Mythbusters, Amendments, and Proposed Regulations to the California Consumer Privacy Act of 2018

CCPA Law’s Amendments and Proposed Regulations Provide Clarity for Healthcare Technology Companies and Data Brokers, but enforcement is unlikely until Summer 2020

For nearly two years, digital healthcare companies and data brokers from across the country have been preparing to comply with California’s newest data privacy law—the California Consumer Privacy Act of 2018 (CCPA). Companies are making determinations about the applicability of this law to their operations, developing inventories of the types of consumer information they collect, and implementing operational and procedural changes in order to comply with the law’s requirements. Some companies whose operations are not subject to the CCPA have determined that it may be a strategic advantage to voluntarily adhere to some of the CCPA’s requirements, as they are likely to be adopted by other states (and even the Federal Government) as privacy legislation continues to proliferate. If you are a digital healthcare company or healthcare data broker and you’ve not initiated these conversations within your company, now is the time.

CCPA Enforcement in 2020

We summarized the basics of the CCPA law in a 2018 article in The Latest. Since that time, controversy and anticipation swept the industry, prompting the California legislature to pass a few amendments to clarify the CCPA law’s requirements and scope. Recently, the California Attorney General’s office issued proposed regulations that include many more details on how companies must structure their operations to comply with the CCPA. In this CCPA update, we will cover the substance of these amendments and a high-level overview of the proposed regulations, and share with you what they mean for your healthcare technology business. Comments to these regulations are due by December 6, so if you’re interested in exercising your right to public comment, contact us for more details.

I’d like to begin with the compliance timeline, which has some in the industry a bit confused. Contrary to what you might gather from reading the original CCPA text, enforcement of the CCPA will not begin on January 1, 2020. That date is simply the law’s “effective date”. Section 13 of the CCPA states that the California Attorney General (AG), whose office will be responsible for enforcing the CCPA, may not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

Note that the California AG has the power to retroactively enforce violations of the CCPA committed starting Jan. 1, but because regulations won’t be finalized until just before the new year, it’s unlikely such enforcement will include much more than serious privacy violations by very large players in the industry, if they’re pursued at all. CCPA regulations have been proposed, but have not yet been adopted. The California AG’s office will need to read and respond to all public comments, and publish the final regulations—that publication will start the clock on the 6-month “grace period”. So, digital healthcare technology companies and healthcare data brokers may have up to six full months after the effective date of the law to come into compliance.

CCPA: How do I know if the law applies to my healthcare company?

The “Who”

The CCPA applies to for-profit companies that do business in California (even if those companies are not located in California), collect consumers’ personal information AND:

  1. Have annual gross revenues in excess of twenty-five million dollars ($25,000,000); OR

  2. Alone or in combination, annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; OR

  3. Derive 50 percent or more of their annual revenues from selling consumers’ personal information.

According to the CCPA text, the term “collects” is quite broad—it isn’t limited to collecting information directly from consumers. “Collects” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. Under a strict reading of the text of the CCPA, a company is “collecting” information from a consumer even if it is receiving that information from a third party. This means, for example, that many healthcare data analytics companies that purchase consumer data (healthcare or otherwise) from third parties will be subject to CCPA, even if they never interact directly with consumers.

The CCPA will not apply to all digital healthcare technology companies. Some companies are not large enough in terms of revenue, or don’t have access to the threshold amount of data, especially those in the early stages of growth. Some companies may not be “doing business in California” according to the state’s law. Some companies may be exempt because of the purpose of the collection or the type of data collected. (We will cover this in more detail below.) Companies that use consumer information and have a presence in California will need to do an individualized analysis to determine applicability of the law.

For those companies to whom the law won’t apply in 2020, we argue that understanding the law’s requirements may still be relevant to business planning. Why? Well…

  1. If a company doesn’t qualify because of revenue or number of records or DBA status in California, but plans on growing, it’s better to plan early for compliance so that it can be “built in” once the company begins to scale.

  2. For companies to which the CCPA does not apply, but that contract with companies that are subject to the law, CCPA requirements are likely going to be passed down (similar to HIPAA) via contract. These companies may need to have in place similar controls even though the law doesn’t apply to them directly.

  3. There are current efforts to pass national privacy legislation that would standardize requirements for companies that collect personal data from consumers. Given California’s position as a leader in privacy policy, it’s likely this legislation will look similar to the CCPA. Planning for compliance with CCPA could make transitioning to a new federal standard much easier than starting from scratch.

The “What”

The CCPA applies to consumers’ personal information, including personal healthcare information. CCPA defines “personal information” very broadly, as follows:

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

One of the exceptions to the CCPA regarding medical record information has created some confusion in healthcare technology circles, so we’d like to take a moment to set the record straight. It is true that the CCPA does not apply to “medical information”, which is governed by the California Confidentiality of Medical Information Act (CCMIA). CCPA also does not apply to Protected Health Information ("PHI"), which is governed by HIPAA. However, not all healthcare-related information is protected by state medical records laws and HIPAA. In general, these laws are narrowly applicable to medical record information—that is, information collected and meant to be placed in a patient’s medical record or insurance billing record.

Google or Facebook can collect a person’s height, weight, medication preferences, diabetes diagnosis status, or any number of healthcare data points, but they would not be subject to HIPAA or to California’s medical records laws. In general, the information must be collected by a healthcare provider, insurance company, or clearinghouse in order for these laws to apply. Companies that don’t fall into these categories have traditionally been able to collect sensitive healthcare information from consumers without being subject to traditional healthcare privacy laws, and in many cases without having to inform consumers of the specific use of their data. This is one reason for the creation of laws like the CCPA—to close these kinds of loopholes in regulation.

