On June 28, 2018, Gov. Jerry Brown, D-Calif., signed the California Consumer Privacy Act of 2018 into law, which establishes new privacy rights for California residents and new obligations for businesses operating in California, effective Jan. 1, 2020. The CCPA was amended via SB 1121 in September 2018, and a number of additional technical and substantive amendments have been proposed, while implementing regulations have yet to be passed. It's hard to keep track of the changes, but here are the latest CCPA provisions and exemptions relevant to health care providers, drug and device manufacturers, biotech companies and their respective service providers, as well as digital health and other companies engaged in health care delivery.
CCPA scope
The CCPA applies to for-profit companies that do business in California and meet one or more of the following criteria: have more than $25 million in annual gross revenue; buy, receive, sell or share the personal information of 50,000 or more consumers or devices; or derive 50% or more of their annual revenue from selling consumers’ personal information.
As drafted, the CCPA applies to all California “consumers,” a term defined to include any “natural person who is a California resident ... however identified, including by unique identifier.” In other words, the law broadly applies to California residents and not consumers in the traditional sense. This wide-reaching CCPA application extends even further when paired with the law’s expansive standard for “personal information,” which includes information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA enumerates several examples of personal information identifiers that could be linked to an individual, including certain inferences that can be drawn from such data. Taken together, elements of this definition create a more expansive and ambiguous standard than existing laws, like the EU General Data Protection Regulation and Health Insurance Portability and Accountability Act of 1996. Although the California Legislature has proposed multiple amendments seeking to clarify and narrow the foregoing definitions, no such amendments have been passed.
Significant exemptions for health care data
Exempt from the CCPA is personal information already regulated by certain federal and state laws. The CCPA does not, for example, apply to protected health information collected by a “covered entity” or “business associate” governed by the privacy, security and breach notification rules issued pursuant to HIPAA or medical information collected by a health care provider governed by California’s Confidentiality of Medical Information Act, Part 2.6 of Division 1 of the Civil Code.
The CCPA also exempts CMIA-covered health care providers and HIPAA-covered entities to the extent such providers or covered entities “maintain patient information in the same manner as medical information or protected health information.” Other types of personal information held by these entities, however, would remain subject to the CCPA. Because “patient information” is not defined in the CCPA, it remains unclear whether and to what extent the foregoing CCPA language would exempt other non-PHI held by these types of entities.
Health care and life sciences entities often involve complex organizational structures, which may further complicate the foregoing CCPA exemptions. For example, although a legal entity that meets the CCPA “business” definition and only offers products/services not regulated by HIPAA would be subject to the CCPA, a company engaging in more diversified operations will face more complex challenges in assessing CCPA applicability. This may arise in situations when an entity not subject to HIPAA acquires a HIPAA “business associate” or when a diversified company “hybridizes” and limits HIPAA’s applicability to only certain covered “health care components” of the business, leaving other portions of the business open to CCPA applicability. It is therefore crucial for companies to closely evaluate each affiliated organization, product and business process to determine CCPA applicability.
Clinical research
Although the CCPA exempts certain clinical trial data, the underlying exemption language represents one of the law’s noted ambiguities. Specifically, the CCPA exempts “information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the U.S. Food and Drug Administration."
As drafted, it is unclear whether the foregoing language exempts clinical trials only if conducted pursuant to the federal Common Rule (plus either of the two additional standards), which would not exempt certain privately funded research. Instead, commenters have requested that the language be construed more broadly to clearly exempt clinical trial data if the research is conducted pursuant to any of the following: the federal Common Rule, the ICH Good Clinical Practice standards, or Food and Drug Administration human subject protection standards. Presently, without implementing regulations, it is unclear which of the foregoing interpretations will prevail.
Accordingly, significant questions remain regarding the extent to which clinical research—including secondary research, which is not addressed by the CCPA—will be impacted by the law. Although industry representatives might assume that information collected pursuant to a HIPAA authorization or in connection with an IRB-approved research study will be exempt from the CCPA, nothing in the law actually confirms these assumptions. Similarly, it is unclear how the CCPA will impact certain research data collected outside of the clinical trial context.
Not-for-profit organizations
The CCPA only applies to “businesses,” which are defined by the CCPA to include legal entities, like corporations, limited liability companies, and partnerships, that are “organized or operated for the profit or financial benefit of [their] shareholders or other owners.” Those health care entities (like many hospitals) that operate as not-for-profit organizations are therefore exempt from the CCPA.
Next steps
Even while proposed CCPA amendments and implementing regulations are pending, health care and life sciences companies can and should begin preparing for CCPA compliance. These companies can proactively take the following compliance steps now:
- Data mapping/preparation of data inventory to identify: in-scope and out-of-scope data (e.g., PHI exempt from the CCPA); applicable data processing activities; potential “sales” of personal information; and third parties that receive “personal information.” Performing such data mapping early is vital. At a minimum, companies must have this information organized and readily available to respond to individual data requests. In fact, many health care and life sciences industry companies are using the CCPA as an opportunity to execute a broader information governance strategy.
- Gap assessment against current policies and procedures (including those created for GDPR, as applicable), prioritization of compliance action items, and preliminary development of new policies and procedures.
- Categorize third-party relationships, review contract language with service providers, and develop new template language.
Looking forward
As the CCPA’s Jan. 1, 2020, effective date approaches, material implementation questions remain. However, companies should not mistake the existence of uncertainty and pending clarification for compliance leeway. Instead, the present CCPA ambiguities, immense compliance challenges, and significant penalties each underscore the importance of proactively assessing compliance considerations immediately.