October 17, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

How Will the New California Consumer Privacy Act of 2018 Will Affect Your Business?

On June 28, 2018, California legislated into law A.B. 375, otherwise known as the California Consumer Privacy Act of 2018 (“California Privacy Act”).  Effective January 1, 2020, among other requirements, the law will expand privacy rights of California consumers as well as require businesses to disclose the what, why, and how consumers’ personal information are being used.  Failure to comply with these new laws could be costly to businesses with civil penalties resulting from an action by the state attorney general of up to $7,500 per violation.  In addition, in the event of a breach of personal information, the California Privacy Act provides consumers with statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.  Therefore, the California Privacy Act will have a significant impact on businesses, including the healthcare sector.

Business Types Affected.

Generally, the California Privacy Act will affect business entities that are for-profit business entities that collect consumers’ personal information and that meet one or more of the following criteria: (1) have annual gross revenues greater than twenty-five million dollars ($25,000,000); (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.  The law applies to businesses who collect, use, or share personal information of California residents, including those who are outside the state for temporary or transitory purposes (e.g., travelers).  California’s privacy law does not apply to protected health information regulated by California’s Confidentiality of Medical Information Act or by HIPAA’s privacy, security, and notification rules, but, it does apply to the other personal information held by an organization that meets the criteria above and doing business in California. 

Consumer Rights Expanded.

Additionally, the California Privacy Act will provide California residents more control over their personal information.  For example, consumers will have the right to know the type of personal information collected by the business, the purpose for which the information is being collected, and with whom the information is being shared with.  Also, consumers will have the “right to be forgotten” by requesting the deletion of their personal information from the businesses’ systems (with certain exceptions that may apply).  Under the new law, consumers will have the right to prohibit businesses from selling their personal information.  Furthermore, the California Privacy Act will also provide consumers protection from discriminatory action by businesses for exercising these privacy rights.  Overall, the expansion of consumers’ rights to their personal information are similar to the requirements set forth in the European Union’s General Data Protection Regulation (“GDPR”) policies.  Therefore, in this regard, the good news is that the work businesses have been doing to be GDPR compliant will most likely comport with the California Privacy Act.

Business Response Required.

Also, the California Privacy Act will mandate businesses, affected by the law, to comply with several requirements that will ensure consumers’ awareness of their privacy rights.  For example, the law will require businesses to make available at least two methods for consumers to make requests for information required to be disclosed (at a minimum a toll-free telephone number and, if applicable, a Web site address).  Businesses will be required to disclose and deliver the requested information, free of charge to the consumer within 45 days of the request (although businesses will not have to provide such information more than twice a year to a single consumer).  Furthermore, businesses will be required to ensure that all individuals handling consumer inquiries about the business’s privacy practices or the business’s compliance with the law understand all the requirements under the California Privacy Law.  Therefore, businesses will need to make sure that its online privacy policies and/or California-specific consumers’ privacy rights are updated to include these new rights.

As mentioned above, the California Privacy Act reaches businesses beyond the borders of the state.  According to the International Association of Privacy Professionals (“IAPP”), more than 500,000 U.S. businesses (most being small- to medium-sized enterprises) will be affected by the privacy law.  Because the California Privacy Act follows in the footsteps of the GDPR, the work businesses have done to be in compliance with the GDPR will most likely comport with California’s privacy law.  But those businesses who have not, should begin making changes to their policies and procedures to ensure they are in compliance by the end of 2019.

©2019 Epstein Becker & Green, P.C. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Patricia M. Wagner, Epstein becker green, health care, life sciences
Member

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

202-861-4182
Daniel Kim, Epsten Becker Law Firm, Washington DC, Healthcare law
Associate

DANIEL KIM is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. He will be focusing his practice on FDA marketing approval of medical devices and pharmaceutical, reimbursement and compliance matters affecting health care medical device manufacturers, telehealth and telemedicine, HIPAA privacy and security, regulatory health care due diligence, and compliance issues.

Mr. Kim received his J.D., cum laude, from American University Washington College of Law. He obtained an M.A. in Anatomy and Neurobiology from Boston University School of Medicine, where he served as a surgical technician. He also received a B.A. in Biology, with a concentration in Neuroscience, from Boston University.

While attending law school, Mr. Kim clerked at the U.S. Attorney’s Office for the District of Columbia and at the Medicare Operations Division of the U.S. Department of Health and Human Services’ Departmental Appeals Board. Later, he interned at the Commissioner’s Office of the U.S. Food and Drug Administration and at the Office of General Counsel for Doctor on Demand, Inc., where he assisted in researching state telehealth laws and regulations, and developing and implementing HIPAA privacy and security and company compliance policies.

Before going to law school, Mr. Kim worked for six years as a research assistant at Boston Children’s Hospital, studying potential therapeutic treatments for spinal cord injuries.

 

202-861-1829