Material scope of CCPA

Golden Data Law (Golden Data), Dec 22, 2018, 17 min read

[Image: page 277 of the California Weekly (1908), IAI]

Key points:

(1) CCPA does not specifically address its material scope. It states that it is an implementation of the California Constitutional right to privacy and, on its terms, it applies to the “processing” of “personal information”. The scope of CCPA is not limited to computerized data.

(2) CCPA does not apply to activities governed by other laws (including HIPAA, FCRA, GLBA, CalFIPA and the Driver’s Privacy Protection Act).

(3) The obligations imposed by CCPA on ‘businesses’ do not apply to the extent that they could restrain the business’s ability to comply with federal, state, or local laws; comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law; or exercise or defend legal claims.

(4) Challenges to CCPA based on federal pre-emption are likely.

As a general rule, all processing of personal data is within the material scope of the California Consumer Privacy Act (CCPA). Only certain entities, however, are required to abide by it (those who qualify as a ‘business’ and their ‘service providers’).

Some of those entities’ activities are excluded: activities that fall within the scope of other federal or State data laws, activities related to compliance with other laws or to cooperation with law enforcement, and activities performed in furtherance of the legitimate interests of the ‘business’.

CCPA does not specifically define its material scope. Section 2 of CCPA (Legislative findings) states that:

(a) In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.

[…]

(d) As the role of technology and data in the everyday lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.

[…]

(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency to their business practices.

(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:

(1) The right of Californians to know what personal information is being collected about them.

(2) The right to know whether their personal information is sold or disclosed and to whom.

(3) The right to say no to the sale of personal information.

(4) The right to access their personal information.

(5) The right to equal service and price, even if they exercise their privacy rights.

These legislative findings clarify that CCPA is not a data protection law but a privacy law. It implements the California Constitutional right to privacy and provides ‘consumers an effective way to control their personal information’ by implementing certain rights.

Material scope of CCPA: Building blocks

Therefore the material scope of CCPA is not limited to computerized data (as it is not a data protection law). There are two building blocks to the material scope of CCPA:

  1. ‘Processing’ of
  2. ‘personal information’

What constitutes ‘processing’ under CCPA?

The CCPA defines ‘processing’ as “any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.” Cal. Civ. Code § 1798.140(q).

The reference in the above definition to “any operation or set of operations” reflects a legislative intent to broadly construe processing. “Processing” could be interpreted to mean obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information.

CCPA applies not only to information processed by automated means but also to information that is not computerized, whether such information is part of a filing system or not.

What is ‘personal information’ under CCPA?

The CCPA’s definition of ‘personal information’ is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” § 1798.140 (o).

This definition contains four closely related building blocks, each of which should be separately analyzed for the sake of clarity. Those blocks are: (1) information (2) that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked (3) directly or indirectly with (4) a particular consumer or household.

Data lawfully made available by federal, state, or local governments is not considered personal information to the extent that it is used only for the purpose for which it was maintained and made available. See § 1798.140(o)(2).

De-identified and aggregated data are excluded from the scope of CCPA. See §1798.145(a)(5).

You can read an article on what is personal information under CCPA including examples here.

Exclusions to the material scope of CCPA

Key points:

Information subject to HIPAA, FCRA, GLBA/CalFIPA and the DPPA is outside of the scope of CCPA, but it is unclear how these exemptions will apply in practice.

The ability of ‘businesses’ to comply with certain laws, respond to requests for information, cooperate with law enforcement or exercise legal claims is not restrained by CCPA.

Exclusions based on existing privacy laws

CCPA excludes information that is governed by certain federal and State privacy laws from its material scope (HIPAA, FCRA, GLBA and CalFIPA, and the Driver’s Privacy Protection Act).

In addition, CCPA specifically states that the Act does not impose obligations on ‘businesses’ that could restrain their ability to comply with certain laws, respond to requests for information, cooperate with law enforcement or exercise legal claims.

Under Cal. Civ. Code § 1798.145(c):

(1) This title shall not apply to any of the following:

(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111–5).

(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.

(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106–102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

(1) HIPAA Exclusion

The initial purpose of HIPAA was efficiency in healthcare delivery, and for that purpose it required entities receiving federal health payments to shift reimbursement requests to electronic formats. Congress recognized that such a shift posed privacy and security risks and therefore required the Department of Health and Human Services (HHS) to promulgate regulations to protect those interests. The Health Information Technology for Economic and Clinical Health Act (HITECH) strengthened HIPAA and added breach obligations, provided some protections for patients who directly pay their providers, and created incentives for providers to use electronic records. HIPAA applies to healthcare providers that conduct certain transactions in electronic form, to health plans and to healthcare clearinghouses (these three categories are the “covered entities”), but not to other healthcare providers and services. See 45 C.F.R. §106.103. HIPAA does not preempt State level regulation.

