Recently, California passed the California Consumer Privacy Act of 2018.
After only one week of review and revisions, the legislature introduced a sweeping privacy law that will be the strictest of its kind in the United States. The timeline was compressed because the legislature was working to prevent a bill from appearing on the November ballot that would have potentially placed greater restrictions on the use of personal data for commercial operations. The bill was signed just in time to allow the initiative to be withdrawn from the ballot.
Who is affected by the California Consumer Privacy Act
The California Consumer Privacy Act doesn’t go into effect until January 1, 2020, and there will likely be additional guidance and potential revisions made before it is in effect – but employers should take notice. The law applies to for-profit businesses that do business in California (or affiliated businesses that do not do business in California) that meet one or more of the following criteria:
The right to be removed
The California legislation is not unlike the European Union’s General Data Protection Regulation in some ways. It contains rules requiring businesses that collect or sell personal data to provide information on the types of data collected and/or sold, the sources of that data, who the data will be disclosed to, and how it will be used. It also restricts the use of that data for new purposes unless the companies using it notify the individuals of the updated use.
Additional requirements include the ‘right to be removed,’ which allows individuals to request that their personal data be deleted. There are exceptions to this rule, such as allowing companies to maintain records needed for transaction purposes or to comply with other laws and legal obligations. But these exceptions don’t guarantee the individuals will understand the reasoning.
There are other restrictions within the regulations, such as individual opt-out rights and a prohibition on businesses refusing to serve individuals who exercise their privacy rights.
There are several key exceptions to this rule. These include one specifically geared toward health information collected by a covered entity or governed by the privacy, security, and breach notification rules issued under HIPAA.
So, what does all this mean for employer plans?
While many employers may not meet the criteria for covered businesses under the California regulation, many will, and those employers will need to take notice. It is likely that additional guidance or revisions will be released prior to the law’s effective date. But, until such guidance is received, employers should evaluate their positions based on the current legislation.
It remains to be seen how many people will seek to exercise their upcoming additional rights regarding data privacy and their right to be forgotten. But employers should evaluate their current processes to ensure that they will comply with the new requirements, and where needed, develop additional steps to review and appropriately address data privacy inquiries.
Unsure about your next steps? We can help you navigate your compliance questions.