The California Consumer Privacy Act (“CCPA”), California’s sweeping new data privacy law enacted on June 28, 2018, goes into effect in January 2020. Because California has historically been the vanguard for social, legislative, and political innovation, and because of its similar-but-different compatibility with the EU’s General Data Protection Regulation, healthcare entities everywhere can expect to see more and more states adopt similar legislation in the coming years.
Prominent among the CCPA’s signature features is its expansive definition of “personal information,” which goes well beyond traditional identifying information (names, birth dates, social security numbers, etc.) to incorporate internet-age data like IP addresses, device identifiers, and geolocation and biometric information. While the CCPA specifically excludes certain types of health data, commercial entities collecting, using, or selling personal data that is not exempted (including Business Associates located outside of California) must support new consumer information rights.
Who Does the CCPA Apply to?
The CCPA applies generally to businesses that:
- Do business in the State of California;
- Collect personal information (or have it collected on their behalf for their use);
- Determine the purpose of collecting personal data, either alone or jointly, as well as the means of processing such data for that purpose; and
- Meet at least one of the following thresholds:
  - Have annual gross revenues in excess of $25M;
  - Receive, sell, or share for commercial purposes, alone or jointly, the personal information of 50,000 or more consumers, households, or devices; or
  - Derive ≥50% of their annual revenues from selling consumers’ personal information.
While these requirements generally apply only to for-profit businesses that meet the above criteria, it should be noted that a “business” under the CCPA encompasses any entity that controls or is controlled by a business that meets the above criteria and that shares common branding with that business. Thus, organizations that do not qualify as “businesses” under the CCPA should nevertheless evaluate their relationships and data sharing arrangements with CCPA-covered entities.
Who Does the CCPA Protect and How?
The CCPA establishes four rights regarding individuals’ personal information: (1) the right to know what personal data a business has collected, where it was obtained, what it is being used for, and whether it is being sold or disclosed and to whom; (2) the right to opt out of allowing personal data to be disclosed or sold to third parties; (3) the right to have a business delete personal data; and (4) the right to equal treatment by businesses with respect to pricing and provision of services if the individual opts out.
Importantly, the CCPA authorizes a private cause of action where a business fails to safeguard an individual’s personal information. A successful plaintiff may recover statutory damages of up to $750 per incident or actual damages – whichever is greater – as well as injunctive or declaratory relief and any other relief the court deems proper. This means that in order to succeed on a claim under the CCPA and recover, a plaintiff does not have to show actual harm.
What Types of Personal Information are Covered?
Because the CCPA specifically excludes protected health information covered under HIPAA and HITECH as well as California’s Confidentiality of Medical Information Act (CMIA), many such covered entities and their Business Associates erroneously believe they are not subject to the CCPA. However, the CCPA may nevertheless encompass information maintained by healthcare entities in certain situations, including Business Associates located outside of California. It is important to note that it is the type of information, rather than the status of the entity maintaining it, that determines whether the CCPA applies. The following is a noncomprehensive summary of covered data types.
Second, personal information that is excluded under HIPAA’s definition of Protected Health Information (PHI) falls under the CCPA. This means that, while the CCPA exempts PHI collected by HIPAA-covered entities and their Business Associates, it does not exempt non-PHI unless that data is maintained in the same manner as PHI. The same applies to “medical information” maintained by CMIA-covered entities; however, it is not clear from current guidance whether it applies to Business Associates maintaining non-PHI in the same manner as PHI, as such entities are not expressly included in the carve-out.
Third, de-identified PHI is defined differently under the CCPA than under HIPAA and may therefore constitute protected “personal information” under the CCPA. Moreover, under HIPAA’s standards, de-identified health information is no longer PHI at all and may therefore fall outside of the HIPAA exemption if it does not meet the CCPA’s criteria for “de-identified” classification.
Fourth, personal data that was derived from PHI, but is not itself PHI, may nevertheless be subject to the CCPA. Simply put, this means that where health-related inferences can be drawn from personal data, that information will likely be protected under the CCPA. Similarly, it is unclear whether the CCPA applies to health-related employment data such as information collected from applicants for disability benefits or physicals submitted by new hires during onboarding.
Fifth, PHI disclosed for research under HIPAA may be considered personal information under the CCPA if it is not properly de-identified or if it is used for commercial purposes. Moreover, if the research organization is closely affiliated with a for-profit business (i.e., if the two entities have overlapping or shared control, marketing, logos, etc.), it is likely not exempt.
Keep Abreast of Future Developments
Finally, it is important to note that the information provided above is only a small piece of the puzzle, and a predictive piece at best. Additional complications are certain to arise once the CCPA goes into effect in January. While it is impressive in breadth, the true scope of the CCPA’s exemptions for PHI maintained by covered entities and their Business Associates under HIPAA remains to be seen.