CCPA Updates: Exemptions Signed into Law
Governor Newsom of California recently signed into law two new bills that provide clarity on two major exemptions to California’s comprehensive privacy law, the California Consumer Privacy Act (“CCPA”). These exemptions provide clarity for businesses assessing their compliance obligations. Unless an exemption applies, the CCPA applies to for-profit entities, located anywhere in the world, that do business in California, collect (or engage a third party to collect) the personal information of California residents and satisfy at least one of the following: (1) have over $25 million in annual gross revenue; or (2) buy, sell, receive or share for commercial purposes the personal information of 50,000 or more California residents, households or devices on an annual basis; or (3) derive 50 percent or more of their revenue from the sale of personal information of California residents.
AB 713 addresses and clarifies the exemption the CCPA provides for protected health information as defined by the Health Insurance Portability and Accountability Act (“HIPAA”) and medical information as defined under the California Confidentiality of Medical Information Act (“CMIA”). To this end, AB 713 clarifies the following:
- The CCPA does not apply to business associates of a covered entity governed by HIPAA, to the extent that the business associate maintains, uses, and discloses patient information in the same manner as protected health information covered by HIPAA.
- Medical information that is de-identified in accordance with HIPAA and is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA, CMIA, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, is exempt from the CCPA. This exception allows entities that are not directly subject to the foregoing federal regulations to hold data that meets these requirements without being subject to the CCPA. The bill further provides prescriptive contractual and privacy policy requirements if an entity desires to sell or license such de-identified information when one of the parties to the transaction resides in California. Finally, re-identification of this information is restricted except for very limited purposes.
Finally, last month we detailed the extension of the business-to-business exemption from the CCPA under AB 1281, here, which has now been signed into law. We will continue to monitor updates to California’s privacy laws, including whether the CPRA passes in the upcoming election, which we previously summarized here.