On June 28, 2018, California legislated into law A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand privacy rights of California consumers as well as require businesses to disclose the what, why, and how consumers’ personal information are being used.  Failure to comply with these new laws could be costly to businesses with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  Therefore, the California Privacy Act will have a significant impact on businesses, including the healthcare sector.

Business Types Affected.

Generally, the California Privacy Act will affect business entities that are for-profit business entities that collect consumers’ personal information and that meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.  The law applies to businesses who collect, use, or share personal information of California residents, including those who are outside the state for temporary or transitory purposes (e.g., travelers).  California’s privacy law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy, security, and notification rules, but, it does apply to the other personal information held by an organization that meets the criteria above and doing business in California. 

Consumer Rights Expanded.

Additionally, the California Privacy Act will provide California residents more control over their personal information.  For example, consumers will have the right to know the type of personal information collected by the business, the purpose for which the information is being collected, and with whom the information is being shared with.  Also, consumers will have the “right to be forgotten” by requesting the deletion of their personal information from the businesses’ systems (with certain exceptions that may apply).  Under the new law, consumers will have the right to prohibit businesses from selling their personal information.  Furthermore, the California Privacy Act will also provide consumers protection from discriminatory action by businesses for exercising these privacy rights.  Overall, the expansion of consumers’ rights to their personal information are similar to the requirements set forth in the European Union’s General Data Protection Regulation (“GDPR”) policies.  Therefore, in this regard, the good news is that the work businesses have been doing to be GDPR compliant will most likely comport with the California Privacy Act.

Business Response Required.

Also, the California Privacy Act will mandate businesses, affected by the law, to comply with several requirements that will ensure consumers’ awareness of their privacy rights.  For example, the law will require businesses to make available at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).  Businesses will be required to disclose and deliver the requested information, free of charge to the consumer within 45 days of the request (although businesses will not have to provide such information more than twice a year to a single consumer).  Furthermore, businesses will be required to ensure that all individuals handling consumer inquiries about the business’s privacy practices or the business’s compliance with the law understand all the requirements under the California Privacy Law.  Therefore, businesses will need to make sure that its online privacy policies and/or California-specific consumers’ privacy rights are updated to include these new rights.

* * *

As mentioned above, the California Privacy Act reaches businesses beyond the borders of the state.  According to the International Association of Privacy Professionals (“IAPP”), more than 500,000 U.S. businesses (most being small- to medium-sized enterprises) will be affected by the privacy law.  Because the California Privacy Act follows in the footsteps of the GDPR, the work businesses have done to be in compliance with the GDPR will most likely comport with California’s privacy law.  But those businesses who have not, should begin making changes to their policies and procedures to ensure they are in compliance by the end of 2019.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.