The important takeaway here: the HIPAA carve-out won’t necessarily apply to all digital healthcare technology companies and healthcare data brokers. These companies will need to perform a fact-based analysis to confirm whether the HIPAA/CCMIA carve-out applies.

Implementing CCPA’s Requirements

Opt-out. Under CCPA, a company needs to (a) allow consumers to opt-out of the sale of their personal information and (b) have in place 2 methods for consumers to “opt out” (e.g., email address, web form, toll free number). Companies that sell consumers’ personal information have to also provide a link on their web site titled “Do Not Sell My Personal Information” with the options for opting out.

Privacy Policy Updates. The CCPA may require some companies to update their Privacy Policies to include, among other things, a description of consumers’ rights under the CCPA.

Right to Know and Delete. Companies need to have in place procedures to respond to consumer requests for what personal information (either specific information or categories of information) the company collects. Companies must also be able to respond to and comply with requests to delete personal information. A company needs to provide at least 2 methods for these consumer requests. Specifically, companies must have in place the technology and procedures to (i) respond to consumers with the types and sources of information as well as the purpose for the information collection and which third parties have received the information, all in a readily useable format and (ii) permanently delete the consumer’s information from its systems (and direct third parties working with the company to do the same).

Nondiscrimination. When a consumer exercises a right under the CCPA (as described above), a company to whom CCPA applies cannot discriminate—that is, it cannot (1) deny goods or services to that consumer, (2) charge the consumer a different price or rate for goods or services, including through use of discounts or other benefits, (3) impose penalties, (4) provide the consumer with a different level or quality of service, or (5) suggest the consumer will receive a different price or rate or different level or quality of goods or services. However, companies can offer customers financial incentives for collection, sale, or deletion of personal information and can charge consumers different rates or provide different levels of service so long as the price or difference is directly related to the “value provided to the consumer by the consumer’s data.”

Changes in 2019: Amendments and Proposed Regulations

The California legislature recently passed a few amendments to the CCPA, and the California Attorney General’s office issued proposed regulations, to clarify certain areas that were not clear in the original statute. The Amendments to the CCPA (all passed in September 2019 and October 2019) make the following updates to the CCPA:

  • “Consumers” covered by the CCPA do not include job applicants, employees, contractors or agents of a business to the extent their personal information is collected and used in their respective roles. [Assembly Bill 25 – passed 10/11/19].

    • This distinction is likely to limit the scope of applicability of CCPA to a company when the purpose of a company’s consumer information collection is non-commercial. Also, for those companies that are subject to CCPA, this serves to limit liability related to data collection to a subset of data collected by those companies—namely, the data they use for commercial purposes.

  • Personal information covered by the CCPA does not include de-identified or aggregate consumer information. [Assembly Bill 874 – passed 9/11/19].

    • This is a significant change, which permits an entity that collects personal information to avoid CCPA enforcement for certain data sets if it simply de-identifies or aggregates the data.

  • The final amendment eased the requirements for online-only companies covered by the CCPA – it allows such companies to provide only one (rather than 2) method to consumers for opting out and making requests. [Assembly Bill 1564 – passed 9/12/19].

The Proposed CCPA Regulations include additional guidance for covered companies in the following areas:

  • Opt-out rights and the language and process required to verify and respond to opt-out requests

  • Specific information required in opt-out notices regarding the collection and sale of consumers’ personal information

  • Response and resolution times for opt-out and consumer requests (confirm receipt within 10 days and respond within 45 days with potential additional 45-day extension)

  • Clarification of when verification of a requestor is required, what types of data requests need to be verified, and categories of information that cannot be disclosed in any request (e.g., SSNs, drivers’ license numbers, financial account numbers, health or medical ID numbers, account passwords)

  • Further guidance on how to respond to a request to delete all information, including that de-identification and aggregation are both options for “deleting” information.

  • Making clear that covered companies need to keep records of types of data collected and used, opt-out and opt-in requests, right to know and deletion requests, and do-not-sell requests, for 24 months

  • A new requirement for companies that buy, receive, sell or share personal information of 4 million or more consumers to provide an annual metrics report in their Privacy Policy regarding types of consumer requests received and processed.

  • Clarification of opt-in requirements for minors ages 16 and under.

The full text of the Proposed Regulations can be accessed here. Interested parties are able to provide comments on the regulations to the California Attorney General by 5 p.m. PST on December 6, 2019. If you are interested in submitting comments on the Proposed Regulations, contact us. We can help!

CCPA’s Role in National Privacy Legislation

The CCPA is one of the most restrictive data privacy laws passed in the country. For digital health technology companies that operate in multiple (or all) states, adhering to the most stringent regulatory framework is a reasonable method for controlling compliance costs. For this reason, Nixon Law Group often advises clients to comply with California privacy laws, to the extent commercially feasible, even if their base of operation (and even consumer base) is elsewhere. Further, on a national level, state and federal legislators and major corporations are pushing for stricter or more consistent data privacy protections for all consumers. Washington is deliberating on State Senate Bill 5376, which borrows heavily from both the CCPA and the General Data Protection Regulation (GDPR). Texas has two bills under review, one of which mimics the CCPA almost exactly (the Texas Consumer Privacy Act and the Texas Privacy Protection Act), and Massachusetts proposed the Massachusetts Consumer Privacy Act, which has similar consumer notice and protection rights to the CCPA.

If your company has questions about the applicability of the CCPA to your business, or how to come into compliance with the law before enforcement begins, contact us for a complimentary consult.
