As discussed in our recent alert, those overseeing retirement plans recently received a welcome reprieve in the form of more time to adopt certain interim plan amendments; however, the news is not all good. Those same individuals overseeing retirement plans – and benefit plans more broadly – may be receiving a less welcome invitation to participate in their organization’s 2023 privacy preparedness planning…
In 2018, California passed the California Consumer Privacy Act (“CCPA”). It was the first comprehensive state consumer data privacy law in the country. Since the CCPA has been in effect, starting in January 2020, California employees have been exempt from the protections afforded to consumers, known as “data subject rights,” but they still have a right to notice at the time of collection of their data and have a right to sue employers who experience a data breach for damages arising from the breach.
After passage of the CCPA, California voters approved a ballot initiative in November of 2020 that amends the CCPA. The amendment is known as the California Privacy Rights Act (“CPRA”) and is effective on January 1, 2023. Virginia, Colorado, Connecticut and Utah have also passed new consumer privacy laws that go into effect at various dates throughout 2023. However, of these pending state consumer data privacy acts, only the CPRA provides data subject rights to California employees, which means they have rights over their personal data.
While there are bills pending in California that would extend the CCPA’s employee exemption until 2026, August 31, 2022 was the last day of the 2022 legislative session, so the deadline for any bill to be passed in 2022 has already passed. If nothing changes before the end of the year, employers that meet the threshold requirements to be subject to the CPRA may have a host of compliance requirements.
Specifically, employers and benefit plans will need to amend their benefit plan contracts with service providers to come into compliance starting January 1, 2023, to meet the data privacy and security provisions under the CPRA. In particular, those agreements must specify:
- that personal information is disclosed only for limited and specified purposes,
- that the service provider must comply with CPRA and provide the same level of privacy protection as required under the CPRA,
- the employer’s right to take reasonable and appropriate steps to ensure that the service provider uses the personal information as required under the agreement,
- that the service provider will notify the employer if it can no longer meet the requirements under CPRA,
- the employer’s right, upon notice, to take steps to stop and remediate unauthorized use of personal information, and
- that subcontractors engaged by the service provider will be subject to the same obligations.
Note that most of the state laws have a carveout for some elements of personal health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA). The basic premise of this approach is that HIPAA already establishes standards governing how PHI may be used and disclosed, and also sets standards for the protection of such information. To this end, the CPRA exempts PHI, as that term is defined by HIPAA (and HITECH), from regulation under the CPRA to the extent the PHI is collected by a covered entity or business associate that is governed by HIPAA. A covered entity under HIPAA will still need to comply with the CCPA/CPRA to the extent it collects personal data that is not subject to regulation by HIPAA.
For example, this carveout will apply to certain elements of group health plan arrangements, but it does not cover all information that may be disclosed to employer-sponsored benefit plan vendors. While employer-sponsored benefit plans generally are insulated from state law regulation under ERISA’s broad preemption, that preemption is limited to the extent the state’s law “relates to” employee benefit plans.
The CPRA has yet to be challenged on grounds of preemption, and the success of such a claim is attenuated by the fact that the CPRA, on its face, does not purport to “relate to” or regulate benefit plans; rather, the CPRA has a much broader reach across organizations with access to consumer and employee data. Historically, California has fought against ERISA preemption in similar statewide efforts. Whether such a challenge would be successful is very unlikely to be resolved before 2023.
Given that the employee-employer exemption included in the CCPA expires on January 1, 2023, individuals with responsibility over benefit plan contracts may need to move quickly to analyze which contracts, if any, will require modifications to comply with CPRA. Civil penalties may be assessed for a failure to comply with the CPRA, including failure to amend contracts deemed subject to the law.
Conversations with your benefits and privacy counsel and benefit plan service providers may be a best next step.