CCPA Healthcare Checklist: What Does CCPA Compliance Mean for Your Business and What Changes Should You Make?

The California Consumer Privacy Act (CCPA), which was enacted on January 1, 2020, gives consumers more control over the collection and sale of their personal information by businesses. Covered businesses will need to make changes to their website and internal customer management processes by following this CCPA healthcare checklist:

• Notify consumers before or at the time of collection which categories of personal information will be obtained and how they’ll be used
• Include a link on your homepage that allows consumers to opt-out of having their personal information sold and allow consumer’s (or their guardians) under 16 to opt-in 
• Update your privacy policy to reflect California consumer’s new rights
• Provide at least two methods for a consumer to make a verifiable request about his or her personal information (at a minimum, a toll-free telephone number and website)
• Train employees to process verifiable consumer requests

What does the CCPA mean for your business and what changes should you make?

The CCPA gives businesses a 6-month grace period before the California attorney general can bring a case against an entity. Failure to adhere could result in penalties costing up to $7,500 per violation and consumer lawsuits. Additionally, a 12-month “look back” period from January 1, 2020 requires businesses to have records of consumer’s personal information dating back to January 1, 2019.

CCPA Compliance

A covered business must provide California consumers with all the rights listed below.

Opt-Out

A consumer is entitled to opt-out of having his or her personal information sold. A business that sells a consumer’s personal information must: 

• Add a clearly visible “Do Not Sell My Personal Information” link on the homepage of its website to a separate web page that enables the consumer to opt-out.   (You can avoid this home page link by maintaining a separate and clearly visible California consumer-specific webpage that includes the required disclosure.)
• Disclose the right to opt out in its privacy policy or any “California-specific description of consumers’ privacy rights,” along with a link to the opt-out page.
• Train all staff responsible for handling customer inquiries about the right to opt out and how to help a customer do so.

Businesses cannot require a consumer to create an account in order to complete the opt-out process.

Opt-in for Minors 

The opt-out requirement for the CCPA is modified for children under the age of 16 and businesses must collect opt-in consent in order to sell such personal information. 

The CCPA prohibits the sale of personal information collected from a consumer who is:

• Age 13 up to 16 unless the consumer has opted in
• Under age 13 unless a parent or legal guardian has affirmatively authorized the sale

Covered businesses will need to ask consumers whether they are 16 or older, or they will be responsible for violating the law if a child’s personal information is sold. Businesses that intentionally disregard the consumer’s age and sell a child’s data will be prosecuted as having had actual knowledge. 

Right to Know and Access

When a business collects personal information from or about a consumer, the consumer can request the following:

• The categories of personal information and specific pieces that have been collected, sold or disclosed in the past 12 months preceding the request
• The source from which that information was collected
• The business or commercial purpose for the collection or sale of that information
• The specific third parties and categories of third parties with whom or which that information is shared

Businesses are also required to disclose on their website privacy policy or elsewhere on the site: 

• The categories of personal information collected and how the business will use such information, at or before the time of collection
• How a consumer can exercise his or her right to know about the collection and sale or other disclosure of personal information
• Separate lists of the categories of personal information sold and disclosed during the preceding 12 months or a statement that no sale or disclosure was made

The right to access does not apply to information collected for a single transaction as long as the information is not sold or retained for the purpose of linking it to personal information.

Right to Delete

Consumers have the right to request that a business delete their personal information. Covered businesses will also need to inform consumers of their right to have personal information deleted in the organization’s privacy policy. However, this does not apply to protected health information, since those rules are governed by HIPAA.

Nine exceptions exist for the right of the consumer to delete information if it’s necessary to retain consumers’ personal information for the following reasons:

1. Transactional: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
2. Security: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
3. Errors: Debug to identify and repair errors that impair existing intended functionality.
4. Free Speech: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
5. CalECPA Compliance: Comply with the California Electronic Communications Privacy Act
6. Research in the Public Interest: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research if the consumer has provided informed consent.
7. Expected Internal Uses: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
8. Legal Compliance: Comply with a legal obligation.
9. Other Internal Uses: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

If the business refuses to delete the information, it must inform the consumer of its reason for refusal and any right to appeal.

Verifiable Consumer Request

Covered businesses are required to offer at least two methods for verifiable consumer requests. One must be a toll-free number, and the second a website, if the business has one. Complete rules surrounding what a verifiable consumer request is, have not yet been written. However, the California attorney general is required to adopt regulations to help businesses determine when a consumer request is verifiable by June 28, 2019. The CCPA regards a consumer’s request “submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account” as verifiable. However, a business may not require a consumer to create an account in order to submit a verifiable request.

Businesses are not required to respond to more than any two verifiable consumer requests from the same consumer during a 12-month period. The business must provide this information free of charge through the consumer’s account with the business, or the consumer’s preference by post mail or in electronic communication that easily allows the consumer to transmit the information to another party. 

Businesses have 45 days to respond to a verifiable consumer request, but the period may be extended by an additional 45 days if there is complexity or a large number of requests. Businesses must inform the consumer of the extension within 45 days. The response to the request should cover the 12-month period preceding the date on which the business received it.

Right to Equal Service and Price

A business cannot discriminate against a consumer who exercises his or her right under the CCPA by denying goods or services, charging a different price, providing different or lower-quality goods or services, or suggesting different prices, quality, or service.

However, the CCPA does permit a business to provide different prices, levels or quality of goods and services if the difference is “reasonably related” to the value of the consumer’s data. A business also may offer financial incentives to a consumer in exchange for the collection, sale or deletion of his or her personal information in the case that superior quality, service or pricing is directly related to the value of the consumer’s data. Consumers must be able to opt-in and opt-out of such a program at any time.

We pride ourselves on maintaining a position at the cutting edge of technology awareness and protection. Not only are we experts on HIPAA, ADA, and GDPR compliance for the healthcare industry, but we also offer custom audits for CCPA compliance. Contact us online or call (866) 932-9944 to learn more.