What is the California Consumer
Privacy Act (CCPA)?
In 2018, the state of California passed privacy legislation known as the California Consumer Privacy Act (CCPA). The CCPA is comprehensive data protection legislation. Under the CCPA, entities that handle the personal information of California residents are subject to restrictions as to how the information may be used. Specific consumer rights granted under the law are discussed below.
Whom Does the CCPA Protect?
The CCPA protects data privacy of “consumers,” whom the law defines as residents of California. The provisions of the CCPA govern how any business, as the law defines the term “business,” handles personal information relating to a California resident. That is, the business need not have a business-customer relationship with the individual for the CCPA to apply.
To Whom Does the CCPA Apply?
The scope of the CCPA is broad in terms of who it applies to. The following entities must comply with the CCPA:
◈ Entities that collect consumer personal information
◈ Entities that determine the purposes and means of processing that personal information
◈ Entities that do business in California, and that meet one of the following thresholds:
◆ Have an annual gross revenue that exceeds $25 million;
◆ Annually buy, receive for commercial purposes, sell, or share for commercial purposes personal information relating to 50,000 or more consumers, households, or devices; or
◆ Derive more than 50% of their annual revenue from selling consumers’ personal information.
What is “Personal Information” Under the CCPA?
Under the CCPA, personal information includes any information that:
◈ Relates to;
◈ Is capable of being associated with; or
◈ Could reasonably be linked to, directly or indirectly,
A particular consumer or household.
Under the CCPA, What Does Personal Information Include?
Under the CCPA, personal information includes eleven specific categories relating to consumers. These categories include:
◈ Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
◈ Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information
◈ Characteristics of protected classifications under California or federal law
◆ National origin
◆ Gender (including pregnancy)
◆ Citizenship status
◈ Commercial information, including:
◆ Records of personal property;
◆ Records of products or services purchased, obtained, or considered; and
◆ Other purchasing or consuming histories or tendencies.
◈ Biometric information
◈ Internet or other electronic network activity information, including, but not limited to:
◆ Browsing history;
◆ Search history; and
◆ Information regarding a consumer’s interaction with an Internet website, application, or advertisement.
◈ Geolocation data
◈ Audio, electronic, visual, thermal, olfactory, or similar information
◈ Professional or employment-related information
◈ Education information (i.e., information that is not publicly available as defined in the federal Family Educational Rights and Privacy Act (FERPA))
◈ Inferences drawn from any of the above to create a profile about a consumer reflecting the consumer’s:
◆ Psychological trends;
◆ Abilities; and
What Consumer Rights are Granted by the California Consumer Privacy Act?
The California Consumer Privacy Act provides consumers with the following rights:
◈ The right to request deletion of personal information
◈ The right to access personal information
◈ The right to opt out of the sale of personal information
◈ The right to be free from discrimination
The CCPA imposes obligations on businesses to enable consumers to exercise these rights.
What is the Right to Request Deletion of Personal Information?
Generally, under the California Consumer Privacy Act, businesses must delete – and direct their service providers to delete – any personal information collected about a consumer, if the consumer requests deletion. The California Consumer Privacy Act contains limited exceptions under which businesses are not required to grant such a request.
What is the Right to Access Personal Information?
Upon a consumer’s request, a business must disclose details about personal information pertaining to a consumer collected by the business. The business, upon request, must also disclose details about personal information the business may have sold or disclosed. In response to a consumer request, a business must disclose the following:
◈ The category or categories of personal information about the consumer that the business sold to a third party
◈ The business or commercial purpose for which personal information was collected or sold
◈ The types of third parties to whom the business sold or disclosed the personal information
◈ The categories of sources from which the personal information was collected
◈ The categories of personal information about the consumer that the business collected
◈ The specific items of personal information that the business collected about the consumer
What is the Right to Opt Out of the Sale of Personal Information?
The California Consumer Privacy Act creates a right of consumers to opt out of the sale of their personal information. The “opt out” provision contained in the California Consumer Privacy Act is also contained in a number of other states’ laws that protect personal information, reflecting a growing trend to prevent sale of personal information without meaningful consumer consent.
Generally, under the California Consumer Privacy Act, a business must honor a consumer request to opt out of the sale of his or her personal information.
The Act ensures that consumers are aware of this right to opt out, by requiring businesses to include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on the business’ website’s homepage.
What is the Right to be Free of Discrimination?
The California Consumer Privacy Act also imposes requirements on businesses to ensure that consumers are not discriminated against in the exercise of the Act’s data privacy rights. Under the California Consumer Privacy Act, a business may not:
◈ Charge different prices or rates to consumers;
◈ Provide different services; or
◈ Deny goods or services,
To consumers who exercise their rights under the CCPA. Essentially, the Act prevents retaliation against consumers who exercise their legally protected rights.
The Interaction of HIPAA and CCPA
HIPAA and CCPA interact clearly: The CCPA, by its terms, does not apply to HIPAA covered entities and business associates.
How Do HIPAA and CCPA Interact?
HIPAA and CCPA directly interact. The CCPA “carves out,” or excludes, “HIPAA covered entities” and “business associates” from its requirements; the CCPA does not apply to protected health information (PHI), as that term is defined under HIPAA.
How Else Do HIPAA and CCPA Interact?
Despite the existence of these carve-outs, personal information (as that term is defined under the CCPA) created, received, maintained, stored, or transmitted by entities subject to HIPAA, is likely to also be subject to the CCPA, under a number of circumstances. These are discussed below.
Collection of Personal Information from Non-patients and Non-plan Members
Covered entities, as that term is defined by HIPAA, perform activities that involve the collection of personal information, as the term “personal information” is defined under the CCPA. Such personal information is often collected from individuals who are neither patients nor enrollees in a health plan.
For example, covered entities, in the course of their business, may collect geolocation from employee smartphones. This personal information does not constitute PHI, but falls under the definition of CCPA “personal information,” and as such, is protected under the CCPA. Therefore, covered entities ARE subject to the requirements of the CCPA, if the information the covered entities collect is personal information.
PHI That Has Been De-Identified Under HIPAA
Under the HIPAA Privacy Rule, once PHI has been properly de-identified, it is no longer considered PHI. Therefore, the de-identified information is no longer subject to the HIPAA Privacy Rule. Since the CCPA “carves out” PHI from its terms, once the information is no longer PHI, it is no longer subject to the carve-out. Therefore, de-identified PHI under HIPAA may nonetheless still constitute personal information under the CCPA. Covered entities must observe CCPA requirements with respect to personal information.
◈ Information that is not PHI, but is derived from PHI
◈ The CCPA definition of personal information is extremely broad. One of the eleven types of information that constitutes “personal information” under the CCPA, is “inferences” – specifically, inferences “drawn from… [information] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.”
The CCPA (not particularly helpfully) defines the term inference as “the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information of data.”
With the CCPA now in effect as of January 1, 2020, court challenges to the law may result in clarity with respect to the phrases “derive” and “inference.” Until then, common sense can be used to determine what type of inference constitutes “personal information.” For example, if inferences are drawn from protected health information, and that information is then used to create new data that in turn is used for marketing activities, the new data is likely “derived” from PHI, or drawn from PHI. As such, the information is personal information, subject to the CCPA.