
CCPA Compliance: Where Do I Begin?


Consider This….

Page 4/5 CCPA Compliance: Where Do I Begin? 9/20/19

Rule. In addition, the amendments to CCPA also exempt health information and clinical trial data that falls outside privacy regulations, so long as it is treated by HIPAA covered entities (or providers under CMIA) with the same protections as HIPAA-regulated or clinical-trial-regulated data. However, this exemption for identifiable health information that is outside the scope of HIPAA was not extended to business associates (i.e., contractors or vendors to covered entities). Many companies will find that CCPA's exemption for certain types of health information will not cover large swaths of the data processed in the healthcare industry. Examples where CCPA might apply are:

‣ Data about employees, except in connection with a health plan that is a HIPAA covered entity (last-minute legislative action exempts information about job applicants, employees, and their families for one year)

‣ Personal information that is not PHI held by a HIPAA business associate that also may receive information from healthcare organizations that are not covered entities or providers

‣ Personal information that is not PHI collected by HIPAA covered entities or healthcare providers from consumers

‣ Businesses that are not covered by HIPAA or providers under the CMIA (e.g., genetic testing providers, medical device monitoring companies, vendors of wearables, cloud-based electronic health record companies, pharmaceutical manufacturers, health and wellness product retailers, for-profit assisted living facilities)

Include Group Entities Operating Under the Same Brand

Once an entity qualifies as a "business" (that is, any entity that is assessed to be within scope after applying the steps above), all of the group's entities that control or are under the control of that entity (e.g., its corporate parent, subsidiaries, or affiliates) immediately qualify as a "business" under CCPA as long as they operate under the same brand. This is the case regardless of their revenue or number of data sales. CCPA does not specify whether group entities with no connection to California, or not-for-profit entities, can be excluded from this general rule. There is broad agreement that the state attorney general will have to provide interpretive guidance to address a number of drafting errors and an array of contradictory provisions in the CCPA that may make compliance impractical.

Summing It All Up

For-profit business entities with a presence in California that either have annual revenue of $25 million or more, or that annually process the personal information of 50,000 California residents, are facing the strictest general privacy law in the nation. These businesses will be required to provide consumers, including their own employees and job applicants, with privacy notices along with an array of rights for access, correction, and deletion of their data, while facing significant restrictions on the sale of personal information. Although on its face the legislature addressed significant concerns of the business community by exempting most employees and information derived from B2B activities, these issues were merely kicked down the road to be dealt with again next year. There are a number of problems in CCPA that will require clarification, but these far-reaching, first-in-the-country consumer privacy rights will become law on January 1st. No business should risk waiting to assess how CCPA may apply to its organization until all of the kinks have been worked out. The scope and reach of the new law for
