Understanding the New CPRA Draft Regulations & the ADPPA

As of August 2022, the CPRA employee and B2B exemptions are due to expire on January 1, 2023, as the CPRA enters into effect.

There are currently two bills making their way through the California Legislature that aim to extend this exemption. Assembly Bill (AB) 2871 was introduced on February 18, 2022, and seeks to extend the employee and B2B exemptions indefinitely. While AB 2891, also introduced on February 18, 2022, seeks to extend the exemption until January 1, 2026.

Both bills are still active in the legislature and no concrete decisions have been on either. Therefore, covered organizations should continue to develop their CPRA compliance programs with employee data in scope come January 1, 2023.

For organizations that fall under the scope of the General Data Protection Regulation (GDPR) and the ADPPA, there are several areas where the two laws overlap. Despite using language more akin to that found under other US privacy laws such as the CCPA, several concepts found under the ADPPA are comparable to those found under the GDPR. For example, the definition of a data controller under the GDPR is similar to that of a covered entity under the ADPPA. The same applies to the notion of data processors and service providers.

In regard to some key provisions of the ADPPA, Section 103 extensively highlights Privacy by Design (PbD) requirements for covered entities, stating: “covered entit[ies] and a service provider[s] shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, and transferring of covered data and that […] mitigate privacy risks, including substantial privacy risks, related to the products and services of the covered entity or the service provider, including in the design, development, and implementation of such products and services, taking into account the role of the covered entity or service provider and the information available to it.”
Much like the GDPR, the ADPPA introduces several principles for data processing. This includes data minimization, which when compared to the same principle under the GDPR bares many similarities.

GDPR
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

ADPPA
A covered entity may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate

The GDPR and the ADPPA also have similar scopes including a carve out for sensitive personal information and similar requirements for key compliance areas such as privacy risk assessments, privacy notices, and individual rights, among other things.

The ADPPA’s Section 2(8)(B) explicitly states that covered data does not include employee data, among other things.
The ADPPA goes on to define employee data in Section 2(8)(C) to ensure organizations have a clear picture of what falls under this term. The definition of employee data is extensive, however, the below is a summary of what falls under the definition.

Employee data under the ADPPA includes:
• Information relating to a job applicant collected by a prospective employer during the application or hiring process
• Information processed by an employer relating to the professional activities of the employee
• Contact information of an employee, including:
   o name, position, or title
   o business telephone number
   o business address
   o business email address
• Emergency contact information is collected by an employer for the purpose of having a contact on file for the employee in case of an emergency
• Information relating to an employee, spouse, or other covered family members for the purpose of administering employment benefits to which the employee is entitled based on their position

The ADPPA sets out requirements for the retention and disposal of personal data, requiring organizations to delete personal data when it is no longer needed for the purposes it was originally collected unless the organization has obtained the consent of the individual to retain the information.

The ADPPA states that disposal of personal data includes destroying, permanently erasing, or modifying data to make it permanently unreadable or indecipherable, and unrecoverable.

There are also specific requirements for service providers which must develop processes for deleting or returning data to a covered entity as requested. Retention of such data is permitted when the service provider is required by law to do so.

Title IV of the draft ADPPA approaches the subject of sectoral exemptions such as where organizations are required to comply with the Gramm-Leach-Bliley Act (GLBA), sections of the Health Insurance Portability and Accountability Act (HIPAA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

In terms of interpreting these exemptions, the ADPPA makes it clear that organizations that are in compliance with GLBA and HITECH will be deemed to be compliant with the ADPPA.

The issue of pre-emption of state law has become central to many of the debates relating to the ADPPA. The current draft of the ADPPA states that the requirements of state privacy laws will be pre-empted by the ADPPA. Other state-level laws in areas such as facial recognition, employee rights, or cybercrime will not be pre-empted by the ADPPA nor will the requirements of the Children's Online Privacy Protection Act (COPPA).

Several of the concerns being raised surrounding pre-emption relate to the ADPPA weakening individuals’ protections, especially in California where the ADPPA would undercut the strong protections outlined by the CPRA as well as disbanding the recently formed California Privacy Protection Agency (CPPA).

Other objections to the ADPPA’s pre-emption provisions have come from U.S. Congresswoman Anna G. Eshoo who stated that the ADPPA could threaten the right to access, deletion, and opt-out of sale in California. Furthermore, the California Attorney General led a coalition of Attorneys General in a letter to the U.S. Congress urging it to establish a baseline of consumer privacy laws that do not pre-empt US States from responding with legislation intended to address changing technologies.
With the volume of objections being raised in the area of pre-emption, it looks like this could become a stumbling block for the ADPPA which could see such provisions being amended in order for it to pass.

The fastest possible route for the ADPPA to be signed into law would involve the House passing the bill in September with the Senate following suit soon after. Following that, the bill states that it will enter into effect 180 days after its passing, making March 2023 the earliest possible effective date.

However, at this moment there are no concrete dates in place for the House discussion on the bill and with mid-terms looming, any delays in the discussion could result in a significant push back to a potential effective date.

In the event that the ADPPA does not pass, the bill would still represent the furthest a federal privacy bill has come to being signed into law which is a positive landmark for those supporting a national framework.

It is also important to remember that the state-by-state privacy landscape is becoming stronger and this trend is likely to continue. Five new laws will enter into effect in 2023 and many other states will likely re-kindle attempts at passing their own comprehensive privacy laws as the 2023 legislative sessions begin and an agreement-in-principle still remains over an updated EU-US framework for Transatlantic data transfers which would re-establish a legal mechanism for transfers of EU personal data to the US.