California’s GDPR: Implications of CCPA for HealthTech Companies

DarshanTalks Podcast - A podcast by Darshan Kulkarni

Darshan: So we've all seen a situation where people are talking about GDPR, people are talking about HIPAA. Everyone understands what this means, yet there's a second set of laws that people are ignoring. People don't realize what's at stake. People don't understand where we're going. What's a common example of this, is the state laws. CCPA is the most common one of them. CCPA stands for the California Consumer Privacy Act. It's generally broader than HIPAA, and in terms of what constitutes a private data. It was passed in June 2018. It has some very, very onerous requirements and that some might say actually exceeds what HIPAA actually requires.

Narrator: This is the DarshanTalks Podcast. Regulatory guy, irregular podcast, with host Darshan Kulkarni. You can find the show on Twitter @darshantalks, or the show's website at darshantalks.com.

Darshan: Let's start with what's actually covered. Under CCPA, the real name, your alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license, passport or other similar identifiers are all covered as personal information. Commercial information, including records of property, products or services purchased, obtained or considered would all be considered personal information under CCPA.

Darshan: If you went online and I'm looking at hopefully trying to buy something and looking up reviews of a house, I'm actually trying to buy a house, and I want to look at who's owned the house previously. The concern with that is if I land up in this situation, I may not be able to get that access, and that's appropriate for the privacy of the people before me. Geolocation data would be considered to be private. Audio, electronic, thermal data, olfactory data would be covered. This is really like next generation stuff when you say olfactory data or visual data would be considered to be personal information. I'm not even sure how you... how someone quantifies my olfactory data.

Darshan: Professional employment related information would be considered to be personal information. Education information would be considered to be personal information. So obviously there are going to be some serious ramifications in how employment occurs in California because of this law. And inferences drawn from any of the information that's previously been listed, I just listed out for you, and the impact on the consumer's preferences, characteristics, psychological trends, preference, dispositions, behavior, attitudes, intelligence and aptitudes would all be considered to be personal information. Interestingly enough, employee data is exempted so we've got to figure out what that actually means, how does this play out.

Darshan: So what are the implications? So businesses must disclose data collection sharing practices to consumers. Consumers have the right to request that that data be deleted. So again, if you think about GDPR, this is reminiscent of the right to be forgotten.

Darshan: Consumers have the right to opt out of the sale or sharing of their personal information. Makes sense. Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent. Makes sense. So that's a opt-out, sorry, opt-in sort of knocked out. Companies must allow consumers to choose not to have their data shared with third parties. So if you are, say Google who's coming up with a new system, you need to basically say, "Would you like to opt-in to these services?" And chances are, you could just put a geo fence around California and say anyone who's up here is subject to it. But theoretically, do you really want to start restricting it? Maybe you do, maybe you don't.
