In 2018, California lawmakers passed the California Consumer Privacy Act (“CCPA”), giving California residents a number of consumer privacy rights, including the right to find out what personally identifying information for-profit companies are collecting about them, to opt out of having such information collected, and to have that information deleted.
The CCPA only applies to for-profit companies doing business in California, that: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more Californians; or (c) derive 50 percent or more of their annual revenues from selling California residents’ personal information.
Although, public entities or nonprofits (not controlled by a covered for-profit company) are not required to comply with the CCPA, when contracting with covered companies, public entities and nonprofits should ensure that the obligations and risks of the CCPA rest squarely with the for-profit company.
Specifically, where a public entity or nonprofit contracts with a for-profit company and that company will be collecting information relating to your public entity or nonprofit, make sure to include contract provisions that require the for-profit company to comply with all applicable privacy laws, including the CCPA.
On September 25, 2020, Governor Newsom signed AB 713, which creates a new healthcare-related exemption from these kinds of requirements in the CCPA, out of concerns that the CCPA was adversely impacting health care research and operations. Under the new exemption, information is not subject to the CCPA if it meets both of the following requirements in Civil Code section 1798.146(4):
(1) the information is deidentified in accordance with the deidentification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as set forth in 45 C.F.R. § 164.514; and
(2) the information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (“CMIA”), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.
This new deidentification exemption is in addition to, and separate from, the CCPA’s current language which also excludes from is scope certain deidentified information, though the definition for deidentification is different in the CCPA than it is in the HIPPA. Thus, AB 712 now provides an alternative basis to argue that patient information that has been deidentified for HIPAA purposes is also exempt from the CCPA.
The new deidentification exemption is subject to conditions. For example, AB 712 prohibits reidentification, except for specific purposes, such as treatment or billing purposes. The bill also requires that contracts for the sale or license of deidentified patient information include specific provisions prohibiting the purchaser or recipient from reidentifying the information and limiting redisclosure of the information to third parties.
AP 713 also highlights that public entities and nonprofits need to keep an eye on developments in privacy laws, as this is a continually changing area of law. For example, AB 713 was passed as urgency legislation (which allowed it to go into effect immediately upon the Governor’s signature) in response to concerns about Proposition 24, an initiative on this November’s ballot. If passed, Proposition 24 will create the California Privacy Rights and Enforcement Act (“CPREA”) to replace the CCPA. Supporters of the proposition say that the CPREA will give consumers even more control over their personal data and make it harder for the Legislature to change privacy laws. Accordingly, AB 713 was preemptively passed in an attempt to preserve exemptions for medical information, just in case Proposition 24 impacts the CCPA’s pre-existing exemptions for deidentified information.
All of this potential change highlights that public agencies and nonprofits need to be on high alert for amendments, changes, and modifications to the CCPA and other California privacy laws, to ensure that they or their vendors are in compliance with this continually evolving area of the law.
(AB 713 amends section 1793.130 of the Civil Code and adds sections 1798.146 and 1798.148 to the Civil Code).
