September 2020 Update
COVID-19 Guidance. The U.S. Department of Health and Human Services (HHS) has issued guidance and notices of enforcement discretion concerning the use and disclosure of protected health information during the COVID-19 pandemic. These are available at https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html. See §7.13A.
California Developments. The U.S. District Court for the Northern District of California’s 2018 injunction preventing the State of California from enforcing CC §1798.83.5’s prohibition on commercial online entertainment service providers’ sharing of information about an individual’s age was affirmed by the Ninth Circuit, which held the statute facially unconstitutional as a content-based restriction on speech. IMDb.com Inc. v Becerra (9th Cir 2020) 962 F3d 1111, 1127, 1128. See §4.12.
On June 10, 2020, the California Supreme Court granted review of Facebook, Inc. v Superior Court (Hunter) (review granted June 10, 2020, S260846; superseded opinion at 46 CA5th 109). In Hunter, the court of appeal ruled that following the supreme court’s decision in Facebook, Inc. v Superior Court (Hunter) (2018) 4 C5th 1245 remanding the case to the trial court, the trial court’s denial of motions to quash based on the Stored Communications Act (SCA) was an abuse of discretion. But in a related case, the supreme court expressly stated that its prior rulings had not determined Facebook was subject to the SCA. Facebook, Inc. v Superior Court (Aug. 13, 2020, S245203) 2020 Cal Lexis 5354. See §4.45.
The California Supreme Court held that despite Pen C §530.5’s colloquial description as “identity theft,” for purposes of reclassification under Pen C §459.5, an offense under Pen C §530.5 is not a theft offense. People v Jimenez (2020) 9 C5th 53. See §10.37.
The California Consumer Privacy Act of 2018 (CCPA) requires the Attorney General to adopt regulations by July 1, 2020, on a series of issues. The final regulations were submitted to the Office of Administrative Law for approval on June 1, 2020. The Attorney General also filed a request for expedited review. It is unclear at this time whether the regulations will be effective in July or not until October 1, 2020. See §10A.73.
Alastair Mactaggart, the driving force behind the CCPA, filed a new initiative, the California Privacy Rights Act of 2020 (CPRA). If the requisite number of signatures are verified, the initiative will appear on the November 2020 ballot. See §10A.1.
TCPA Developments. The Telephone Consumer Protection Act (TCPA) (47 USC §227) has been amended by the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (Pallone-Thune TRACED Act) (Pub L 116–105, 133 Stat 3274), enacted on December 31, 2019, which amends existing laws concerning robocalls. The U.S. Supreme Court held the TCPA as amended to be unconstitutional on First Amendment grounds, but severed the amendment in question and held the TCPA without the offending provision to be constitutional. Barr v American Ass’n of Political Consultants, Inc. (2020) ___ US ___, 140 S Ct 2335. See §4.51.
A TCPA class action case based on numbers obtained via skip tracing resulted in a judgment in excess of $250 million against a debt collector. McMillion v Rash Curtis & Assocs. (ND Cal, Apr. 18, 2017, No. 4:16-cv-03396–YGR) 2017 US Dist Lexis 59246 (final judgment entered Sept. 9, 2019; see https://docs.justia.com/cases/federal/district-courts/california/candce/4:2016cv03396/299946/370). See §5.58.
International Developments. On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the July 12, 2016, adequacy decision on the EU-U.S. Privacy Shield. Data Protection Comm’r v Facebook Ireland & Maximillian Schrems (July 15, 2020) CJEU Case C–311/18 (Schrems II). See §§9.83A, 9.87.
In India, the Personal Data Protection Bill, 2019 (PDP Bill) was introduced in the Parliament on December 11, 2019. The PDP Bill would regulate the processing of personal data in India and by Indian entities. It would also apply to processing of personal data by data fiduciaries or processors not present in Indian territory, if the processing is in connection with any business carried on in India, or the offering of goods or services to data subjects within Indian territory, or any activity that involves profiling of data subjects within Indian territory. See §9.157.