For much of the year, privacy professionals have expressed concern that the California Consumer Privacy Act business-to-business and employee partial moratoria were scheduled to expire at the end of 2020. If these moratoria lapse, the scope of CCPA rights requirements would expand dramatically. For example, CCPA businesses would need to present CCPA “At Collection” privacy notices to employees and representatives of other business entities — something that U.S. businesses rarely, if ever, do today. 

On Aug. 31, 2020, the California Legislature passed Privacy Committee Chairman Ed Chau’s Assembly Bill 1281 to extend the moratoria one year until the end of 2021, in large part because of COVID-19 economic disruption in the state and because the shortened legislative session had not allowed time to develop a 21st-century employee privacy bill to adopt in place of the CCPA applying to employee data. 

The California Privacy Rights and Enforcement Act initiative, endorsed by former Democratic presidential candidate Andrew Yang, would extend these moratoria an additional year until the end of 2022 and appears very likely it will be approved in November. So why does the passage of AB 1281 matter operationally? It gives the many businesses subject to the CCPA certainty several months earlier that they do not need to translate the balance of CCPA requirements to their B2B and employee data operations. However, particularly as to employee data, CCPA businesses should develop plans for employee privacy protections and requirements to expand in the state by 2023, the same year that the California Privacy Rights Act would take effect.

Separately, the Legislature did not pass two broad contact-tracing privacy bills (AB 1782 and AB 660), as these would have restricted private sector use of contact tracing for COVID-19 prevention purposes, but did pass a genetic-testing privacy bill (Senate Bill 980) that would put in place robust privacy protections for non-Health Insurance Portability and Accountability Act-regulated genetic-testing data.

There are several other data/privacy bills, including AB 713, Assemblyman Kevin Mullen’s CCPA health data clarification bill to exempt HIPAA deidentified data from the CCPA, that have not been resolved this year. The end result of the legislative session is likely to fall substantially short of what privacy advocates and their retiring champion, Senate Judiciary Chair Hannah Beth Jackson, had hoped for. Because of COVID-19 economic and legislative disruption, California legislative leaders greatly scaled back the volume of non-COVID-19-germane legislation that was seriously considered. Meanwhile, the CCPA regulations going into effect immediately upon finalization and the likely prospect that the CPRA will be approved by California voters this November are already giving privacy professionals plenty to think about and work on.

And, of course, the Legislature will be back to work on further privacy proposals in six months.  

Photo by LYCS Architecture on Unsplash