May 30, 2019 – As “the outrage around privacy incidents continues to get a little bit louder every year,” many states have already made significant moves to regulate data privacy and fill the gaps left by a lack of federal legislation, Alison Pepper, senior vice president for Government Relations at the 4A’s, told the Rising Leaders Conference on Healthcare Policy, sponsored by the Coalition for Healthcare Communication, on May 22.
The 2018 California Consumer Privacy Act (CCPA) is “the first comprehensive privacy act passed by the states,” Pepper said, but because it was passed hurriedly and is vague on key elements, amendments already are being proposed ahead of the Jan. 1, 2020, effective date.
Although the CCPA was influenced by the European Union’s General Data Protection Regulation (GDPR), “you have some very fundamental differences,” Pepper explained: GDPR is consent-based legislation, whereas the CCPA is opt-out legislation. The CCPA also includes ambiguous language that makes it unclear exactly what is required to comply with the law.
This spring – after the law was enacted – the California Attorney General’s Office held a series of public hearings across the state to hear from private citizens and industry, as well as other interested stakeholders, to talk about the ways in which the CCPA was problematic; a report summarizing the findings from these hearings, as well as interpretive guidance, is supposed to be issued by that office, but this has not happened yet, Pepper stated.
Legislative amendments to the CCPA are being introduced in both the State Assembly and the Senate. Some of these amendments are technical clarifications, while others propose big changes, such as broadening consumer rights, according to Pepper.
As it stands now, the CCPA carves out a number of exemptions, she explained:
- CCPA does not apply to medical information already covered by California’s Confidentiality of Medical Information Act (CMIA), Protected Health Information (PHI) already covered by the Health Insurance Portability & Accountability Act (HIPAA), and information covered as part of a clinical trial that is already subject to the Common Rule, Good Clinical Practice (GCP) guidelines, or FDA requirements.
- CCPA also does not apply to aggregate consumer information or de-identified information.
- There is also a research exemption for personal information used for public or peer-reviewed research in the public interest (which also states that the personal information is not to be used for any commercial purpose).
Non-exempt data (i.e., data that are covered by CCPA) include: marketing data, customer service call information, social media and app data, data licensed by a third party, etc.
According to Pepper, the 4A’s believes that some of the problems with the CCPA are that it: (1) is unclear as to explicit downstream uses; (2) appears to limit almost all uses of publicly available data; (3) suggests that customized privacy policies might be required; and (4) suggests that verifying and responding to consumer requests for data could counterintuitively require companies to collect more data in order to verify a request.
The 4A’s has partnered with Venable LLP to provide CCPA compliance guidance written specifically for its member agencies (the CCPA compliance guidance is available on the 4A’s website). According to Pepper, this guidance addresses key questions for agencies, such as:
- Is my agency covered by CCPA?
- What kind of contractual changes with partners do I need to consider?
- My agency already went through a GDPR compliance review – how different is CCPA?
- If I’m already in compliance with the Children’s Online Privacy Protection Act (COPPA), is there anything to worry about under CCPA when it comes to minors?
To view Pepper’s Rising Leaders Conference slides, go to the Resources tab above.