With CCPA in Effect, What Do Health and Life Sciences Entities Need to Know? And How Does the New Amendment Affect You?
Happy Data Privacy Day from the Quarles & Brady Data Privacy & Security Industry Team!
We have rung in the New Year and the California Consumer Privacy Act (CCPA) has been in effect for 28 days. While health and life sciences entities are long familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), CCPA adds a new layer of complexity to health and life sciences entities’ privacy and security compliance programs. The CCPA is the most comprehensive consumer-directed data privacy law in the United States to date. For background, please see our previous article for a summary of the CCPA. While it is generally known that CCPA includes HIPAA-related exemptions, they are not blanket exemptions. Health and life sciences entities may be subject to CCPA, and businesses selling products, providing services, or collecting data from California consumers should take note.
The California Attorney General’s office, in its January 6 Advisory and fact sheet, makes clear that it will focus its enforcement efforts on consumer rights. As stated by California Attorney General Xavier Becerra: “knowledge is power, and in today’s world knowledge is derived from data. When it comes to your own data, you should be in control. In California we are rebalancing the power dynamic by putting power back in the hands of consumers.” The fact sheet also quantifies the incredible value of personal information, noting that CCPA will protect over $12 billion worth of personal information used for advertising in California each year.
Now that companies have breathed a collective sigh of relief after updating their website privacy policies, they need to stay alert to more changes coming down the road. Here are a few considerations for your Data Privacy Day, whether you are a CCPA beginner or a CCPA expert:
1. It is Never Too Late to Work on CCPA Compliance
While the CCPA became effective on January 1, 2020, it is not too late to assess whether it applies to your business and to create a roadmap to compliance. First, determine whether your business is governed by CCPA.
- CCPA applies to you if you are a (1) for-profit business that does business in California that (2) collects California residents’ personal information and (3) meets at least one of the following thresholds: (a) has more than $25 million in revenue; (b) buys, receives, or shares personal information of 50,000 or more consumers, households, or devices; or (c) derives 50% or more of annual revenues from selling California consumers’ personal information.
- Even if your business is not governed by CCPA, your customers and partners may be asking you to amend your services agreement to address CCPA compliance.
In the event you conclude that you are subject to CCPA, you can begin to chart the course for CCPA compliance in light of the unique circumstances of your business. As a reminder, consider including the following steps in your journey:
- Educate. Know your obligations and be alert to changing requirements.
- Project Roadmap. Create a plan to achieve compliance with CCPA.
- Data Map. Identify what personal information you collect, why it is collected, where it is stored, and with whom it is shared. Determine if your data is subject to any exemptions (more on this below).
- Create a “Do Not Sell My Information” link on your website to allow California residents to opt-out of the sale of their personal information.
- Process for Responding to Consumer Requests. Create an efficient system for handling consumer rights requests.
- Train. Train employees on how to handle personal information and consumer requests.
- Data Security. Ensure the security of personal information to avoid breaches and security incidents, which may be actionable under a new private right of action for affected California residents. Make sure you have an incident response plan that addresses both health information and personal information and follow it.
- Update your Service Provider Contracts. Evaluate your upstream and downstream contracts with third-party service providers and modify the underlying agreements for CCPA compliance. Think about your standard data sharing practices, including relationships with data aggregators, data brokers, pharmaceutical manufacturers, hubs, and research intuitions.
- Do Not Look at CCPA in a Vacuum. Consider how compliance with CCPA obligations interplay with existing obligations under regulations specific to the health and life sciences industry (e.g., CMIA, HIPAA, Food, Drug and Cosmetic Act obligations).
2. The CCPA Proposed Regulations Will Soon Become Law.
Businesses will also need to be agile in responding to additional compliance obligations which arise under the CCPA regulations. The California Attorney General issued a series of proposed regulations on October 11, 2019, which further expand compliance obligations under CCPA. The proposed regulations are in the comment period, and we expect to see final regulations in the next few months.
