The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.

At the very least, CCPA-regulated entities that use tracking technology (or something similar) and supply that information to public health authorities may need to provide a supplemental disclosure and require additional consent to share that data with public health authorities or other uses. This may trigger the individual’s right to request deletion, which in turn raises the question of whether public safety concerns override an individual’s privacy right. An additional layer of uncertainty is also sure to arise—the protocols for complying with the CCPA when a customer’s interaction is not via an online transaction, but rather instead merely being present in a store or other location. In other words, privacy in a post-coronavirus world will include heavy emphasis on location (and proximity) data. The CCPA includes location data provisions, but its drafters probably did not contemplate the privacy concerns arising out of the use of such data by governmental entities to combat a global pandemic.

This post COVID-19 reality we are steadily approaching highlights (again) another and arguably more fundamental problem—the absence of a national federal law that sets the universal standard under which data privacy is protected. There is no question that the CCPA is a broad sweeping law. But it is a California law. Although privacy legislation exists in other states, those statutes vary in subject matter and reach. For instance, some states’ laws generally incorporate data privacy into existing legislation, while others chose to tackle some subjects (such as biometric data) specifically and directly. Other states specifically limit law enforcement use of location information (a limit that may or may not apply to public health authorities). Some states provide a private right of action while others leave enforcement solely to the attorney general. States such as New York and Wisconsin are just beginning to consider privacy legislation precisely because there is no federal standard. The result is a patchwork of laws with inconsistency woven throughout. This inconsistency gives rise to uncertainty as businesses seek to emerge from the shutdown and resume their activities.

The lack of a federal standard has not gone unnoticed. Numerous bills on this topic have been introduced in Congress over the years. But none has resulted in legislation. What’s more, the proposals do not establish a universal federal standard. For instance, the Data Protection Act (“DPA”) is a proposed bill that would create the Data Protection Agency. The DPA was introduced in the United States Senate in February 2020—before the phrase “social distancing” was commonplace in our vocabulary. But the DPA does not create a federal privacy law. It merely establishes an agency that would oversee enforcement of certain enumerated federal statutes that are already on the books.  State laws are preempted unless the state statute provides greater protection. This approach underscores that the DPA will not harmonize the various states laws..

The need for a uniform standard in data protection has never been greater given the impetus to implement tracking to stem the spread of the virus and, ideally, enable the health and the economy of the United States to recover. Perhaps the anticipated reality that finally awaits our society in a post-coronavirus world will include the federal legislation that has been lacking these many years, lest individual privacy become a collateral coronavirus casualty.

For more information regarding this article, please contact Rosa Tumialán and Heather Kramer.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.