Federal health data laws such as HIPAA allow States to regulate the sector if State regulations impose more restrictive conditions than those mandated at the federal level (that is to say, health data federal laws act as a floor instead of a ceiling). The CCPA, however, excludes information governed by HIPAA and other federal laws regulating health information entirely. See § 1798.145(c)(1)(A)-(c)(2).

It is unclear how this exemption will affect organizations that operate in the healthcare space yet are not directly subject to HIPAA. For a discussion on this see here.

Excluding health data from CCPA is a wise choice since health data is already heavily regulated in the US. In addition to HIPAA and the Genetic Information Nondiscrimination Act of 2008 (GINA), the following federal laws restrict the use of health data:

  • Test results: The Clinical Laboratories Improvement Act (CLIA) requires laboratories to protect test results. See 42 U.S.C. §§ 263a; 493.1291.
  • Substance use disorder information: Substance use disorder information is protected as confidential under the Drug Abuse Prevention, Treatment, and Rehabilitation Act. See 42 U.S.C. § 290dd-2.
  • Patient safety data: The Patient Safety & Quality Improvement Act of 2005 (PSQIA) protects patient safety information. See 42 U.S.C. § 299b-21–26.
  • Medical data in job applications: Job applicants are protected against intrusive examination requirements and interview questions regarding disabilities, and employers must keep information about applicants’ disabilities confidential under the Americans with Disabilities Act of 1990. See 42 U.S.C. § 12101.

The State of California established the Office of Health and Information Integrity (CalOHII) to oversee secure health information movement in California. See Cal. Health & Safety Code §§ 130200–205. In addition, the State of California enacted the following requirements on health data:

  • Access and correction rights: Californians have an individual right to access, amend, and make copies of their health records maintained by health providers. Cal. Health & Safety Code § 123110.
  • HIV testing: Patients subject to blood testing for HIV have confidentiality rights. Cal. Health & Safety Code § 120975–1023.
  • Genetic test information: Insurance underwriting on the basis of genetic testing as well as requests for and disclosures of genetic test information is regulated. See Cal. Ins. Code § 10146–149.1.
  • Involuntary psychiatric evaluation or treatment: Records pertaining to individuals who are involuntarily detained for psychiatric evaluation or treatment are protected. Cal. Welf. & Inst. Code § 5328–328.9.
  • Data Security in health facilities: Certain health facilities are required to implement administrative, technical, and physical safeguards to protect medical information, and reporting procedures for data breaches at health facilities are prescribed. Cal. Health & Safety Code § 1280.15, 18.
  • Vital records: California law regulates State and local registrars with respect to the issuance of birth and death certificates and other vital records. See Cal. Health & Safety Code § 103525–595.
  • Medical records collected in connection with insurance applications and claims: The Insurance Information and Privacy Protection Act (IPPA) governs medical records collected in connection with insurance applications and used to resolve insurance claims. See Cal. Ins. Code § 791.1-.29.
  • Collection of medical records for direct marketing purposes: Entities must provide detailed notice and obtain informed consent from individuals before collecting medical information for direct marketing purposes. Cal. Civ. Code § 1798.91.
  • “Shine the Light”: Certain types of medical and health insurance information are subject to the “Shine the Light” law. See Cal. Civ. Code § 1798.83.
  • Medical records held by state agencies: Records, including those containing medical information, held by a California state agency are subject to California’s Information Privacy Act (IPA). Cal. Civ. Code § 1798.1-.98.

(2) FCRA exclusion

Enacted in 1970, the Fair Credit Reporting Act (FCRA) is the main statute regulating decision making based on personal data in the US. The act regulates the creation and management of “consumer reports” and their use in decision making. FCRA mandates accurate and relevant data collection, provides consumers the right to access and correct their personal data, and limits the use of “consumer reports” to defined permissible purposes. The Fair and Accurate Credit Transactions Act (FACTA) of 2003 amended the FCRA to, among other things, strengthen consumers’ access and correction rights and include provisions for non-consumer-initiated transactions (“prescreening”). See 16 C.F.R. § 682.

