Stay-at-home orders and business closures during the Coronavirus (COVID-19) pandemic have led to a sharp increase in online shopping. While e-commerce has helped businesses stay afloat during this challenging economic time, there has also been a spike in litigation alleging that certain websites are not accessible to individuals with disabilities. In an article for Bloomberg Law, Jeremy White, Matthew Cin and Brian Long review the legal landscape governing accessibility of websites – including specific rules that apply to the healthcare industry, and explore best practices for companies to mitigate their risk of facing a website accessibility lawsuit.
Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and definitions of “personal information, “sale” of data and other key items. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of their states.
As a practical matter, however, none of the proposed laws is identical to CCPA (nor to each other); some look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States and combines elements of CCPA and GDPR, adding specific protections for biometric information. Late last week, the Washington House added significant enforcement “teeth” by passing an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.
Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:
Trend #1 – Increased Push for a Private Right of Action
In Washington, pending legislation would extend the private right of action beyond alleged harm arising from data breaches to any violation of the proposed Washington Privacy Act. While prior versions of the legislation vested exclusive enforcement authority in the Washington Attorney General—with penalties up to $7,500 per violation—late last week, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. While it is unclear exactly how damages will ultimately be calculated, a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without a private right of action, companies would have little incentive to comply with the law because the Attorney General’s office lacks the resources to undertake many enforcement actions.
Recent bills propose legislation that closely tracks the CCPA’s private right of action for individuals who allege that they were harmed by data breaches caused by a business’ failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, provide consumers with private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to failure to implement reasonable data security procedures. Consumers may seek damages the greater of $100 – $750 per consumer, per incident or actual damages.
If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations affected by data breaches or failing to comply with sweeping new privacy obligations could rapidly become [...]
With the California Consumer Privacy Act of 2018 (CCPA) having taken effect on January 1, 2020, the privacy and data security landscape for insurance carriers, producers and insurtech (collectively, “insurers”) continues to grow more complex. A number of states have also recently passed laws regulating data security in the insurance industry, with the first transition period under a number of these laws set to end in 2020. Given the significant amount of sensitive personal information that insurers collect, process and retain, this trend of increased privacy and data security regulation within the insurance industry is likely to continue. To stay ahead of these new privacy and data security requirements, insurers need to take steps now to navigate the increasingly complex regulatory landscape.
How Does the CCPA Impact Insurers?
On January 1, 2020, California became the first state in the United States to enact comprehensive privacy legislation that governs the collection, use and sale of personal information of California residents (i.e., consumers) and households. Personal information is broadly defined as any information that identifies, relates to, describes is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. The CCPA applies to “businesses,” which are for-profit entities that determine the purposes and means of processing consumers’ personal information that do business in California and meet certain applicability thresholds.
Insurers operating in California that meet the CCPA applicability thresholds will be deemed “businesses” subject to a number of obligations under the CCPA, including disclosure obligations and requirements related to consumer privacy rights. While these obligations can be quite onerous, the vast majority of personal information that many personal line insurers collect, process and retain will likely fall under an exemption in the CCPA. The CCPA includes exemptions for:
Throughout the past year, the healthcare and life science industries experienced a proliferation of digital health innovation that challenged traditional notions of healthcare delivery and payment, as well as product research, development and commercialization, for long-standing and new stakeholders alike. Lawmakers and regulators made meaningful progress towards modernizing the existing legal framework to both protect patients and consumers and encourage continued innovation, but these efforts still lag behind the pace of digital health innovation. As a result, some obstacles, misalignment and ambiguity remain, and 2020 will likely be another year of significant legal and regulatory change.
The California Consumer Privacy Act (CCPA) has forced companies across the United States (and even globally) to seriously consider how they handle the personal information they collect from consumers. By its terms, however, the CCPA only protects the privacy interests of California residents; other “copy-cat” privacy laws proposed or enacted in other states similarly would only protect the rights of residents of each state. Given the burden on businesses imposed by the rapid proliferation of privacy and data protection laws, including data breach notification obligations, requirements for data transfer mechanisms imposed by international data protection laws (such as the EU General Data Protection Regulation (GDPR)), and the imposition of a variety of data subject rights, a comprehensive US federal privacy bill appears increasingly overdue.
In the past year, US legislators have proposed a wide variety of data privacy laws—none of which seems to have gained significant traction. In November 2019, two new proposals were released in the Senate: the Consumer Online Privacy Rights Act (COPRA), sponsored by Senate Democrats, and the United States Consumer Data Privacy Act of 2019 (CDPA), proposed by Senate Republicans. Both proposals require covered entities to:
The California Consumer Privacy Act (CCPA) is not yet one month old, but movement has already started on a new California privacy law. In November 2019, the advocacy group Californians for Consumer Privacy, led by Alastair Mactaggart, the architect of CCPA, submitted a proposed California ballot initiative to the Office of the California Attorney General that would build upon the consumer privacy protections and requirements established by CCPA. In December 2019, as required under state law, California Attorney General Xavier Becerra released a title for and summary of the proposed ballot initiative, which will be known as the California Privacy Rights Act (CPRA).
Key Provisions of the CPRA
CPRA seeks to give California consumers additional control over and protection of their personal information in five core ways.
On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households.
The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing.
This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. With the CCPA, companies now face potentially staggering damages in relation to a breach. To provide some context, a data breach affecting the personal information of 1,000 California consumers may result in statutory damages ranging from $100,000 to $750,000, and a data breach affecting the personal information of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the United States.
