Disclaimer: This post should not be used to determine your CCPA obligations and does not offer legal advice. It is designed to inform, raise some questions and lead you to investigate further by consulting with attorneys with relevant experience in data privacy laws and enforcement.
Often considered GDPR-lite, the California Consumer Privacy Act (CCPA) has been in effect since January 2020 (with active enforcement beginning six months later) and contains some exemptions, one of which relates to HIPAA data, otherwise known as Personal Health Information (PHI). Many HIPAA-compliant entities and business associates rejoiced at this find, confident that the CCPA did not apply to them… Unfortunately, this is not the whole story.
Let’s look at it in greater detail. The CCPA is primarily focused on consumer rights and provides a means of enforcing how organizations use consumer data. Like the GDPR, it covers all data, including website cookies and so-called anonymous data collected via marketing, surveys and apps. The law includes penalties for each violation and, perhaps most importantly, allows individuals to sue businesses directly, a facility that HIPAA doesn’t permit. This single factor is one of the reasons HIPAA violations regularly occur; although HITECH helps by raising penalties per violation, it currently does not allow victims to benefit from fines unless state attorneys sue on behalf of their residents.
The first thing you need to determine is whether the CCPA applies to your business activities.
Is the CCPA Relevant To Your Business?
If you ‘collect’ information on California residents for your for-profit business, the CCPA applies to you. ‘Collect’ seems straightforward, right? Unfortunately, collecting in this context is not necessarily a deliberate action but refers to any method or technology that gathers identifiable information. If you receive, buy, rent or access any information on California residents, then the CCPA applies to you. It’s likely we are all subject to the CCPA, given that even website cookies and data gathered via website contact forms are all considered if they involve California residents. I’m not sure if blocking California IP address ranges will eliminate these concerns, given the increase in VPN usage these days – ask your attorneys.
If you are confident that you can ignore the CCPA at this point, there’s more to consider. If you answer “Yes” to any one of the following, you are subject to the CCPA.
- Your gross revenue is more than $25 million
- At least half of your revenue comes from selling consumers’ personal data
- You collect (see above) the information of more than 50,000 California residents, households or devices each year
- If you are a non-profit, you are controlled by, or you control, a for-profit business that satisfies any of the earlier questions
Chances are you’ve now discovered you need to be CCPA-compliant, but if not, there’s even more.
Do you do business in the state of California? You may not, but one of your partners might… In this manner, much like under a HIPAA Business Associate Agreement, you are also indirectly tied to the CCPA. Therefore, to ignore the CCPA, you must also confirm that your business partners have no business activities with California residents.
The HIPAA Exemption
The HIPAA exemption in the CCPA only applies to PHI or ePHI (electronic personal health information); everything else is subject to the CCPA’s interpretation. Legal ‘experts’ may claim that a federal law (HIPAA) takes precedence over a state law (the CCPA in this case), but that is only true if the state law offers less protection to the patient. Therefore, anything identifiable linked to a California resident, household, device or business that is not PHI becomes personal information (PI), and the CCPA applies. This includes geolocation data, browsing history, and anything else collected that could be used to identify a user, device or business but is unrelated to health, treatment or payment for treatment.
Finally, it’s now clear that the HIPAA exemption under the CCPA is very specific and does not eliminate CCPA compliance concerns. Pending a federal privacy law, compliance with multiple regulations has become the norm, with the GDPR having global impact. It does raise one important question: is it beneficial to gather volumes of data that are unrelated to process efficiency? I don’t think so, and am quite happy to see data harvesters jump through hoops to achieve compliance. If they limited their data to business activities only, the compliance task would be simplified. When many privacy laws include provisions for data tracking, protection, disclosure and deletion on request, it forces companies to embrace a comprehensive cybersecurity and data management plan that, quite frankly, many companies choose to ignore. I think our data deserves such protection. If you do not, please include your email and home address in the comments.