On June 28, 2018, California’s new privacy bill A.B-375 was signed into law as the California Consumer Privacy Act of 2018 (“CCPA”). On October 10, 2019, the California Attorney General issued proposed regulations for implementing and interpreting the CCPA. Effective on January 1, 2020, the CCPA will apply to all for-profit entities and businesses that:
- Do business in California;
- Collect the personal information (“PI”) of California residents, and
- (a) Annually have gross revenues of $25 million or more; (b) derive half or more of their annual revenue from selling PI; or (c) transact in the PI of 50,000 or more consumers, households, or devices per year.
PI is broadly defined under the CCPA to encompass any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA specifically includes information that is often collected by healthcare service providers such as: (i) personal identifiers like social security numbers, postal addresses, email accounts and driver’s license numbers, (ii) commercial information like records of purchased products or consuming histories/tendencies, (iii) internet browsing activity, (iv) geolocation data, and (v) biometric information.
This expansive definition provides a broad purview for the CCPA. The new regulatory requirements established by the CCPA will end up impacting stakeholders that are both domestic and foreign to California.
Impact of the CCPA – New Consumer Rights
The CCPA will require regulated entities to respect a series of new consumer rights in order to be compliant. Specifically, consumers will have the following new protections and rights under the CCPA:
- Disclosure. Consumers will have the right to request information concerning the PI collected by a regulated entity including: (i) the categories and source of the PI collected, (ii) why it was collected, and (iii) whom the regulated entity shared the PI with. Regulated entities will have to provide at least two (2) methods by which consumers can request this information.
- Deletion. Consumers will have the right to ask a regulated entity not only to delete their PI, but to ask any “Service Providers” working with the regulated entity to do so as well (subject to certain exceptions). A “Service Provider” in this case is defined as a for profit business to whom the regulated entity provides consumer PI for a business purpose, so the Service Provider can process or perform specific services with respect to the PI.
- Opting Out. Consumers will have the right to opt out (or in the case of minors, opt in) to the sale of PI, with a clear and conspicuous link online for a consumer to be able to do so.
- Non-discrimination. Regulated entities will not be allowed to discriminate against a consumer for his or her choice in exercising any of the above mentioned rights.
Despite the broad reach of the CCPA, the impact will be limited by a series of exclusions and limitations. The CCPA does not regulate non-profit entities, meaning that non-profit hospitals and other health care providers would generally be outside of the scope of its direct requirements. Also health care providers that are already considered covered entities under the Health Insurance Portability and Accountability Act (“HIPAA”) or the Confidentiality of Medical Information Act (“CMIA”) and which maintain the data in a manner that is compliant with CMIA or HIPAA, respectively, would have less requirements to meet due to federal preemption. For all practical purposes this means regulated entities that are currently operating under, or regulating patient information storage and maintenance according to CMIA or HIPAA regulations, can continue to do so. There are also exclusions for certain clinical trial research data that is subject to the Common Rule, and exclusions for certain de-identified data.
However, regulated entities that are considered exempt from the CCPA due to being compliant with HIPAA or CMIA for certain portions of the data they collect, are not blanketly exempted. These stakeholders may still fall under the purview of the CCPA if they maintain PI that does not fit into the exemptions noted above, or if the stakeholders receive information from affiliates that are governed by the CCPA and thus have certain indirect requirements. In order to meet the CCPA requirements, it will be important for stakeholders to be aware of the types of information they are collecting and why, as well as which third parties have received access to this information.
Between now and the effective date of January 1st, 2020 all stakeholders are highly encouraged to identify any data collection activities in order to determine if these activities will be subject to the CCPA. Stakeholders should examine any relevant information sharing transactions and agreements they have entered into to confirm or revise these arrangements to be compliant with the CCPA.
Penalties for violating CCPA are significant, with each intentional violation costing up to $7,500. Further, the CCPA provides a private right of action for data breaches that notably does not require the consumer to show that any harm resulted from the breach, making the potential for liability much larger. However, this right of action does require written notice to be provided to the regulated entity with an opportunity to cure, as well as a notification to the Attorney General before the consumer can proceed.