There are several provisions which are garnering a great deal of attention, including the requirement of a “Do Not Sell” Button (being designed by the AG’s office), “just-in-time” notices on the website each time the Company places cookies, and whether privacy policies apply to both off-line and on-line activities.
3. Look for More Amendments to CCPA.
We have every reason to believe that there will be more amendments to CCPA introduced in 2020. One member has already introduced an amendment designated as an “urgency statute” which means it will take effect immediately after it is signed by the California Governor (more on this amendment below, as it is particularly aimed and the health and life sciences industry).
4. Take Advantage of Exemptions Available to the Health and Life Sciences Industry.
CCPA exemptions exist related to certain health care data and certain types of health care entities. Determining whether these health-related exemptions are applicable to your business requires an examination of the type of entity and data at issue. In general, health-related exemptions include:
- Common Rule Exemption. Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”) pursuant to good clinical practice guidelines is exempt from CCPA.
- Medical Information and PHI Exemption. “Medical information” governed by California’s Confidentiality of Medical Information Act (CMIA) and “protected health information” (PHI) collected by a covered entity or business associate under HIPAA is exempt from HIPAA.
- Provider and Covered Entity Exemption. CCPA does not apply to a provider of health care governed by CMIA or a covered entity governed by HIPAA to the extent the entity maintains patient information in the same manner as CMIA and HIPAA. This exemption does not currently include “business associates” under HIPAA.
These exemptions are not as broad as they appear, and health and life sciences businesses should consider how they handle “personal information” that is not PHI. For example:
- Health information collected directly from individuals (e.g., via an app) is not PHI if it is not created or received by or on behalf of a health care provider or plan.
- The definition of personal information under CCPA is broad, including inferences drawn from information. If inferences drawn from PHI are used to create a second data set, CCPA may apply to this new data set.
- Certain data collected by health and life sciences entities are outside the scope of PHI, including information collected via cookies as well as collection of geolocation data via a website or app. This data is not exempt from CCPA under the health care exemptions.
- The Common Rule exemption is not broad enough to carve out all PHI used for research purposes, as not all research meets the standard of a clinical trial subject to the Common Rule (but see the bill below).
- As currently drafted, PHI de-identified in accordance with HIPAA is no longer PHI and no longer carved-out of CCPA compliance (but see the bill below).
5. Understand the Impact of the New Amendment and Track its Progress.
Do not fear—there is a bill currently pending in the California legislature (AB 713) that health and life sciences entities should be monitoring. The bill, if enacted, would amend CCPA to provide new exceptions for additional types of health information, including data de-identified in accordance with HIPAA, biomedical research data, information used for public health and safety activities, and health information maintained by business associates in the same manner as PHI. Since this bill is a new development, we got into the weeds on the new exemptions:
- De-Identified Data Exemption. AB 713 would exempt from CCPA compliance requirements de-identified information that meets the following conditions: (1) de-identified in accordance with HIPAA, i.e., the safe harbor or expert determination method; (2) information is derived from PHI or “individually identifiable health information” under HIPAA, “medical information” under CMIA, or “identifiable private information” subject to the Common Rule; and (3) the business (or its business associate) does not actually (or attempt to) re-identify the data.
This exemption helps to reconcile potential inconsistencies between HIPAA and CCPA de-identification standards. In addition, because this exemption is applicable to de-identified data (and not HIPAA covered entities or business associates), it appears that businesses outside the scope of HIPAA that create de-identified data in accordance with HIPAA may also take advantage of this exemption (e.g., manufacturers, research institutions) as long as the data set is not subsequently re-identified.
Importantly, while AB 713 exempts de-identified information, CCPA would still require businesses that sell or disclose de-identified information to provide consumer-facing notice outlining whether the business: (1) sells or discloses de-identified information; and (2) used the HIPAA safe harbor or expert termination method to create the de-identified data set. This notice requirement may heat up the debate regarding the reliability of the safe harbor method in complex data transactions.
