On May 14, California Secretary of State Alex Padilla announced that the California Privacy Rights Act of 2020 (the “CPRA”) had obtained sufficient raw signatures to qualify for the November 3, 2020 ballot.  Those signatures are currently being verified by the counties in which they were obtained.  However, based on a complaint filed June 8 by Alastair Mactaggart and other members of Californians for Consumer Privacy—the proponents of the CPRA—it appears that the verification process may not be completed in time for the CPRA to appear on the ballot this Fall.

The lawsuit, Alastair Mactaggart, et al. v. Padilla, filed in Sacramento County Superior Court, alleges that Secretary of State Padilla failed to adhere to a provision of the California Elections Code requiring his office to “immediately” notify county officials to begin the verification process upon receipt of a sufficient number of raw signatures.  Here is a brief timeline of the events alleged in the Complaint:

On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.

Two weeks ago we wrote about proposed legislation, The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”), introduced by a group of senior Republican senators, which was designed to address privacy issues arising in the wake of the COVID-19 pandemic.  In response, senior Democratic members of the Senate and House of Representatives introduced their own framework for protecting the privacy of individuals in light of the development of tools for tracking and containing the spread of the virus.

The Public Health Emergency Privacy Act

Senators Richard Blumenthal (D-CT) (Ranking Member of the Senate Commerce Committee’s Manufacturing, Trade and Consumer Protection Subcommittee) and Mark Warner (D-VA) (Vice Chairman of the Senate Intelligence Committee) lead a bicameral group of 10 lawmakers on a Democratic version of federal consumer privacy legislation as it relates to the coronavirus pandemic.  The Public Health Emergency Privacy Act (the “PHEPA”), introduced on May 14, seeks to give individuals protection and control over their covered health data by adopting an express affirmative consent regime, along with enumerated requirements for businesses. For a helpful summary of the key similarities and differences between the PHEPA and the CCDPA, please see the Chamber Technology Engagement Center’s (C_TEC) COVID-19 Privacy Bill Comparison Chart.

Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered healthcare providers that the HIPAA Privacy Rule remains in force during the COVID-19 public health crisis except as expressly relaxed under OCR’s prior guidance. Specifically, OCR’s most recent guidance addresses the disclosure of patient protected health information (PHI) to the media by allowing the media to film patients in facilities where PHI is accessible.

On March 11th, 2020, Virginia Governor Northam signed the Insurance Data Security Act (the “Act”) — HB 1334 — imposing requirements on all entities regulated by the Virginia Bureau of Insurance (“BOI” or the “Bureau”) to:

• maintain an information security program,
• investigate all cybersecurity events,
• notify the Commissioner of Insurance of cybersecurity events, and
• notify consumers affected by cybersecurity events.