California Governor Jerry Brown signed A.B. 375, the California Consumer Privacy Act of 2018 (CCPA), into law on June 28, 2018. The CCPA is the nation’s strictest consumer privacy and data protection measure.

For-profit healthcare companies doing business in California will be subject to the new consumer privacy requirements by 2020. California legislators crafted the CCPA in a mere seven days in order to preempt a more expansive ballot initiative from reaching California voters in November.

What Happened?

The CCPA is the nation’s strictest consumer privacy and data protection measure. The law will apply to any for-profit entity doing business in California that (1) collects California residents’ personal information (PI) solely or jointly with others, and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales. The law applies to businesses that collect, use or share personal information of California residents, including those who are outside the state for temporary or transitory purposes (e.g., travelers).

PI is defined to mean any information that could reasonably be linked to a consumer, including but not limited to personal identifiers, commercial information, biometric information, Internet activity information and employment information.

The CCPA specifically excludes, among other things, (1) the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report and in compliance with the Fair Credit Reporting Act, and (2) information that is collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act or the Driver’s Privacy Protection Act to the extent the CCPA is in conflict with those laws.

Critical for healthcare companies, the CCPA states that it “shall not apply to protected or health information that is collected by a covered entity governed by the [California] Confidentiality of Medical Information Act [the CMIA]…or governed by the privacy, security, and breach notification rules…established pursuant to the Health Insurance Portability and Accountability Act of 1996. For purposes of [the CCPA], the definition of ‘medical information’ in the [CMIA] shall apply and the definitions of ‘protected health information’ and ‘covered entity’ from the federal privacy rule shall apply.”

This means that companies already regulated under either the CMIA or HIPAA should continue to comply with those rules when handling medical information, as defined by the CMIA, or protected health information, as defined by HIPAA. The CCPA does not supersede those laws.

However, given the breadth of information (outside of medical information and protected health information) regulated by the CCPA, for-profit healthcare companies will still be subject to the CCPA requirements to the extent they gather or process PI, such as IP address, commercial information, Internet activity, geolocation, employment-related information, education information and “inferences” drawn from any such information to create a profile reflecting consumer characteristics.

It is worth noting that a significant portion of California’s hospitals are not-for-profit, which means they may not be subject to the CCPA at all.

The CCPA will require covered businesses to ensure an assortment of consumer rights and related notices that, in certain respects, resemble those recently codified in the European Union’s General Data Protection Regulation (GDPR). The CCPA’s new rights include:

  • Right of Access. Consumers may request disclosure of the specific PI that a business has collected about the consumer.
  • Right of Deletion. Consumers may request that a business delete any PI it has collected from the consumer and may direct any service providers to do the same, subject to several exceptions, such as when PI is needed to complete requested transactions or services.
  • Right to Know. Consumers may request disclosure of the categories and specific pieces of PI collected about them, the sources from which the PI was collected, the purpose for such collection, and the categories of third parties the PI is shared with or sold to.
  • Right to Opt Out or Opt In. Consumers may opt out of any sale of their PI to third parties, and consumers under age 16 must opt in to any such sales.
  • Right of Equal Service. Covered businesses must not discriminate against consumers exercising any of the above rights, including through pricing and quality of goods or services, unless different treatment is reasonably related to the value provided to the consumer by his or her data. However, businesses may offer reasonable financial incentives related to PI collection, sale or deletion.

Violations of these provisions are actionable by the California attorney general (AG) via the state’s Unfair Competition Law (UCL) after a 30-day cure period has passed. In addition to UCL penalties, the law authorizes civil penalties of up to $7,500 per violation.

The CCPA also provides a limited private right of action for data breaches, defined as any instance in which unencrypted PI is subject to unauthorized access and is exfiltrated or otherwise disclosed as a result of a violation of the business’s duty to observe reasonable security procedures and practices. The right of action has two major prerequisites: first, 30 days’ written notice to the business identifying the allegations and an opportunity to cure, and second, notification to the AG within 30 days of filing a complaint, requiring the AG’s response within 30 days that states whether the AG will prosecute the matter within six months and potentially whether the consumer is not authorized to proceed. Only once these preconditions are met may the consumer proceed with his or her civil claim for the greater of statutory damages between $100 and $750 per incident or actual damages and injunctive or declaratory relief.

The CCPA’s quick passage represents a significant compromise with Alastair Mactaggart, the lead sponsor of a ballot initiative that would have brought similar proposals to California voters in November. As part of the compromise, Mr. Mactaggart agreed to pull the initiative from the ballot before the June 28 deadline for the initiative’s certification. Though industry groups had been gearing up for an opposition to the ballot initiative, the Internet Association issued a statement saying it would not impede the bill’s enactment.

Why It Matters

Though healthcare companies are certainly no strangers to privacy and data security regulation, the CCPA introduces extremely burdensome obligations, most of which were previously unseen by American companies and several of which bring questions about what implementation even looks like. For example, the CCPA’s extra protections for data sales utilize an expansive definition that includes any dissemination of consumer data for “monetary or other valuable consideration.” In addition, though companies will have an important right to cure alleged data breaches, it remains unstated and untested what might constitute a cure. Given the potentially complicated measures needed to comply with the CCPA, the 2020 effective date is not far off, and healthcare companies would be well-advised to begin reviewing their practices and policies now for potential exposure.