To mitigate the risk of this increased exposure, companies need to take key steps to ensure they have implemented reasonable security procedures and practices.
What Is Reasonable Security?
As businesses have scrambled to obtain compliance with the California Consumer Privacy Act (CCPA) in recent months, questions surrounding its constitutionality have arisen. As a broad, sometimes unclear state law that imposes significant obligations on businesses around the country, CCPA may be ripe for legal challenge. The strongest bases for such challenges appear to be: (1) that CCPA violates the “Dormant Commerce Clause”; and (2) that CCPA is impermissibly vague.
Dormant Commerce Clause
The burden that CCPA imposes on out-of-state economic activity may place it in violation of the Dormant Commerce Clause, a legal doctrine created out of the Commerce Clause of the US Constitution. The Commerce Clause allows the US Congress to regulate interstate commerce; from this grant of power, courts have inferred a limitation on the authority of states to regulate interstate commerce, a doctrine coined the Dormant Commerce Clause. On this basis, courts will strike down state laws that explicitly discriminate against out-of-state actors or that regulate activity that occurs entirely outside of the state. In addition, the Dormant Commerce Clause prohibits laws that do not explicitly discriminate against out-of-state economic interests if the effect of a law is to unduly burden interstate commerce. If a state law does unduly burden out-of-state interests, a court will typically balance the burdens imposed on interstate commerce against the benefits the law creates for the state to determine whether or not the law should be upheld.
Minimal Changes Expected to the Final Regulations
On October 10, 2019, the Attorney General issued his Proposed Text of Regulations, along with a Notice of Proposed Rulemaking Action and Initial Statement of Reasons. According to the Attorney General, the regulations will “benefit the welfare of California residents because they will facilitate the implementation of many components of the CCPA” and “provid[e] clear direction to businesses on how to inform consumers of their rights and how to handle their requests.” See Notice of Proposed Rulemaking, page 10.
The deadline to submit public comments on the proposed regulations was December 6, 2019. The Office of the Attorney General (OAG) reported receiving about 1,700 pages of written comments from almost 200 parties. Despite this, the Attorney General stated in a news briefing that he does not expect the final regulations to include significant changes.
The proposed regulations should give everyone a sense of how the Attorney General will interpret the CCPA. The Attorney General is required to issue final regulations and a final Statement of Reasons at some point before July 1, 2020, which is the first day that the Attorney General can enforce the law.
Investing in Enforcement
California has invested in enforcement resources. The Attorney General stated that the CCPA will cost the state about $4.7 million for FY 2019-2020, and $4.5 million for FYI 2020-2021, which reflects the cost of hiring an additional 23 full-time positions and expert consultants to enforce and defend the CCPA. See Notice of Proposed Rulemaking, page 10. Despite this additional funding, the OAG is still an agency with limited resources. Many expect that the OAG will only be able to pursue a limited number of CCPA enforcement actions, particularly if it takes large on and well-funded companies.
US Office of Management and Budget Calls for Federal Agencies to Reduce Barriers to Artificial Intelligence
On January 7, 2020, the Director of the US Office of Management and Budget (OMB) issued a Draft Memorandum (the Memorandum) to all federal “implementing agencies” regarding the development of regulatory and non-regulatory approaches to reducing barriers to the development and adoption of artificial intelligence (AI) technologies. Implementing agencies are agencies that conduct foundational research, develop and deploy AI technologies, provide educational grants, and regulate and provide guidance for applications of AI technologies, as determined by the co-chairs of the National Science and Technology Council (NSTC) Select Committee. To our knowledge, the NTSC has not yet determined which agencies are “implementing agencies” for purposes of the Memorandum.
Submission of Agency Plan to OMB
The “implementing agencies” have 180 days to submit to OMB their plans for addressing the Memorandum.
An agency’s plan must: (1) identify any statutory authorities specifically governing the agency’s regulation of AI applications as well as collections of AI-related information from regulated entities; and (2) report on the outcomes of stakeholder engagements that identify existing regulatory barriers to AI applications and high-priority AI applications that are within the agency’s regulatory authorities. OMB also requests but does not require agencies to list and describe any planned or considered regulatory actions on AI.
Principles for the Stewardship of AI Applications
The Memorandum outlines the following as principles and considerations that agencies should address in determining regulatory or non-regulatory approaches to AI:
- Public trust in AI. Regulatory and non-regulatory approaches to AI need to be reliable, robust and trustworthy.
- Public participation. The public should have the opportunity to take part in the rule-making process.
- Scientific integrity and information quality. The government should use scientific and technical information and processes when developing a stance on AI.
- Risk assessment and management.A risk assessment should be conducted before determining regulatory and non-regulatory approaches.
- Benefits and costs. Agencies need to consider the societal costs and benefits related to developing and using AI applications.
- Flexibility. Agency approaches to AI should be flexible and performance-based.
- Fairness and nondiscrimination. Fairness and nondiscrimination in outcomes needs to be considered in both regulatory and non-regulatory approaches.
- Disclosure and transparency. Agencies should be transparent. Transparency can serve to improve public trust in AI.
- Safety and security. Agencies should guarantee confidentiality, integrity and availability of data use by AI by ensuring that the proper controls are in place.
- Interagency coordination. Agencies need to work together to ensure consistency and predictability of AI-related policies.