Darshan: So we've all seen a situation where people are talking about GDPR, people are talking about HIPAA. Everyone understands what this means, yet there's a second set of laws that people are ignoring. People don't realize what's at stake. People don't understand where we're going. What's a common example of this is the state laws. CCPA is the most common one of them. CCPA stands for the California Consumer Privacy Act. It's generally broader than HIPAA in terms of what constitutes private data. It was passed in June 2018. It has some very, very onerous requirements that some might say actually exceed what HIPAA actually requires.
Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks, or the show's website at darshantalks.com.
Darshan: Let's start with what's actually covered. Under CCPA, the real name, your alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license, passport or other similar identifiers are all covered as personal information. Commercial information, including records of property, products or services purchased, obtained or considered would all be considered personal information under CCPA.
Darshan: If you went online and I'm looking at hopefully trying to buy something and looking up reviews of a house, I'm actually trying to buy a house, and I want to look at who's owned the house previously. The concern with that is if I land up in this situation, I may not be able to get that access, and that's appropriate for the privacy of the people before me. Geolocation data would be considered to be private. Audio, electronic, thermal data, olfactory data would be covered. This is really like next generation stuff when you say olfactory data or visual data would be considered to be personal information. I'm not even sure how you... how someone quantifies my olfactory data.
Darshan: Professional employment related information would be considered to be personal information. Education information would be considered to be personal information. So obviously there are going to be some serious ramifications in how employment occurs in California because of this law. And inferences drawn from any of the information that's previously been listed, I just listed out for you, and the impact on the consumer's preferences, characteristics, psychological trends, preference, dispositions, behavior, attitudes, intelligence and aptitudes would all be considered to be personal information. Interestingly enough, employee data is exempted so we've got to figure out what that actually means, how does this play out.
Darshan: So what are the implications? So businesses must disclose data collection sharing practices to consumers. Consumers have the right to request that that data be deleted. So again, if you think about GDPR, this is reminiscent of the right to be forgotten.
Darshan: Consumers have the right to opt out of the sale or sharing of their personal information. Makes sense. Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent. Makes sense. So that's an opt-out, sorry, opt-in sort of knocked out. Companies must allow consumers to choose not to have their data shared with third parties. So if you are, say Google who's coming up with a new system, you need to basically say, "Would you like to opt-in to these services?" And chances are, you could just put a geofence around California and say anyone who's up here is subject to it. But theoretically, do you really want to start restricting it? Maybe you do, maybe you don't.
Darshan: Companies cannot refuse users equal service. This is an interesting one. Companies cannot refuse users equal service, but they can offer incentives to users who provide personal information. So this provision where you subject to change, but it gives you the ability to offer discounts to people who are willing to have their data shared or sold to third parties. This is different from what we've had before, but it basically lets you monetize your data. The only difference is someone else decides the price. Do you want that? Do you not? You've got to start thinking through that.
Darshan: The California consumer has the right to find out what information a company collects about them within 45 days. If this includes information on what information they had, was it sold, who was it sold to. If it was sold to third parties over the last 12 months, it must give the names and addresses of those third parties. Since the rule covers the last 12 months, again, the companies need to start complying pretty much immediately.
Darshan: So this is all well and good. This is great, great. There's a law out there. Good to know. Why should I care? Are there penalties? So civil penalties can range from $2,500 for non-intentional violation to $7,500 for an intentional violation. So that basically means, well sometimes $100 doesn't seem like a lot of money, right? Now multiply that by a million records. That's suddenly a lot of money.
Darshan: What's interesting enough is CCPA also has a private right of action, which means that now users... If I live in California, I can actually sue a company that violates my rights and I could theoretically get a piece of the action, and that's hugely profitable. So if I was a company operating in California, I'd be careful of this.
Darshan: How is this different from GDPR? Again, there are dozens and dozens and dozens of differences, but it applies to people who are in Europe. It's not even restricted to EU residents. On the other end, for CCPA, it applies only to California residents. Under GDPR, it applies to controllers including nonprofit organizations. CCPA has a bunch of different factors, one of which is if it's a not-for-profit, you are exempt. I can list out a whole bunch of them. If you collect this information on our behalf of which such information... collect personal information.
Darshan: If you do business in California, you may actually be subject to it, and if you meet the following thresholds. You have annual gross revenues in excess of 25 million, alone or in combination, you annually buy, receive for the company's commercial purposes 50,000 or more records basically, or you derive 50% or more of your annual revenue from selling consumer personal information, you may be subject to CCPA.
Darshan: GDPR has specific obligations on processors. On the other hand, CCPA applies to any entity that controls or is controlled by the business. So there are tons of exceptions.
Darshan: So is there any connection with HIPAA? Maybe it's not the same thing as GDPR. Does CCPA actually have a connection with HIPAA, because we know California in the US HIPAA, a US law. Well, CCPA actually creates an exemption designed around HIPAA. The statute says, "This title shall not apply to a covered entity governed by HIPAA to the extent that the covered entity maintains patient information in the same manner as PHI." Well, that sounds great, right? It means that if you're a hospital, you aren't subject to CCPA.
Darshan: The problem is it's not as simple as that, or at least a lot of lawyers are not taking it to be as simple as that. An organization that's otherwise subject to CCPA, such as a for-profit hospital entity operating in California and has more than 50,000 consumers or else gross revenues in excess of 25 million, they try to find shelter under HIPAA. But most attorneys, the courts may not read it in the same way. They're worried that the organization may... The courts may look at the intent. And well you as a hospital doing this for patient health information or you're doing it for sales, or you're doing it for marketing? So is the organization exempt or is the purpose exempt? That's going to be interesting as well.
Darshan: What's interesting also is, is California the only state with these laws? So Nevada enacted a Senate bill, which also has certain similar provisions to CCPA. New York has two different laws that are trying to go down and protect individuals' privacy. One is the Stop Hacks And Improve Electronic Data Security handling, which is called the SHIELD Act, and there's also the pending New York Privacy Act. Massachusetts has a similar CCPA bill. New Hampshire, Washington, Illinois, Oregon, Texas and Maryland are all in different versions of these privacy laws.
Darshan: CCPA is a harbinger, but it's not the only one and... Well, it's not the only one that's going to be around in a few months, in a few years. What is the problem with this? It means that you're getting a patchwork of laws. If you are a company that's operating across the US or even across the world, these types of patchworks of laws are hugely problematic because now you're trying to comply with different rules across different sectors, across different countries. That just becomes more and more problematic. Now if you start getting into different states, that's even more problematic.
Darshan: I would say that in the short term, you're going to see companies trying to deal with this patchwork of laws. In the long term, and there was actually a Senate bill that I saw in the news being proposed, which is going to try to solidify privacy across the country. So we'll see how that plays out as well.