July 19, 2019

Follow the Leader: California Paves the Way for other States to Strengthen Privacy Protections

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship. Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018 to strengthen its privacy laws. In many regards, the CCPA served as a watershed moment in privacy due to its breadth and its similarities to the E.U.'s sweeping General Data Protection Regulation (GDPR).

Yet, California continues to push the envelope further. Recently, California State Senator Jackson and Attorney General (AG) Becerra introduced a new bill (SB561) that will expand the consumer’s right to bring private lawsuits for violations of the CCPA. If passed, SB561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day period for businesses to cure after receiving notice of an alleged violation; and (3) allow the AG to publish guidance materials for businesses instead of allowing businesses the option to seek specific opinions of the AG. Currently, the CCPA allows the AG's office to bring action against businesses, in most instances allowing consumers to bring private action only in instances of a data breach resulting from a business’s failure to implement reasonable security measures. If SB561 is passed, the CCPA will materially expose businesses to private actions for damages applicable to other violations under the CCPA, including failure to provide consumers with proper notifications required under the CCPA.

These developments are just the tip of the iceberg. Emboldened by California’s example, many other states are following suit. As such, businesses that implement an effective CCPA compliance program will likely be positioned to satisfy potential compliance obligations in other states moving forward. For example, Colorado recently passed a sweeping law to protect patient privacy (HB18-1128), which went into effect September 1, 2018. Colorado now requires covered entities (e.g., business entities that maintain, own, or license personal identifying information (PII) in the course of their business) to implement, and ensure that third-party service providers implement, reasonable security procedures and practices. Additionally, the law requires covered entities to develop written policies and procedures concerning the destruction of paper and electronic documents that contain PII. Further, the law authorizes the AG to bring criminal prosecution against covered entities that violate the new rules.

Other states, including Hawaii, Maryland, Massachusetts, New Mexico, New York, North Dakota, Rhode Island, and Washington, are also using the CCPA and the GDPR as templates to perform similar overhauls of their privacy laws. As a result of this state law trend, businesses should closely monitor the legislative progress of these state bills. Further, if businesses have not yet started shoring up their privacy and data security practices and programs, they had better do so in short order. It is likely that many of these state laws, if passed, will carry stiff penalties for noncompliance and may subject businesses to class actions.

In addition to these piecemeal state law efforts to strengthen privacy, the U.S. Chamber of Commerce is currently exploring whether a Federal consumer privacy protection law should be enacted.  It appears that the privacy tidal wave starting on California’s west coast is making its way eastward . . . .

©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Daniel Kim, Epstein Becker Law Firm, Washington DC, Healthcare law
Associate

DANIEL KIM is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. He will be focusing his practice on FDA marketing approval of medical devices and pharmaceuticals, reimbursement and compliance matters affecting health care medical device manufacturers, telehealth and telemedicine, HIPAA privacy and security, regulatory health care due diligence, and compliance issues.

Mr. Kim received his J.D., cum laude, from American University Washington College of Law....

202-861-1829

Alaap Shah Attorney Healthcare Life Sciences
Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling of health care entities on legal and regulatory compliance issues. He has extensive experience with legal issues related to health information technology, HIPAA, HITECH, anti-kickback laws, the False Claims Act, breach of contract issues, business torts, and a variety of unfair competition laws. He has established compliance programs, conducted privacy and security risk assessments, established trust networks, responded to data breaches, and managed e-discovery issues.

Mr. Shah is a Certified CSF Practitioner, a designation given by the Health Information Trust Alliance (HITRUST), an organization that provides training to develop and maintain effective security programs for health care and life sciences companies that comply with security laws, regulations, and standards, including HITECH, HIPAA, PCI, JCAHO, CMS, ISO, NIST, and various other federal, state, and business requirements. He is also recognized by the Healthcare Information and Management Systems Society (HIMSS) as a Certified Professional in Healthcare Information and Management Systems (CPHIMS).  Mr. Shah is also recognized by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in the United States.

Mr. Shah began his legal career at Epstein Becker Green. Before rejoining the firm in October 2017, he served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society where he strengthened enterprise-wide privacy and security, helped establish a big data initiative focused on improving quality of care by harnessing cancer patient medical information, and built data sharing trust networks among the oncology community.

During law school, Mr. Shah worked with the U.S. Department of Health and Human Services (DHHS), Office of General Counsel, where he provided legal counsel and support to all agencies and programs under the Public Health Division of DHHS. Prior to law school, Mr. Shah worked as a research technician at a cancer treatment and research institution in New York City, where he helped manage a laboratory and conducted cancer immunology research, and his contributions led to the publication of 13 journal articles.

202-861-5320