacy implications of blockchain technology. The video published this fall is part of the Department’s ongoing work on blockchain. This fall’s edition focuses on using blockchain to create a more efficient system for maintaining and sharing students’ credential history. Placing those credentials on a blockchain-based system may permit easier sharing of the credentials among schools, professional organizations, and employers, but blockchain’s open, decentralized, and immutable nature poses challenges to students’ privacy and data rights. The video poses, but does not answer, those questions.