California Consumer Privacy Act Considerations for Companies

June 25, 2020

Volume X, Number 177


On the Verge of CCPA Enforcement: What Should Companies Do to Comply?

On January 1, 2020, the California Consumer Privacy Act (“CCPA”) largely came into effect, albeit with several last-minute modifications and a need to promulgate regulations. As our colleagues have discussed previously here, CCPA joins other California laws safeguarding California residents’ privacy rights under the California Constitution. Despite uncertainty around the final regulatory parameters of the law, CCPA grants the California Attorney General (AG) the authority to begin enforcement on July 1, 2020. Further, there have been no indications that such enforcement will be delayed.

Re-issued Proposed CCPA Regulations 

After the California legislature passed several amendments to the CCPA in October 2019, the California AG has been working on proposed regulations. The proposed regulations, initially introduced on October 12, 2019, went through three rounds of comment periods and were recently amended and reissued as the “Final Text of Regulations” on June 1, 2020. These proposed regulations add new aspects and regulatory hurdles to CCPA implementation, most notably: (i) increasing requirements for initial notices; and (ii) adding new requirements on the contents of businesses’ privacy policies. These reissued proposed regulations were submitted to the California Office of Administrative Law (OAL) for review. The OAL has thirty working days, plus an additional sixty calendar days under the California Governor’s Executive Order N-40-20 related to the COVID-19 pandemic, to review the regulations for procedural compliance with state law.

CCPA Proposed Regulatory Framework

The CCPA applies to any for-profit business that: (i) collects personal information on California residents; (ii) does business in the state of California; and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information.  Businesses that hit the thresholds will be covered even if they are located outside the state of California.

Notably, companies subject to CCPA must, “at or before the point of collection” of personal information, provide notice to consumers informing them of the categories of personal information the company collects and the purposes for which the company uses the information. In addition, CCPA requires businesses to post a clear and conspicuous link on their website that says “Do Not Sell My Personal Information” and then to enable consumers to opt out of the sale of their data to third parties. CCPA also establishes a wide range of rights for consumers (as specified below). Companies should be aware of the potential added cost of business in responding to these rights and ensure that they do not discriminate against any individual who exercises their rights under CCPA.

CCPA also establishes robust consumer rights for Californians including:

  • to know what personal information is being collected about them;

  • to know whether their personal information is sold or disclosed and to whom;

  • to opt-out of the sale of their personal information;

  • to access their personal information and receive a copy;

  • to be free from discrimination for exercising their privacy rights;

  • to the deletion of their personal information, subject to certain exceptions; and

  • to bring a private right of action if certain personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable cybersecurity procedures and practices.

Companies that fail to follow CCPA could face significant monetary penalties. First, noncompliance could result in civil penalties ranging from $2,500 for non-intentional violations up to $7,500 for intentional violations. Second, violators could face liability under private rights of action ranging from $100 to $750 per consumer, per violation. If actual damages to consumers are in excess of $750 per consumer, per violation, the AG also has the discretion to increase the amount of damages. In class action scenarios, penalties have the potential to exponentially increase costs to businesses, especially when compared to previous breaches or privacy violations.

CCPA Impact on Healthcare and Life Sciences Companies

Despite the CCPA’s broad scope and reach, the law does include several notable exemptions that are germane to healthcare and life sciences companies. In particular, CCPA does not govern the collection, use, disclosure or protection of (i) medical information governed by the California Confidentiality of Medical Information Act (CMIA); (ii) protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); or (iii) information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the U.S. Food and Drug Administration.

Nevertheless, it is important to keep in mind that these exemptions do not cover all personal information collected by healthcare and life sciences businesses.  For example, marketing or employment data collected by businesses that operate in these areas may be subject to CCPA.  Additionally, operational considerations regarding how a company collects and maintains its data may warrant voluntary application of the CCPA requirements for efficiency and consistency reasons.

How to Prepare for CCPA Enforcement

As a result of CCPA and other data protection laws, privacy and data security compliance programs should be agile to address these new or expanded demands quickly.  With CCPA’s July 1, 2020 enforcement deadline, steps that can be immediately taken may include, but are not limited to, the following:

  • updating notices and privacy policies;

  • reviewing data flows including data mapping and classification;

  • segregating data and IT systems between regulated and non-regulated data repositories;

  • implementing cookie banners and web beacons in accordance with CCPA-compliant privacy policies;

  • implementing individual request processes (including opt-out and deletion); and

  • implementing training to meet CCPA’s new requirements.

CCPA Compliance in the Age of COVID-19

As a result of the COVID-19 pandemic, many businesses may collect, store and process additional information about Californians in order to help mitigate the spread of the disease.  As such, CCPA may impose additional regulatory burdens on businesses relative to such information.  If your business is collecting additional COVID-19 related personal information beyond what it typically would, there are several considerations to keep in mind. First, consider where any such information is stored.  Second, evaluate how that information is being protected.  Third, identify if that information is being shared, and with whom.  Fourth, determine all the legitimate purposes (primary and secondary) for collection of the information.  Subsequently, businesses should update privacy policies and notices, and provide such documents to employees and consumers prior to beginning any new or expanded collection of personal information.

To help navigate CCPA’s impending enforcement date of July 1, 2020, especially in the context of the current health crisis, it is recommended you consult legal counsel.

©2020 Epstein Becker & Green, P.C. All rights reserved. National Law Review, Volume X, Number 174


About this Author


Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...


MATTHEW H. BERGER* is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. A Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals, Mr. Berger has extensive experience in international data transfer standards and protocols, supply chain data vulnerabilities, and data breach management due to his work as a privacy professional supporting the U.S. Department of Energy’s Privacy Program and other federal agencies’ privacy programs and as a data privacy and security attorney.

Mr. Berger’s experience includes:

  • Counseling health care companies, private equity firms, hedge funds, and other private-sector and public-sector entities on matters involving cybersecurity, data privacy, data center consolidation, privacy compliance, high-capacity computing, and breach responses/wargames

  • Working with corporate or department leadership to build cross-vertical collaboration in cybersecurity matters

  • Providing advice to government contractors and to businesses with international clientele or Internet-based advertising or services on issues pertaining to U.S. federal privacy and transnational border data transfer protocols, the Health Insurance Portability and Privacy Act (HIPAA), and the new Office for Civil Rights’ “Audit Protocol”

  • Advising clients on compliance with HIPAA Privacy and Security Rules, and other relevant privacy laws, rules, and regulations regarding protected health information, during mergers, acquisitions, and divestitures

  • Drafting and reviewing vendor and data processor agreements for compliance with international data transfer standards, including General Data Protection Regulation (GDPR) model clauses, binding corporate rules (BCRs), and APEC Cross-Border Privacy Rules (CBPRs)

  • Counseling clients on emerging European Union data privacy issues, including “the right to be forgotten” and GDPR

Before joining Epstein Becker Green, Mr. Berger worked at several technology companies, where he was assigned to serve as the Team Lead and Highest-Level Privacy Advisor to the U.S. Department of Energy’s Chief Privacy Officer, as the Lead Data Privacy Incident Associate to the Federal Deposit Insurance Corporation’s Chief Information Officer Office, and as a Privacy Advisor to the National Nuclear Security Administration. Earlier in his career, he was a data privacy and security attorney at a national law firm.

*Admitted in Virginia; not admitted in the District of Columbia.