How the California Consumer Privacy Act Affects the Healthcare Industry

The California Consumer Privacy Act (CCPA) of 2018 was signed into law on June 28, 2018 and becomes effective January 1, 2020. The law gives consumers broad privacy rights and was crafted to resemble the data protection rights set forth in the European Union’s General Data Protection Regulation (GDPR). Companies that are based in California or do business in California will be exposed to civil penalties, injunctions, and individual or class-action lawsuits if they are not in compliance with the law.

The CCPA requires the Attorney General of California to adopt implementing regulations, which are meant to be in place by the time the law takes effect on January 1, 2020. Any delay in publishing those regulations makes it harder for businesses to know how to comply. The regulations are to provide for:

  • Updating as needed additional categories of personal information in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
  • Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.
  • Other statutory requirements

The law is a follow-up to other laws that were enacted after California voters amended the California Constitution to include the right to privacy. These other laws include:

  • Online Privacy Protection Act
  • Privacy Rights for California Minors in the Digital World Act
  • “Shine the Light”, a California law intended to give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.

The law was enacted to strike a balance between the new technology driving new companies in Silicon Valley and other parts of California and the right of consumers to have some control over their personal information.

The CCPA’s legislative findings note that consumers hand over personal information whenever they seek a job, drive a car, or make a doctor’s appointment. Businesses may therefore hold information that California believes should be private, such as financial information, precise geolocation, social networks, biometrics, sleep habits, personality, and health information.

“The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”

The CCPA gives consumers the following rights:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.

Which businesses and companies are subject to the law?

The law applies to:

  • A sole proprietorship
  • Partnership
  • Limited liability company
  • Corporation
  • Association
  • Any other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners

Such an entity is a “business” under the law only if it (1) collects consumers’ personal information, or has that information collected on its behalf; (2) alone or jointly with others determines the purposes and means of processing that information; and (3) does business in the State of California.

The legal entity must also meet at least one of the following tests to be subject to the CCPA:

  • Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), (some adjustments may apply)
  • Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

Because the definition of a business is limited to entities operated for profit, the law does not currently apply to nonprofits as such.

A few key definitions that are similar to, or even expand on, the GDPR definitions

Some of the statutory definitions that bring healthcare-related information within the law’s protection include:

 (b) “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

(k) “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

“Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA does not generally apply to information that is publicly available, such as government records. Other exclusions may also apply. The analysis of what information is included or excluded gets more complicated when the data is “aggregated or de-identified.”

For healthcare organizations, the most important exclusions are the ones for medical information governed by California’s Confidentiality of Medical Information Act (CMIA) and for protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). That data remains subject to HIPAA and the CMIA rather than the CCPA, so the practical question for a provider is which of its data (for example, data collected outside the treatment relationship) falls outside those exemptions and is therefore governed by the CCPA.

Consumer protections under the CCPA

The new law allows consumers to pursue their rights in numerous ways including the following:

  • Disclosure. 1798.100(a) and 1798.110. A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected, including the following:
    • The categories of personal information it has collected about that consumer.
    • The categories of sources from which the personal information is collected.
    • The business or commercial purpose for collecting or selling personal information.
    • The categories of third parties with whom the business shares personal information.
    • The specific pieces of personal information it has collected about that consumer.
  • Deletion. 1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
  • Rights regarding the selling of information. 1798.115. (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
    • The categories of personal information that the business collected about the consumer.
    • The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
    • The categories of personal information that the business disclosed about the consumer for a business purpose.
    • 1798.120. (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
  • Freedom from discrimination. 1798.125. (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
    • Denying goods or services to the consumer.
    • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
    • Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
    • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Form of disclosure. 1798.130. The disclosure shall be in a form that is reasonably accessible to consumers. Businesses must:
    • Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
    • Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer.

Many other conditions apply to each listed item. Consumers have other rights and businesses have other duties, which an experienced California healthcare lawyer can explain. For example, additional rules apply when the consumer is under 16 or under 13 years of age.

In general, the law shifts the burden of making sure the consumer understands what information is being collected and why to the business that is collecting the information.

A new legal right to file claims against businesses that fail to comply with the CCPA

The CCPA gives consumers a private right of action, but it is narrower than the rights listed above. Under Section 1798.150, a consumer may sue when nonencrypted or nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. The right includes an individual lawsuit or a class action lawsuit. Damages are statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Consumers can also seek an injunction to stop future violations. Violations of the disclosure, deletion, and opt-out rights are enforced by the Attorney General rather than through private suits.

Civil penalties sought by the Attorney General are up to $2,500 per violation, and intentional violations can result in much higher penalties. The CCPA provides:

“Notwithstanding Section 17206 of the Business and Professions Code, any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.”


Exactly what constitutes a violation, and the 30-day cure period the law gives a business before a penalty action is brought, should be reviewed with a skilled California healthcare lawyer.

The CCPA also creates a special fund called the “Consumer Privacy Fund” to offset the costs incurred by the state courts and the Attorney General in enforcing the law.

Businesses that thought compliance with Europe’s GDPR was all they had to do aren’t finished. Any business that collects nearly any type of personal information from California residents will now have to comply with the California Consumer Privacy Act. The law can affect many for-profit businesses.

The CCPA broadens the definition of personal information to include many different types of healthcare and consumer information. The law also expands the rights of consumers to demand disclosure of the information that is being collected, to demand that personal information be deleted, and to file claims against healthcare and other companies that breach the provisions of the CCPA.

Contact Cohen Healthcare Law Group, PC for information on all your federal and state compliance issues including privacy acts such as the CCPA and HIPAA.