FCRA Section 1681t(b) explicitly prohibits states like California from imposing requirements or prohibitions with respect to (i) pre-screening consumer reports; (ii) the responsibilities of furnishers of information to consumer reporting agencies; (iii) the duties of those who take adverse action against a consumer; (iv) affiliate sharing for marketing purposes; (v) the exchange of information among affiliates; (vi) the frequency with which consumers may obtain a free copy of their credit report; and (vii) certain other of its provisions. See 16 C.F.R. § 1681t(b).

By its terms, therefore, the FCRA requires the CCPA to exclude information governed by the FCRA from its material scope. The CCPA explicitly excludes such information. Cal. Civ. Code § 1798.145(d) (“This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).”)

The California Consumer Credit Reporting Agencies Act (CCRAA) is the California counterpart to FCRA and became effective in 1975. See Cal. Civ. Code § 1785.1-.36. CCRAA regulates consumer reporting agencies doing business in California. Generally, CCRAA is preempted where there is an identical provision in FCRA, but if a provision of CCRAA is not inconsistent with FCRA it is not preempted unless it falls within FCRA’s explicit prohibitions. 15 U.S.C. § 1681t(a) (FCRA does not “annul, alter, affect, or exempt any person” from complying with the laws of any state with respect to the collection, distribution, or use of any information on consumers, or with respect to the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with the act).

Many CCRAA provisions have been found to be preempted, but some are either explicitly exempt from FCRA preemption or fall within a number of “grandfather” exceptions to the provisions in 15 U.S.C. Section 1681t(b). For a great overview of 40 years’ worth of experience with the FCRA go here.

(3) GLBA and CalFIPA exclusions

The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 to deregulate the financial sector and lift existing restrictions on affiliations for commercial banks. It also includes rules on sharing personal financial information. It applies to financial institutions, defined to include entities that lend, exchange, transfer, invest, or safeguard money or securities; provide insurance; provide financial investment or economic advice; underwrite or deal in securities; or engage in related financial activities, including retailers that issue their own credit cards, real estate appraisers, and automobile dealers that lease or finance vehicle purchases. See 15 U.S.C. § 6809(3); 12 U.S.C. § 1843(k). Entities not significantly engaged in financial activities, such as grocery stores that offer cash back services to regular customers, are exempted. See 16 C.F.R. § 313.3(k)(1).

GLBA protects “nonpublic personal information”, defined as any “personally identifiable financial information — (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution”. 15 U.S.C. § 6809. Both customers and consumers are protected under GLBA, but the extent of their rights differs, with customers having more extensive rights than consumers.

Under GLBA financial institutions must comply with privacy and security rules and are generally required to:

  • Provide customers notice of their sharing practices addressing specific details. 15 U.S.C. § 6803.
  • Allow customers to opt out from having their nonpublic personal information shared with nonaffiliated third parties, subject to exceptions. 15 U.S.C. § 6802(e). GLBA does not restrict affiliate sharing; however, both the FCRA and CalFIPA, infra, impose restrictions on affiliate sharing.
  • Not disclose a customer’s account number or similar form of access code to a credit card, deposit, or transaction account to any nonaffiliated third-party marketer other than a consumer credit reporting agency. 15 U.S.C. § 6802(d).
  • Comply with security and confidentiality obligations of records, and protect them against security threats and unauthorized access, by implementing a comprehensive information security program appropriate for the sensitivity of the information comprised of “administrative, technical and physical safeguards”. 16 C.F.R. § 314.1–314.5.
  • Develop incident response plans and notify customers of security breaches. 12 C.F.R. Pt. 225, App. F.

GLBA does not provide for a private cause of action. In re Lenz, 448 B.R. 832, 840 (Bankr. D.Or. 2011). The Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC) are the main agencies responsible for enforcing the act. State attorneys general may also enforce GLBA. The California attorney general settled an enforcement action with Citibank alleging violations of GLBA in 2013. The People of the State of California v. Citibank No. RG13693591 (Cal. Super. Aug. 29, 2013).

GLBA generally does not preempt state laws that provide greater protections. California enacted the California Financial Information Privacy Act (CalFIPA) in 2004 to offer California residents protections greater than those offered by GLBA; it applies to the same entities covered by GLBA. Cal. Fin. Code §§ 4050–60. Under CalFIPA, a California resident is an individual whose last known mailing address is located in California. It protects virtually the same information as the GLBA. See Cal. Fin. Code § 4052(a), 4052.5.

The CCPA generally excludes personal information ‘collected, processed, sold, or disclosed’ pursuant to GLBA or CalFIPA from its material scope. Cal. Civ. Code § 1798.145(e) (“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106–102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).”).

