As discussed in our recent alert, those who oversee pension plans have recently been given a welcome reprieve in terms of more time to pass some interim plan changes; however, the news is not all good. These same people who oversee pension plans – and benefit plans more broadly – may receive a less welcome invitation to participate in planning for their organization’s 2023 privacy readiness…
In 2018, California passed the California Consumer Privacy Act (“CCPA”). It was the first comprehensive consumer data privacy law in the country. Since the CCPA went into effect in January 2020, California employees have been exempt from the consumer protections known as “data subject rights,” but they still have the right to be informed at the time their data is collected, and the right to sue employers who experience a data breach for damages resulting from the breach.
After the CCPA was passed, California voters approved a ballot initiative in November 2020 that amends the CCPA. The amendment is known as the California Privacy Rights Act (“CPRA”) and takes effect on January 1, 2023. Virginia, Colorado, Connecticut and Utah have also passed new consumer privacy laws which will go into effect on various dates throughout 2023. However, of these pending consumer data privacy laws, only the CPRA provides data subject rights to California employees, which means they have rights on their personal data.
Although there are pending bills in California that would extend the CCPA employee exemption until 2026, August 31, 2022 was the last day of the 2022 legislature (i.e. the last day for any bill to pass in 2022 has passed). If nothing changes before the end of the year, employers who meet the minimum requirements to be subject to the CPRA may have a multitude of compliance requirements.
Specifically, employers and benefit plans will need to amend their benefit plan contracts with service providers so that, as of January 1, 2023, those contracts adhere to the data privacy and security provisions of the CPRA. These agreements must specify in particular:
- that personal information is only disclosed for limited and specific purposes,
- that the service provider must comply with the CPRA and provide the same level of privacy protection as required under the CPRA,
- the right to take reasonable and appropriate steps to ensure that the service provider uses the personal information in accordance with the agreement,
- that the service provider will notify the employer if they can no longer meet the requirements of the CPRA,
- the employer’s right, upon notice, to take steps to stop and correct the unauthorized use of personal information, and
- subcontractors hired by the service provider will be subject to the same obligations.
Note that most state laws provide an exception for certain protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA). The basic premise of this approach is that HIPAA already establishes standards for how PHI may be used and disclosed, and also includes standards for protecting that information. To this end, the CPRA exempts PHI, as the term is defined by HIPAA (and HITECH), from regulation under the CPRA to the extent that the PHI is collected by a covered entity or business associate governed by HIPAA. A HIPAA-covered entity will still need to comply with the CCPA/CPRA to the extent that it collects personal data that is not subject to HIPAA regulation.
For example, this exclusion will apply to certain elements of group health insurance plans, but it does not cover all information that may be disclosed to providers of employer-sponsored benefit plans. While employer-sponsored benefit plans are generally insulated from state law regulation under ERISA’s broad preemption, that preemption applies only to the extent that the state law “relates” to employee benefit plans.
The CPRA has not yet been challenged on preemption grounds, and the likelihood of such a claim succeeding is reduced by the fact that the CPRA, on its face, does not purport to “relate to” or regulate employee benefit plans; on the contrary, the CPRA has a much broader reach, applying to organizations with access to consumer and employee data. Historically, California has fought against ERISA preemption in similar statewide efforts. It is very unlikely that such a challenge will succeed before 2023.
Given that the employee-employer exemption included in the CCPA expires on January 1, 2023, those responsible for benefit plan contracts may need to act quickly to analyze which contracts, if any, will require amendments to comply with the CPRA. Civil penalties may be imposed for violations of the CPRA, including failure to amend contracts deemed to be subject to the law.
Conversations with your benefits and privacy advisor and benefits plan service providers may be a better next step.