Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Free Newsletter Sign Up

ANALYSIS: Think You’re Outside the Scope of CCPA? Think Again

Oct. 22, 2020, 6:51 PM

A little-noticed provision in a recent amendment to the California Consumer Privacy Act (CCPA) extends a sliver of the Act’s reach beyond those who satisfy the statutory definition of a “business.” Yes, the new provision applies even to nonprofits and to organizations with annual gross revenues below $25 million.

Kudos to Ann Waldo, a solo practitioner in D.C., who highlighted this anomaly Wednesday at the Virtual Privacy + Security Forum.

AB 713, which was approved by Gov. Gavin Newsom Sept. 25, aligns certain CCPA exemptions with the federal Health Insurance Portability and Accountability Act (HIPAA). Among other things, it broadens the CCPA’s exemptions for health data by harmonizing the CCPA’s definition of “deidentified” with HIPAA. Health data is now exempt from the CCPA if it is de-identified in accordance with HIPAA and derived from “patient information” governed by HIPPA. AB 713 also broadens the definition of medical research data outside the CCPA.

Significantly, AB 713 imposes new contract requirements for any sale or license of de-identified patient data — and that’s where the CCPA’s scope has grown.

As codified in Cal. Civ. Code § 1798.148(c), the contract requirements apply “where one of the parties [to the contract] is a person residing or doing business in the state.” Note that the text does not refer to a “business,” but to a “person,” which the CCPA defines more broadly as “any … organization or group of persons acting in concert” Cal. Civ. Code § 1798.140(n).

While the overall exemptions in the CCPA need to be considered when analyzing the full effect of these changes, the use of “person” instead of “business” is noteworthy.

Waldo recommends that any organization involved with the sale or license of de-identified patient data take a careful look at the new law and the CCPA exemptions. She adds that including a contractual ban on the downstream re-identification of de-identified data is generally a wise practice in any case.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.