In June of this year, California passed the California Consumer Privacy Act (CCPA) giving California residents specific rights related to their online privacy, similar to those proscribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medication Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.

 

Recently, Health Canada released guidance to help companies understand their reporting obligations under section 14 of the Canada Consumer Product Safety Act, which requires that sellers, distributors, importers, and manufacturers report after becoming aware of any health or safety incident involving a consumer product. Notably, the guidance clarifies (1) what constitutes a reportable “incident,” (2) at what point a company is “aware” of an incident, (3) when a company must report, (4) what information each report must include, and (5) how Health Canada will treat confidential business information and private information.

What Constitutes an “Incident”?

Section 14 of the Act defines an “incident” as an occurrence; defect; characteristic; or incorrect, inadequate, or an absence of information on a label or instructions that resulted or may reasonably have been expected to result in death or serious negative impacts on health. In addition, an “incident” occurs when the company undertakes a recall or other action, whether or not in Canada, based on concerns about human health or safety.

The guidance explains that a serious health impact includes harmful effects that bring about a temporary or permanent change to health, including, for example, external physical harm, poisoning, and loss of sight or hearing. Whether an injury is serious, however, will depend on other factors such as the age of the consumer and the part of the body that is harmed, and should be considered from the viewpoint of the consumer. Regardless, if a company decides not to report, it must be prepared to justify its decision if questioned by a Health Canada Product Safety Officer.

When Is a Company “Aware” of an Incident, and When and What Must It Report?

Under the Act, a company has an obligation to report as soon as it becomes “aware” of an incident, even if it does not have details on all aspects of the incident, as the obligation to report occurs as soon as the company has awareness that an incident could lead to a recall. As a result, Health Canada states that a company should not wait for further details or absolute certainty – i.e., a formal risk assessment – to report and, if it is not certain that an incident has occurred, should report on a precautionary basis.

Within two days of awareness, the company must provide all information about the incident to Health Canada and to the person from whom the company received the product – i.e., up the supply chain. The initial report must include:

  • All information about the product (name, model number, UPC, serial number),
  • A description of how the incident happened,
  • Details of injuries, such as the body part, age of the victim, and kind of treatment needed,
  • Details on where the product is sold,
  • The complete name and contact information of the manufacturer or importer, as it appears on the product label,
  • Information on any other known events related to the product,
  • Information on any other known incidents reported to Health Canada in the past, and
  • Information on products that share the same parts as those involved in the incident.

Furthermore, within 10 days of awareness, manufacturers must submit a written report with additional information about the product, including new details about the incident, the number of products distributed, the standards to which the product is certified, any test reports, the steps taken (or that will be taken) to ensure safety, and the proposed corrective action.

How Will Health Canada Handle Confidential Business Information and Personal Information?

Sections 16 and 17 of the Act allow Health Canada to disclose confidential business information to protect human health or safety or the environment, and with or without consent or notice to (1) a person or government that carries out functions relating to the protection of human health or safety or the environment, or (2) the public if the product poses a serious and imminent danger to human health or safety or the environment. Health Canada notes, however, that it is often possible to deal with health or safety concerns without disclosing confidential business information, and the agency will consider relevant factors when determining whether to make a disclosure in a particular case.

Regarding personal information, Health Canada explains that it does not routinely require personal information when it assesses incident reports and recommends that companies omit consumer personal information from them. The Canadian Privacy Act will govern Health Canada’s management – and disclosure – of personal information.