Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy Please, a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.

  • The California AG Releases Fourth Set of Proposed Modified CCPA Regulations. On December 10, 2020, the California attorney general released a fourth set of proposed modifications to the implementing regulations of the California Consumer Privacy Act (CCPA). If adopted, the proposed modifications would (1) require businesses that sell personal information collected offline to inform consumers (by an offline method) of their right to opt out and how to submit an opt-out request, and (2) revive the option for a business to use an opt-out button for online opt outs, in addition to posting a notice of right to opt out and the “Do Not Sell My Personal Information” link. As the CCPA and its implementing regulations continue to change — most recently with the passage of the California Privacy Rights Act of 2020 — businesses should continue to monitor developments relating to the CCPA, including any additional modifications to the regulations and guidance from the California attorney general. For more information about the latest proposed CCPA regulations, please see Troutman Pepper article, “California AG Releases Fourth Set of Proposed Modifications to CCPA Regulations.”

  • New CCPA Requirements Under AB-713 Take Effect January 1, 2021. In September 2020, AB-713 amended the CCPA to better align with de-identification standards under the federal Health Insurance Portability Act of 1996 (HIPAA). Importantly, beginning January 1, 2021, AB-713 requires any contract for the sale or license of de-identified information, where one of the parties is a person residing or doing business in California, to include (1) a statement that the de-identified information being sold or licensed includes de-identified patient information, (2) a statement that re-identification, and attempted re-identification, of the de-identified information by the purchaser or licensee of the information is prohibited, and (3) a requirement that, unless otherwise required by law, the purchaser or licensee of the de-identified information may not further disclose the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions. For more information related to AB-713, please see Troutman Pepper articles, “CCPA Amendment Further Harmonizes with HIPAA and Provides Additional Exemptions” and “AB-713 CCPA Requirements Take Effect January 1, 2021 for Use of De-identified Health Data Sets.”

  • HHS Proposes Modifications to the HIPAA Privacy Rule. On December 10, 2020, the U.S. Department of Health and Human Services (HHS) announced proposed changes to the HIPAA Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. Key modifications contained in the Notice of Proposed Rulemaking include shortening covered entities’ time to provide individuals with access to their PHI to no later than 15 calendar days following the request, reducing the identity burden on individuals exercising their right to access, building out capabilities of EHR systems, creating exceptions to the “minimum necessary” standard for individual level of care coordination and case management uses and disclosures, and eliminating the requirement to obtain an individual’s written acknowledgement of receipt of a direct treatment provider’s Notice of Privacy Practices. Public comments on the proposed modifications are due 60 days after publication of the Notice of Proposed Rulemaking in the Federal Register.

  • Internet of Things Cybersecurity Act of 2020 Signed into Law. On December 4, 2020, President Trump signed the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Act) into law. The Act empowers the National Institute of Standards and Technology (NIST) to create cybersecurity standards for internet-connected devices purchased and used by federal agencies. In particular, the Act provides that the cybersecurity standards must include minimum security requirements for managing cybersecurity risks for IoT devices and should take into account secure development, identity management, patching, and configuration management. The standards ultimately developed by NIST under this law will be of particular interest to manufacturers of IoT devices. Government contractors providing IoT devices will be judged on compliance, with such standards effective two years after enactment.

  • Annual Updates to Privacy Policies for CCPA-Regulated Businesses are Due. As a reminder, the CCPA requires covered businesses to update their privacy policies annually. For those organizations that updated privacy policies to coincide with the CCPA’s January 1, 2020 effective date, an updated privacy policy is now due. As we turn our attention from holiday cheer toward 2021 resolutions, businesses would be well-served by updating their privacy policies since an outdated policy is a public — and obvious — indication of noncompliance with the CCPA.