CCPA – Securing Consumer Data with Stringent Compliance Framework

Overview of California Consumer Privacy Act (CCPA)

It has been almost a year since the General Data Protection Regulation (GDPR) came into effect. Soon after, data privacy and security became a top priority for businesses across the globe like never before. It served as an alarm reminding companies dealing with customer data that it is high time their data handling was put in check to prevent any misuse.

Now that the GDPR storm has passed, another one is ready to give businesses a nightmare. Yes, we are talking about the buzzword CCPA, which most of you might have come across and which is finally set to take effect, bringing more stringent data protection regulations. The California Consumer Privacy Act (CCPA), officially called AB-375, is a bill passed by the California State Legislature. The bill was signed into law on June 28, 2018, by the Governor of California, Jerry Brown. Ed Chau, a member of the California Assembly, and Robert Hertzberg, a state Senator, introduced the act as part of amending Part 4 of Division 3 of the California Civil Code. The bill with amendments to the CCPA was passed on September 13, 2018.

Just as GDPR was meant to protect the personal data of European Union (EU) citizens, CCPA is intended to protect consumers’ personal information by enhancing the privacy rights of the residents of California, United States, through stringent law and regulation. The act is going to be implemented from January 1, 2020, which is only a few months away. With the importance given to data privacy and security, AB-375 gives California residents the right to control their personal information used by companies. California consumers can even sue a company that does not abide by the privacy guidelines stated by the CCPA, and the act also incorporates hefty non-compliance fines.

Key Provisions of CCPA

Amidst data breaches, misuse and data theft, CCPA aims to secure the data of the state’s residents. The implementation of the act will provide California residents with the following rights in relation to their data:

  • Right to Know
  • Right to Access
  • Right to Deletion
  • Right to Equal Service
  • Right to Opt-out

What Data Does CCPA Consider “Personal Information”?

When it comes to identifying and determining what data comes under “personal information,” the AB-375 act takes a broader approach. The CCPA considers the following information of California residents as “personal information”:

  • Individual identifiers including real name, email address, postal address, account name, Social Security number, IP address, passport number, driver’s license number, and other similar details.
  • Educational details, including all the information coming under personally identifiable information (PII) as stated in the Family Educational Rights and Privacy Act.
  • Commercial information such as purchase history, services or products availed, personal property, purchase tendencies, etc.
  • Information pertaining to the internet or any other electronic network use, including search or browsing history and data derived from a consumer’s interaction with an advertisement, website, or application.
  • Interpretations derived from a customer profile that projects consumer preferences, behavior, abilities, characteristics, psychological trends, attitudes, aptitudes, and predispositions.
  • Employment or profession related data
  • Biometric information
  • Geo-location information
  • Electronic, thermal, visual, audio or similar data
  • Characteristics as classified under California or federal law

*Note: However, a recent amendment passed in April exempts employee information from the regulation.

Which Companies Need to Comply with CCPA?

CCPA applies to for-profit companies or businesses that collect and process California consumers’ personally identifiable information and meet one or more of the following norms:

  • Earns annual gross revenues of $25,000,000.
  • Receives, shares, buys, or sells the personal, device, or household information of at least 50,000 California consumers per year.
  • Derives 50% of annual revenue from selling the personal information of California consumers.

Does CCPA Apply to B2B Companies?

Although CCPA is drafted as a “Consumer Privacy Act,” the law applies to business-to-business (B2B) companies as well. As long as businesses meet any of the above criteria listed by the act, CCPA is applicable even though they may not deal directly with consumers. If the employees of the B2B company are California residents and/or the company has business contacts who meet the specific criteria mentioned earlier, then the company will have to abide by CCPA.

Businesses should not be confused by the use of the term “consumer,” as the definition of “consumer” has a broader sense under CCPA and refers to any individual who resides in California or is domiciled in California from an outside state for a temporary purpose.

What Should Companies Do to Respond to CCPA?

At some point or another, every company might have collected, or is still collecting, what CCPA defines as personal information of California consumers. To stay compliant and avoid penalties, companies must cross-check what data they collect and ensure that data privacy and security are on point. Here is what they need to review and put in place before the CCPA comes into play:

  • Information collected
  • Source of information collected
  • How the information is stored
  • How the information is used
  • For how long the information is stored and why
  • With whom information is shared and for what purpose
  • Review all third-party agreements and revise them
  • Ensure a procedure is in place to respond to data access and deletion requests
  • Keep systems ready to honor and retain consumers’ opt-out requests
  • Give employees proper training with regards to CCPA
  • Amend privacy notice immediately

The privacy requirements set by CCPA make it compulsory for businesses to take a hard look at their processes and capabilities for governing consumers’ personal data and, if needed, to make changes.

Does CCPA Apply to Business Associates or Covered Entity Falling Under HIPAA?

The California Consumer Privacy Act does not apply to business associates or entities dealing with Protected Health Information (PHI) of California residents, as it already falls under the HIPAA regulations. Any personal information outside of PHI is otherwise subject to the provisions of CCPA.

Is MedicoReach CCPA-ready?

MedicoReach is always ready when it comes to any kind of compliance and regulation checks. We have always abided by the data privacy and security regulations specific to every region we have our customers in. Our compliance team pays special attention to changing laws and regulations across various economies that are related to our area of work. As a data provider, we never compromise on data privacy and ensure proper measures to prevent any kind of misuse or theft. We have competent and advanced security systems installed in our systems, and our employees are trained to handle sensitive customer data with utmost priority.

Our healthcare database comprises data derived from various trusted and permissioned sources where no personal information is obtained, used or processed without the customer’s or user’s consent. So, while other providers may be in a state of panic with the implementation of CCPA, MedicoReach is well-prepared in advance and has already ensured that none of our practices violate the CCPA. Our clients need not worry, as MedicoReach is CCPA-ready.

Here are the steps that we took to prepare for CCPA:

  • Identified and classified personal data.
  • Evaluated our data-governance capabilities.
  • Examined our privacy measures, updated technologies, and enhanced processes to eliminate any loopholes.
  • Set up a CCPA program management office to handle regulation remediation, accountability, and implementation.
  • Implemented regulation monitoring procedures to stay compliant in the long-run.

Need to Talk About CCPA?

“Compliance is key to protect valuable consumer data. We’re ready to address your CCPA inquiries.”

If you want to know about our CCPA-compliant data, then you can reach us anytime via email at sales@medicoreach.com or can call us at +1-214-396-5617.

* For further details about CCPA compliance, do check California State Legislature’s official website for more accurate information.