In June 2018, the California legislature passed the California Consumer Privacy Act (“CCPA”), which was intended to change state law to better protect the privacy of consumers and contained new privacy protections and rights for consumers.
It applies to for-profit companies that hold the data of more than 50,000 individuals. The Act’s rights include the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted, and the right to prevent personal data from being sold. The CCPA is not due to take effect until January 1, 2020.
On August 31, 2018, the legislature passed SB 1121, which changed the implementation of the CCPA. The CCPA includes a consumer private right of action that allows California residents to take legal action against companies that have experienced data breaches as a result of a failure to implement appropriate security measures.
For HIPAA covered entities, the most important change to the CCPA is that it specifies that all data handled pursuant to HIPAA is exempt, confirming that the CCPA will not apply to HIPAA covered entities or to information collected by a HIPAA covered entity or business associate that is part of a clinical trial. Part of the reasoning for this exemption is that HIPAA provides health care consumers with similar rights and security over their data.
Perhaps the most helpful portion of the Senate Bill is that the CCPA relieves HIPAA covered entities from facing the CCPA’s private right of action, which allows health care consumers to sue directly, without having to persuade the State Attorney General to sue on their behalf, as is the case under HIPAA.