California Dreamin' About Data Privacy

California is leading the pack in the US as they prepare for the California Consumer Privacy Act (CCPA) to take effect in January 2020. While the CCPA (also known as AB 375) doesn’t apply to HIPAA-defined “protected health information”, (and so doesn’t quite fit in to our state-based privacy blog series), it is a significant piece of legislation, and we wanted to dig in.

Overview of CCPA

  • The CCPA establishes that California Residents will have basic rights to personal data which is collected or held by companies bound by CCPA.
  • Not every company with California residents in its database needs to comply with CCPA, but, for many companies conducting business regularly in California, CCPA compliance will be necessary.
  • Even though CCPA doesn’t apply to data covered by HIPAA, the broad definition of ‘personal information’ will apply to many companies.

Deep-Dive

CCPA Rights

Once the CCPA comes into effect, California residents will have the following rights:

  • The right to be told what personal information companies are collecting about them
  • The right to be told if their personal information is being sold or shared
  • The right to opt out of the sale or sharing of personal information for commercial purposes
  • The right to be given a copy of all personal information that has been collected about them, and the right to request the deletion of that information
  • The right to equal service and price if they opt out of data sharing
    • Put another way, a company cannot discriminate against a California Resident if they choose to exercise any of their other rights under the CCPA

Compliance with CCPA

CCPA applies to any company that does business in California and meets AT LEAST ONE of the following criteria:

  • Has over $25M in gross annual revenue
  • Buys, receives, sells, or shares for commercial purposes, personal information of more than 50,000 consumers, households, or devices
  • Derives more than 50% of annual revenue from selling personal information about consumers

Determining derived revenue may get tricky, because the definition of ‘sell’ is broad. It not only includes direct sale of information, but also transfers of data for ‘valuable consideration’.

Information governed by CCPA

Information that is protected under CCPA includes:

  • Geolocation data
  • IP address
  • Biometric information
  • Internet browsing/search history
  • Professional and educational information
  • Information as part of an inferred ‘profile’

If a company collects any non-PHI personal information from California residents as part of providing services as a Covered Entity or Business Associate, CCPA would still apply to that information.

Summary

The CCPA is a complex and wide-reaching law with the potential to change the landscape of data privacy regulation in the US. Will California residents choose to exercise the rights granted by CCPA? Will companies be able to effectively demonstrate compliance with the CCPA regulations? Will the regulation be sustainable? We look forward to seeing the rubber hit the road in 2020.

Andrew Briggs