California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

Share this article on:

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers.

CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR).

The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold.

The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law which they consider unworkable and several technical issues that are likely to have negative and unintended consequences.

The CCPA is not due to take effect until January 1, 2020, which gives Californian lawmakers plenty of time to make amendments. There are likely to be several amendments made before the law comes into effect, the first of which have just been passed.

On August 31, 2018, the legislature passed SB 1121 which includes several technical edits to the CCPA and a notable change to the implementation of the CCPA. The compliance date has remained the same, although SB 1121 clarifies that the CCPA will go into effect as soon as it is signed into law. This is seen as an effort to ensure that California localities will not be able to pass conflicting laws before January 1, 2020.

Entities covered by the CCPA will be given additional time to ensure compliance, as SB 1121 changed the date by which the California Attorney General must publish its implementation regulations. The final date for publication of the implementation regulations is now July 1, 2020. Further, the Attorney General will not be permitted to bring CCPA enforcement actions against any company found not to be in compliance with CCPA until six months after the publication of the implementation guidelines.

In contrast to HIPAA, the CCPA includes a private right of action which allows California residents to take legal action against companies that have experienced data breaches as a result of a failure to implement appropriate security measures. In its previous form, any consumer that chose to take legal action for the exposure of their personal data was required to notify the attorney general within 30 days of filing a legal action. That notification requirement has now been dropped.

SB 1121 has also clarified exemptions for data already covered by other legislative acts, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GBLA), and the Driver’s Privacy Protection Act (DPPA).

All data handled pursuant to HIPAA, GBLA and the DPPA are exempt from the CCPA. Further, SB 1121 has confirmed that the CCPA will not apply to HIPAA-covered entities and neither to information collected by a HIPAA-covered entity or business associate that is part of a clinical trial.

SB 1121 has been passed, although the state governor has until September 30, 2018 to sign the amendment.

Author: HIPAA Journal

Share This Post On