Financial institutions, however, are subject to the CCPA provision related to data breach litigation and, to the extent that they process data exempted from GLBA or CalFIPA, they are subject to CCPA (e.g. both GLBA and CalFIPA exclude publicly available information from their scope, but CCPA only excludes data that is lawfully made available by the federal, state, and local government to the extent that it is used only for the purpose for which it was maintained and made available).

(4) Driver’s Privacy Protection Act exclusion

The Driver’s Privacy Protection Act of 1994 (DPPA) is a federal statute governing the privacy and disclosure of personal information gathered by State Departments of Motor Vehicles (DMVs). The statute prohibits the disclosure of personal information (as defined in 18 U.S.C. § 2725) without the express consent of the person to whom such information applies. Certain exceptions apply. 18 U.S.C. § 2721.

CCPA expressly excludes personal information regulated by DPPA; however, the CCPA’s data breach provision is not part of this exclusion. Cal. Civ. Code § 1798.145(f) (“This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.).”)

Other exclusions

The obligations imposed by CCPA on ‘businesses’ do not apply to the extent that they could restrain the business’s ability to:

  1. Comply with federal, state, or local laws. Cal. Civ. Code § 1798.145(a)(1).
  2. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Id. at 145(a)(2).
  3. Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law. Id. at 145(a)(3).
  4. Exercise or defend legal claims. Id. at 145(a)(4).

Cal. Civ. Code § 1798.145

(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

Federal Preemption

In principle under the U.S. Constitution, California and other states can legislate on any topic whereas Congress may only legislate based on enumerated topics which do not specifically include federal jurisdiction over personal data protection legislation. In practice, the U.S. Constitution significantly limits California’s ability to regulate. Given its broad reach, CCPA is at risk of being preempted by federal law.

CalOPPA provides a relatively recent example where the courts found a California privacy statute to be preempted by federal law. The California Attorney General brought an enforcement action against Delta for lack of compliance with CalOPPA (specifically, for not displaying a privacy policy in its mobile app) in 2012. However, federal law — specifically, the Airline Deregulation Act — preempted the application of CalOPPA to commercial airlines. The People of the State of California v. Delta Airlines, Inc., No. CGC-12–526741, WL 6061446 (Cal. Super. 2012).

The main theories under which CCPA could be preempted at the federal level are summarized below.

Supremacy Clause:

The Supremacy Clause provides that the federal constitution takes precedence over state laws. U.S. Const. Art. VI, cl. 2. If CCPA presents an “obstacle to the accomplishment and execution of the full purposes and objectives” of a federal act, it violates the Supremacy Clause. Crosby v. Nat’l Foreign Trade Council, 530 U.S. 363, 372–73 (2000) (citing Hines v. Davidowitz, 312 U.S. 52, 67 (1941)).

Where there is conflict between State and Federal law, Congress may indicate its intent to preempt state law in two ways: through express language (typically in the form of a preemption clause) or through the structure and purpose of the law. Where the scope of a federal statute indicates that Congress intended federal law to occupy the legislative field occupied by CCPA (data privacy), or if there is actual conflict between CCPA and federal law, CCPA will likely be invalidated. See Altria Grp., Inc. v. Good, 555 U.S. 70, 76 (2008).

Commerce Clause:

The Commerce Clause of the US Constitution may also result in the partial invalidation of CCPA. The Commerce Clause grants Congress the authority to regulate interstate commerce, as well as commerce with foreign nations. U.S. Const. Art. I, § 8, cl. 3. It also prohibits the states from improperly discriminating against or unduly burdening out-of-state commerce. See W. Lynn Creamery, Inc. v. Healy, 512 U.S. 186 (1994).

This principle is often referred to as the “dormant” or “negative” commerce clause, and the following rules are derived from it: (i) where a state law provides for differential treatment of in-state and out-of-state economic actors, it will be upheld only if it serves a legitimate local purpose and that purpose cannot be achieved through available nondiscriminatory means; (ii) even if a state law does not discriminate and attempts to effectuate a legitimate local interest, it may be struck down when the burden on interstate commerce outweighs the local benefits; and (iii) when a state law effectively imposes a tax only on out-of-state products, it violates the dormant Commerce Clause. See Maine v. Taylor, 477 U.S. 131, 140 (1986); Pike v. Bruce Church, Inc., 397 U.S. 137 (1970); Healy, 512 U.S. 186, 194–98 (1994).


Golden Data Law is a mission driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.