In 2018, California lawmakers passed the California Consumer Privacy Act (CCPA), giving California residents a number of consumer privacy rights, including the right to find out what personally-identifying information for-profit companies are collecting about them, to opt-out of having such information collected, and to have that information deleted.
The CCPA only applies to for-profit companies doing business in California that: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more Californians; or (c) derives 50 percent or more of their annual revenues from selling California residents’ personal information.
Although public agencies, including school districts, county offices of education, charter schools, community college districts, the California State Universities, or the University of California are not required to comply with the CCPA when contracting with covered companies, public educational institutions should ensure that the obligations and risks of the CCPA rest squarely with the for-profit company. Specifically, where a public educational institution contracts with a for-profit company and that company will be collecting information relating to the public educational institution, make sure to include contractual provisions that require the for-profit company to comply with all applicable privacy laws, including the CCPA.
We also recommend tracking changes in this area of law, to help in understanding what may be expected of vendors. For example, AB 713 creates a new healthcare-related exemption from certain requirements in the CCPA out of concerns that the CCPA was adversely impacting health care research and operations. Under the new exemption, information is not subject to the CCPA if it meets both of the following requirements in Civil Code Section 1798.146(4):
The information is de-identified in accordance with the de-identification requirements in the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as set forth in 45 C.F.R. § 164.514; and
The information is “derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by” HIPAA, California’s Confidentiality of Medical Information Act (CMIA), or the Federal Policy for the Protection of Human Subjects, often referred to as the Common Rule.
This new deidentification exemption is in addition to, and separate from, the CCPA’s current language which also excludes from its scope certain de-identified information, though the definition for deidentification is different in the CCPA than it is in the HIPPA. Thus, AB 713 now provides an alternative basis to argue that patient information that has been de-identified for HIPAA purposes is also exempt from the CCPA.
The new deidentification exemption is subject to conditions. For example, AB 713 prohibits reidentification, except for specific purposes such as treatment or billing purposes. The bill also requires that contracts for the sale or license of deidentified patient information include specific provisions prohibiting the purchaser or recipient from reidentifying the information and limiting redisclosure of the information to third parties.
AB 713 also highlights that public educational institutions need to keep an eye on developments in privacy laws, as this is a continually changing area of law. For example, AB 713 was passed as urgency legislation (which allowed it to go into effect immediately upon the Governor’s signature) in response to concerns about Proposition 24, an initiative on this November’s ballot. If passed, Proposition 24 will create the California Privacy Rights and Enforcement Act (CPREA) to replace the CCPA. Supporters of the proposition say that the CPREA will give consumers even more control over their personal data and make it harder for the Legislature to change privacy laws. Accordingly, AB 713 was preemptively passed in an attempt to preserve exemptions for medical information, just in case Proposition 24 affects the CCPA’s pre-existing exemptions for de-identified information.
All of this potential change highlights that public agencies need to be on high alert for amendments, changes, and modifications to the CCPA and other California privacy laws, to ensure that they or their vendors are in compliance with this continually evolving area of the law.
(AB 713 amends Section 1793.130 of the Civil Code and adds Sections 1798.146 and 1798.148 to the Civil Code.)