The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.

At the very least, CCPA-regulated entities that use tracking technology (or something similar) and supply that information to public health authorities may need to provide a supplemental disclosure and require additional consent to share that data with public health authorities or other uses. This may trigger the individual’s right to request deletion, which in turn raises the question of whether public safety concerns override an individual’s privacy right. An additional layer of uncertainty is also sure to arise—the protocols for complying with the CCPA when a customer’s interaction is not via an online transaction, but rather instead merely being present in a store or other location. In other words, privacy in a post-coronavirus world will include heavy emphasis on location (and proximity) data. The CCPA includes location data provisions, but its drafters probably did not contemplate the privacy concerns arising out of the use of such data by governmental entities to combat a global pandemic.

This post COVID-19 reality we are steadily approaching highlights (again) another and arguably more fundamental problem—the absence of a national federal law that sets the universal standard under which data privacy is protected. There is no question that the CCPA is a broad sweeping law. But it is a California law. Although privacy legislation exists in other states, those statutes vary in subject matter and reach. For instance, some states’ laws generally incorporate data privacy into existing legislation, while others chose to tackle some subjects (such as biometric data) specifically and directly. Other states specifically limit law enforcement use of location information (a limit that may or may not apply to public health authorities). Some states provide a private right of action while others leave enforcement solely to the attorney general. States such as New York and Wisconsin are just beginning to consider privacy legislation precisely because there is no federal standard. The result is a patchwork of laws with inconsistency woven throughout. This inconsistency gives rise to uncertainty as businesses seek to emerge from the shutdown and resume their activities.

The lack of a federal standard has not gone unnoticed. Numerous bills on this topic have been introduced in Congress over the years. But none has resulted in legislation. What’s more, the proposals do not establish a universal federal standard. For instance, the Data Protection Act (“DPA”) is a proposed bill that would create the Data Protection Agency. The DPA was introduced in the United States Senate in February 2020—before the phrase “social distancing” was commonplace in our vocabulary. But the DPA does not create a federal privacy law. It merely establishes an agency that would oversee enforcement of certain enumerated federal statutes that are already on the books.  State laws are preempted unless the state statute provides greater protection. This approach underscores that the DPA will not harmonize the various states laws..

The need for a uniform standard in data protection has never been greater given the impetus to implement tracking to stem the spread of the virus and, ideally, enable the health and the economy of the United States to recover. Perhaps the anticipated reality that finally awaits our society in a post-coronavirus world will include the federal legislation that has been lacking these many years, lest individual privacy become a collateral coronavirus casualty.

For more information regarding this article, please contact Rosa Tumialán and Heather Kramer.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.

Print:
EmailTweetLikeLinkedIn
Photo of Rosa M. Tumialán Rosa M. Tumialán

Rosa M. Tumialán, a Member in the Firm’s Chicago office, is a litigator who complements her practice with extensive judicial experience gained from clerkships in both the Illinois Appellate Court and the Chancery Division of the Circuit Court of Cook County. Ms. Tumialán…

Rosa M. Tumialán, a Member in the Firm’s Chicago office, is a litigator who complements her practice with extensive judicial experience gained from clerkships in both the Illinois Appellate Court and the Chancery Division of the Circuit Court of Cook County. Ms. Tumialán is a member of the Firm’s Diversity Committee and Financial Review Committee.

Ms. Tumialán focuses her practice on complex commercial disputes, including class action defense and insurance coverage litigation, in both state and federal courts. Ms. Tumialán’s experience in representing clients in what is often a “bet the company” TCPA litigation has made her a lead defense attorney in this area as well as in litigation arising under other consumer privacy statutes such as the Illinois Biometric Privacy Act (“BIPA”). Ms. Tumialán is lauded for her ability to develop and employ unique and aggressive strategies for her clients in these evolving areas. Ms. Tumialán is routinely sought out by companies seeking TCPA and BIPA compliance analysis or those who face TCPA and BIPA liability. She also advises insurers on TCPA exposure and presently serves as national coordinating counsel for insurance clients who rely on her to develop and implement strategies nationwide, which includes daily monitoring of case law developments. She is often asked to opine on BIPA matters and represent clients named in BIPA class actions. Ms. Tumialán has also spoken on this statute which is becoming the latest darling of the plaintiff class action bar.

Photo of Heather L. Kramer Heather L. Kramer

Heather L. Kramer’s trial and litigation experience has been diverse and extensive. Throughout her career, she has represented businesses and individuals in disputes arising from fraud, breach of contract, privacy and consumer statutory violations (i.e., FDCPA, TCPA, BIPA, etc.), personal injury, premises liability…

Heather L. Kramer’s trial and litigation experience has been diverse and extensive. Throughout her career, she has represented businesses and individuals in disputes arising from fraud, breach of contract, privacy and consumer statutory violations (i.e., FDCPA, TCPA, BIPA, etc.), personal injury, premises liability, theft of trade secrets, trademark infringement, fraudulent conveyances, copyright infringement, breaches of fiduciary duty, and product liability. One significant area of Ms. Kramer’s practice is handling complex individual and class action litigation in the area of privacy and consumer financial services and fair debt collection practices. She has also defended individuals and businesses, directly or through retention by an insurance carrier, in a variety of personal injury litigation. She has tried cases before both juries and judges involving fraud, trademark infringement, covenants not to compete, and breaches of all types of commercial contracts. In addition to her trial experience, Ms. Kramer has successfully resolved matters through settlement or during the summary judgment or motion to dismiss stages.