Here is a summary of legislative and regulatory developments and challenges for the first quarter of 2021 and their practical implications:
Major State Privacy Legislation: California and Virginia have new and comprehensive privacy statutes on the books, although the effective date for both initiatives is delayed until January 1, 2023.
The California Privacy Rights and Enforcement Act (CPRA) expands upon the current California privacy statute, the California Consumer Privacy Act (CCPA), by regulating not only the buying and selling of consumer information, but also its “sharing.” This term, while appearing to be broad, actually is narrowly defined as targeted advertising based on the consumer’s personal information. The focus of California’s privacy protection measures was and continues to be on commercial use of consumers’ personal information for sales and marketing purposes.
The Virginia Consumer Data Protection Act (CDPA) takes a different approach to consumer privacy, following many of the concepts found in the European Union’s General Data Protection Regulation (GDPR), such as the use of the terms “controller” and “processor.” A “controller” is an entity that determines the purpose and means of processing personal data (such as an insurer or TPA), whereas a “processor” processes personal data on the controller’s behalf (such as MedRisk).
There are a number of thresholds and exemptions that will relieve MedRisk and many of its clients and trading partners from CDPA compliance obligations. For example, the law applies only to entities that control or process the personal data of at least 100,000 Virginia residents during a calendar year. Further, entities exempted from the law include those that are subject to the federal Gramm-Leach-Bliley Act (applying to financial institutions) or that are “covered entities” or “business associates” under HIPAA. Notably, the law does not create a private right of action but restricts its enforcement exclusively to the Attorney General of Virginia, who presumably will limit regulatory action to intentional violations.
Implications: Although neither the California CPRA nor the Virginia CDPA is likely to have much impact on the operations of MedRisk or its trading partners, a potential trend toward a patchwork of comprehensive and inconsistent state privacy laws is troubling. Most companies that operate nationally may be driven toward adopting a single, lowest-common-denominator set of privacy standards that satisfies whichever state law imposes the binding constraint, so that one compliance program covers every jurisdiction in which they operate.