CCPA is Coming

What you need to know and how to prepare

By: John Chaisson, Data Privacy & Blockchain, HealthVerity

In recent years, data privacy violations have unfortunately become all too common. It seems that almost every day there is a new consumer data breach or privacy violation, ranging from Equifax’s now infamous 2017 data breach to Facebook’s recent efforts to negotiate with the Federal Trade Commission over multi-billion dollar fines related to privacy violations. It’s become clear that businesses must do more to govern consumer data and put systems in place to prevent privacy violations from the get-go.

One way to ensure companies do in fact implement better privacy control is through legislation, with California forging the path for potential federal data privacy laws. In less than one year from now, on January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect. The legislation — one of the most expansive consumer privacy protection acts ever passed in the United States — will have far-reaching implications for how businesses collect and use consumer data. This includes healthcare and pharmaceutical companies, that must navigate the intersection between CCPA, HIPAA, and other patient privacy regulations.

The question is, how can these businesses prepare for CCPA?

Overview

CCPA gives California citizens and residents more information about, and more control over, how their personal data is being used. Under the new law, consumers have the following rights with any company holding their data:

  • Opt-out of communication
  • Know what personal information is being collected
  • Know whether their personal information is sold or disclosed and to whom
  • Say no, or opt-out of the sale of personal information
  • Request that a company delete personal data
  • Request a copy of all personal data
  • Receive equal service and price, even if they exercise their privacy rights

The CCPA also defines, for the first time, monetary fines and penalties for failure to provide personal data control and protection. Lack of compliance with CCPA could cost anywhere from $2,500 to $7,500 per violation, per piece of data. Fines could quickly escalate into millions or even billions of dollars.

Who Will CCPA Apply to?

While the legislation is a California state law, it will apply to almost every company that does business in the Golden State, regardless of where it is headquartered (including companies based outside of the United States.)The team at Mannat put together a helpful graphic to illustrate how businesses will be impacted by CCPA.

For most businesses, it makes financial and logistical sense to adjust data privacy practices as a whole rather than maintain two separate systems — one for California, which makes up 12 percent of the U.S. population — and one for everyone else. Effectively, CCPA could soon become the defacto standard for consumer privacy information in the United States. As 2019 unfolds, it is possible privacy legislation could be introduced at the federal level that may or may not pre-empt CCPA.

While CCPA may be new, this broad-based approach to dealing with data privacy it is not. In May 2018, after European regulators passed new privacy rules for the European Union, known as General Data Protection Regulation (GDPR), many global companies have already taken a similar approach to managing personal consumer data in order to be compliant across the board. The key difference between GDPR and CCPA comes down to how Europe and the United States manage privacy data: GDPR is an “opt-in” regulation meaning consumers must provide consent to allow businesses access their data, while CCPA is an “opt-out” regulation requiring consumers to withdraw consent, if and when they desire, in order to exercise their data privacy rights.

Personal Data Defined

CCPA broadly defines personal data as any information that “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

To be more specific, this can and does include:

  • Names
  • Social Security Numbers
  • Email
  • Mailing address
  • Geolocation
  • IP addresses of all electronic devices (computers, tablets, smartphones, etc.)
  • Shopping and browsing history
  • Consumption behaviors and preferences
  • Psychological profiles and consumer behaviors and attitudes.

Why Healthcare and Pharmaceutical Companies Need to Pay Attention

One exemption to CCPA is protected health information (PHI) including “information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services and governed by HIPAA.”

But this exemption does not necessarily include any of the personal data listed above, which is not considered PHI, and therefore, not protected under HIPAA.

According to the International Association of Privacy Professionals (IAPP), “lawmakers extended the HIPAA/CMIA [Confidentiality of Medical Information Act] exemption to providers of health care governed under CMIA or covered entities governed by the specified federal privacy, security, and breach notification rules established pursuant to HIPAA, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information.”

Ultimately, this means that exemptions in CCPA are intended to prevent double regulation where an entity is already complying with a more rigorous privacy regime. But in practice, it means that companies will be working with many different sets of data that must comply with two different regulations.

For example, a patient’s private medical history (HIPAA data/PHI) is regulated for the purpose of the company offering healthcare services, but for marketing purposes the company needs to address CCPA data governance for personal data that is outside HIPAA such as email, phone contact information and consent (opt-in/opt-out) for marketing communication.

Preparing for CCPA

In an era where increasing access to and demand for consumer data is met with growing concerns over privacy, good corporate digital citizenship can help solidify brand reputation and customer loyalty. When consumers know data preferences are respected and their information is secure, they are more likely to continue to trust a business with that information. This trust is especially important for healthcare and pharmaceutical companies that house very personal and sensitive information, often times in multiple places.

HealthVerity Consent provides a single platform to consolidate, connect, and log consumer data privacy preferences (‘consent’), ensuring compliance with consumer rights granted under CCPA and other U.S. or international data privacy regulations. At HealthVerity, we strive to provide data privacy and consent governance solutions to our clients through novel, highly sophisticated identity resolution, and matching capabilities. Increasing transparency, forging interoperability, and activating deeper insights for our clients will remain the mission, especially as consumer data privacy becomes more regulated.

CCPA is coming. With the right preparation in place, companies can take a proactive approach to compliance and maximize connections with consumers at the same time.