- Research Data Exemption. AB 713 would create an additional exemption for personal information collected for or used in biomedical research subject to institutional review board standards, Common Rule ethics and privacy requirements, good clinical practice, or US Food and Drug Administration’s human subject protection requirements. AB 713 would also create an exemption for any research, subject to applicable privacy and ethics laws, if the information is either “individually identifiable health information” under HIPAA or “medical information” under CMIA.
- Public Health and Safety Exemption. AB 713 would create a partial exemption for personal information used for the following public health and safety activities as long as the privacy of the information is protected under applicable law and the information is not sold or used for other purposes: (1) registration and tracking of products regulated by the FDA; (2) public health activities as described in HIPAA; and (3) FDA-regulated activities related to quality, safety, or effectiveness. These are partial exemptions, as AB 713 requires businesses to comply with certain CCPA obligations, including notice and access. Key to this exemption is the need to not sell or use the information for other purposes than the specified public health and safety activities.
- Business Associate Exemption. AB 713 would add an exemption for business associates to the extent they maintain, use, and disclose patient information consistent with HIPAA’s requirements applicable to PHI. This may have limited application, as business associates processing health information may not wish to apply HIPAA’s compliance obligations to consumer-generated information. However, this does allow another exemption to assess with regard to patient information about California residents.
Last week the bill was designated as “urgent” by the California legislature and, if enacted, would immediately go into effect once signed by the governor. We will continue to monitor this bill as it moves through the legislature.
6. Expect Constitutional Challenges to CCPA.
While it is early in 2020, legal commentators are already expecting that there will be multiple constitutional law challenges to the CCPA. In particular, commentators seem to agree that the statute may be vague and/or that the statute violates the dormant commerce clause.
7. Get Ready to Respond to Consumer Requests under CCPA.
Yes Virginia, you will quickly move past the legal theory into the reality of having to respond to real live requests from real life consumers. The California legislature gave California consumers a number of rights with regard to their personal information under CCPA, including: right to request deletion, right to access, right to know, and right to opt out of the sale of personal information. The right to opt-out of the sale of personal information does not just mean sale in the traditional sense, but to share such personal information to another party for monetary or other valuable consideration.
These early requests present a great opportunity for companies to test their internal processes to ensure that you are responding in an accurate and timely manner. Make sure your company:
- Meets the time frames for response.
- Confirms the identity of a requestor before making a substantive response.
- Has a process for recording requests and responses.
- Is familiar with exemptions which do not require the deletion despite a consumer request.
8. Employee Data is Exempt, But Maybe Not For Long.
CCPA currently provides a temporary exemption—until January 2021—with regard to the collection of employee data, including personal information derived from job applicants, employees, and contractors. However, despite the moratorium, businesses must still comply with certain CCPA obligations, including:
- Informing job applicants and employees about the categories of personal information to be collected (again, at or before the point of collection); and
- Implementing reasonable security procedures and practices with regard to employee data (note that businesses may still be subject to a private right of action from employees for unauthorized access and exfiltration, theft, or disclosure of their unsecured data).
We are confident this topic is going to be the subject of much debate over the course of 2020 so businesses should be giving further consideration of how to be ready to respond if this exemption expires.
9. Business-to-Business Data is Also Exempt For Now.
Like employee data, personal information collected from employees and contractors of business customers, suppliers, and vendors acting in their business capacity, i.e., business-to-business (B2B) data, is also subject to a temporary moratorium on most CCPA requirements. This moratorium is also giving businesses a temporary reprieve for B2B data until January 1, 2021. Those of you doing business in the EU already know how complicated life becomes when B2B personal information is subject to privacy law restrictions, so we expect this will also be the subject of much debate in 2020.
Stay tuned as we address what’s next for other states in our next article. Remain nimble and ready to adapt to an evolving law in California and similar but different consumer privacy laws in other states (e.g., Maine, Nevada, New York, Washington, and Wisconsin) with more on the horizon in 2020.
For questions about this update, CCPA compliance, or your data privacy and security program generally, please contact a member of the Health Information Technology, Privacy & Security team, the Data Privacy and Security industry team, your Quarles & Brady LLP attorney, or: