The California Consumer Privacy Act (CCPA) gives consumers more control over how their personal information is collected and used, but it makes a number of exemptions where there are already existing data privacy laws in place. The purpose of these exemptions is to avoid interfering with those regulatory schemes and placing undue burdens on businesses. The most significant exemptions are tied to three federal laws: the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Fair Credit Reporting Act (FCRA).
Critically, these are not blanket exemptions, but are tied to specific types of data collection and usage. A business that is regulated by the GLBA, for example, may still have obligations under the CCPA.
HIPAA is a federal health-care law that regulates, among other things, the disclosure and security of protected health information (PHI). Under the CCPA exemption, the California law does not apply to PHI collected by a covered entity or business associate (similar to a CCPA service provider) that is governed by the privacy, security, and breach notification rules of HIPAA.
Notice that this exemption only covers PHI; these businesses could still be collecting and using other personal information that is subject to CCPA requirements. However, the California law also exempts covered entities more broadly, to the extent they maintain other patient information in the same manner as PHI.
The HIPAA exemption covers all provisions of the CCPA, including the private right of action for data breaches. This is likely because HIPAA already has its own data-protection requirements and the California Confidentiality of Medical Information Act (CMIA) grants a similar right of action to consumers.
The GLBA imposes privacy rules on financial institutions regarding the collection and sharing of consumers’ nonpublic personal information (NPI). NPI is “personally identifiable financial information” collected in connection with providing financial products or services. Under the GLBA’s Privacy Rule, financial institutions must disclose how NPI is collected and shared, as well as provide consumers with the opportunity to opt out of sharing their NPI with third parties.
Because the GLBA already has its own data privacy rules in place, the CCPA includes an exemption for personal information that is subject to the GLBA (i.e., NPI). It is not an entity-level exemption, though. If financial institutions are collecting personal information that is not subject to the GLBA, that personal information may be subject to the CCPA. For example, if a financial institution also provides non-financial products, personal information collected while providing those products could be covered by the CCPA.
Businesses that have already implemented a GLBA-compliance system should have a good idea as to what is or is not NPI. For any personal data that has been determined not to be NPI, businesses should evaluate their obligations under the CCPA.
Importantly, the CCPA does not exempt financial institutions from its private right of action concerning data breaches. Under this provision, California residents can sue businesses when their non-encrypted and non-redacted personal information is subject to unauthorized access, theft, or disclosure due to a business’s failure to implement and maintain reasonable data security procedures.
The FCRA governs how personal information can be used by consumer reporting agencies such as credit bureaus and background-screening companies. It also gives consumers certain rights regarding the accuracy and privacy of their information.
The CCPA has an exemption for personal information that is collected, maintained, used, sold, or shared by consumer reporting agencies and furnishers of information (as defined by the FCRA). It is not an entity-level exemption; it only applies to the extent that the personal information is subject to the FCRA and is used as authorized by that law. Without this exemption, the overall credit-reporting system would be severely disrupted: California residents could, for example, request the deletion of their entire credit history.
As with the GLBA exemption, this does not apply to the CCPA’s private right of action. Businesses can still be sued by consumers for a cybersecurity breach caused by the business’s failure to implement and maintain reasonable security procedures.
The CCPA takes care to stay out of the way of HIPAA, the GLBA, and the FCRA, but that doesn’t mean businesses subject to these laws can completely ignore the CCPA. These businesses should carefully evaluate their practices to determine where federal compliance ends and CCPA compliance begins.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.