Healthcare Information Security

HIPAA and Compliance News

Bill Would Exempt HIPAA Covered Entities from California Privacy Law

The California legislature has passed amendments to the sweeping California Consumer Privacy Act that would exempt HIPAA covered entities and business associates from the state law’s requirements.


By Fred Donovan

The California legislature has passed amendments to the sweeping California Consumer Privacy Act that would, among other changes, exempt HIPAA covered entities and business associates from the state law’s requirements.

It would also exempt PHI collected by a HIPAA covered entity or business associate or as part of a clinical trial from the state law.

The governor has until Sept. 30 to sign the amendments.

The California Consumer Privacy Act, passed by the legislature and signed into law by the governor in June, is intended to substantially strengthen consumer privacy rights and data security protections for state residents. It takes effect Jan. 1, 2020.

The law applies to commercial entities that do business in the state and collect personal data from consumers. 

It provides consumers the right to access their personal information collected by a business, the right to delete the information, the right to know what information is being collected, the right to know whether and what personal information is being sold or disclosed, the right to stop a business from selling their information, and the right to equal service and price.

In addition, the law provides a modified, private right of action for data breaches and allows for enforcement by the state attorney general for other violations.

In particular, the law grants consumers the following rights:

  • To request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared
  • To request deletion of personal information
  • To request that a business that sells the consumer’s personal information or uses it for a business purpose disclose the categories of information that it collects, the categories of information that it sold or disclosed, and the categories of third parties to which the information was sold or disclosed

The law requires a business that collects personal information to do the following:

  • To make disclosures about a consumer’s personal information that it collects and the purposes for which it is used
  • To delete a consumer’s personal information that it collects, upon receipt of a verified request
  • To provide the categories of personal information that it sold or disclosed for a business purpose and the categories of third parties to which the personal information was sold or disclosed, in response to a verifiable consumer request

The law allows a consumer to opt out of the sale of personal information by a business; prohibits a business from discriminating against the consumer for opting out, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data; allows businesses to offer financial incentives for collection of personal information; prohibits a business from selling the personal information of a consumer under age 16; and prescribes requirements for receiving, processing, and satisfying these requests from consumers.

The law provides a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information; provides that a business is in violation of the law if it fails to remedy any alleged violation within 30 days after being notified of alleged noncompliance; and stipulates that any business, service provider, or other person that violates the law is liable for a civil penalty in a civil action brought by the attorney general.

The law provides that any person, business, or service provider that intentionally violates a provision of the law is liable for a civil penalty up to $7,500 for each violation.

Commenting on enactment of the California Consumer Privacy Act, the sponsor of the bill, Assembly Member Ed Chau, said: “Today, California took a historic step in enacting legislation to protect children and consumers by giving them control over their own personal data. Consumers should have a right to choose how their personal information is collected and used by businesses. It is your data, your privacy, your choice.”
