California Governor Signs Far-Reaching Consumer Privacy Legislation

The CCPA has drawn comparisons to the European Union’s General Data Protection Regulation (GDPR), because it establishes many of the privacy protections contained in the GDPR. Californians for Consumer Privacy has said it will withdraw its ballot measure for a similar California Consumer Privacy act because of the CCPA’s passage.[2]

Under the CCPA, California residents will have the right to request that a business provide them with the personal information the business collects about the resident requesting such information. In addition, individuals can request that a business stop selling their personal information.  Although the CCPA excludes from its jurisdiction patient health information defined under the California Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act (HIPAA), health care providers would still be subject to the law because it applies to any resident of California, including employees and other workforce members of a business.  Thus, all information providers have on their employees, contractors, and other workforce members would be subject to the CCPA.

Summary of the California Consumer Privacy Act (CCPA)

What is the CCPA?

• The California Consumer Privacy Act requires California businesses to provide California residents with the right to know how their personal information is collected, sold, or disclosed by certain businesses, and the right to prevent businesses from selling their personal information.

Who is covered by the CCPA?

• The CCPA’s privacy obligations apply to “businesses,” defined as legal entities that (1) do business in California; (2) collect or sell personal information; and (3) either: (A) have annual gross revenues exceeding $25 million (to be adjusted to reflect changes in the Consumer Price Index), (B) derive 50 percent or more of annual revenues from selling consumers’ personal information, or (C) buy, sell or share for commercial purposes “the personal information of 50,000 or more consumer, households, or devices.” Civ. Code § 1798.140(c).
• The CCPA’s privacy rights apply to “consumers,” which are defined by the law as California residents, which in turn are defined as (1) all individuals in California for other than a temporary purpose and (2) everyone domiciled in California who is not in the state for a temporary purpose. 18 CCR § 17014.  There is no exclusion in the definition for personal information an employer maintains regarding its employees and other workforce members.

What information does the CCPA regulate?

• The CCPA regulates “personal information,” defined as any information that could reasonably be linked to a consumer, including but not limited to, personal identifiers, commercial information, biometric information, internet activity information, and employment related information. 1798.140(o)(1).
• Personal information does not include “publicly available” information or information available from federal, state, or local government records. 1798.140(o)(1)(K)(2).
• The CCPA does not apply to protected or health information collected by a covered health entity governed by CMIA or HIPAA. 1798.145(c).

What activities does the CCPA apply to?

• Collecting information pertaining to a consumer through buying, selling, gathering, obtaining, or any other means. 1798.140(e).
• “Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating” orally, electronically, or in writing a consumer’s personal information to another business or third party for monetary or other valuable consideration. 1798.140(t)(1).

What are the different rights businesses and consumers will have under the CCPA?

• Businesses
  • A business can offer financial incentives for the collection of personal collection as long as consumers consent to opt-in. 1798.125(b)(1).
• Consumers
  • The right to request a business delete any personal information about the consumer which the business has collected. 1798.105(a).
  • The right to request a business collecting personal information disclose: (1) the categories of personal information collected, (2) the category of sources from which the personal information is collected, (3) the business or commercial purpose of the personal information, (4) the categories of third parties the business has shared the information with, and (5) the specific pieces of information a business has collected from a consumer. 1798.110.
  • The right to request a business selling personal information about the consumer disclose: (1) the categories of personal information sold; (2) the categories of personal information the business sold and the categories of third parties who received it; and (3) the categories of personal information that the business disclosed about the consumer for a business purpose. 1798.115.

What other obligations will businesses have under the CCPA?

• If a consumer requests a business not to sell his or her personal information, the business cannot do so. § 1798.120(c). In addition, a business cannot sell personal information if it has actual knowledge the consumer is less than 16 years of age unless the consumer, if between 13 and 16 years of age, consents or the consumer’s parent or guardian, if the consumer is less than 13 years of age, consents.   1798.120(d).
• A business must secure personal information from breaches and unauthorized uses and disclosures. See 1798.150(a)(1).
• A business cannot discriminate against consumers for exercising their rights under the CCPA by charging different rates or changing quality.  1798.125(a)(1).
• A business must establish two or more methods for submitting requests for information. This includes a toll-free telephone number and a Web site address if the business has an Internet Web site. 1798.130(a)(1).
• In its online privacy policies, the business must provide a description of the consumer’s rights, a list of categories of personal information it has collected about consumers, and, whether it has collected, sold, or used personal information for business purposes. § 1798.130(a)(5). In addition, it must have a “clear and conspicuous” link on the business’ Internet homepage titled “Do Not Sell My Personal Information” that allows consumers to opt out of the sale of their    § 1798.135(a)(1).

What are the consequences of violating the CCPA?

• Violators of the CCPA are liable for a civil penalty under Section 17206 of the Business and Professions Code in a civil action brought by the Attorney General. Violators may also be liable for civil penalties of up to $7500 per violation.   1798.155(a)-(b).
• If a consumer’s personal information is subject to a security breach because of the business’s violation of the duty to have reasonable security procedures, then the consumer can sue for civil damages between $100 and $750 per consumer per incident or actual damages, whichever is greater. 1798.150(a)(1).

What can businesses do to avoid violating the CCPA?

• Businesses can ask the California Attorney General for guidance on complying with the CCPA. 1798.155.
• A business disclosing personal information to a service provider is not liable if the service provider violates the CCPA and the business has no actual knowledge to believe the service provider intended to commit a violation. If the service provider discloses personal information to the business and the business violates the CCPA, the service provider is not liable if it has no actual knowledge to believe the business intended to violate the CCPA.   1798.145(h).

Conclusion

The  CCPA will place significant new obligations on health care to protect the personal information of employees, patients and other California residents.  Businesses will have to not only inform consumers of their rights, but also be subject to penalties for violating the CCPA. Hooper, Lundy & Bookman’s health privacy attorney’s will continue monitoring the effects of the CCPA.

For more information please contact Steve Phillips, Paul Smith or Jeffrey Lin in San Francisco at 415.875.8500; Amy Joseph in Boston at 617.532.2702; or David Vernon in Washington, D.C. at 202.580.7713.

________________________________

[1] Jeffrey Lin is a current summer associate at Hooper, Lundy & Bookman and a law student at U.C. Berkeley School of Law.

[2] Bryan Anderson, Sweeping California consumer privacy bill approved by Jerry Brown, The Sacramento Bee (June 28, 2018, 1:28 pm), https://www.sacbee.com/news/politics-government/capitol-alert/article213993229.html.