CHA News

Governor Signs Bills Amending Consumer Privacy Law

For CEOs, legal counsel

This post has been archived and contains information that may be out of date.

Gov. Gavin Newsom signed three bills this session that amend the California Consumer Privacy Act of 2018 (CCPA), which is slated to take effect Jan. 1. The CCPA gives consumers the right to know what information a business holds about them, to restrict a business from sharing their information, and to have a business delete information about them; it also assures other privacy rights.

The law exempts non-profit organizations from the definition of “business,” and exempts information protected by the Confidentiality of Medical Information Act or HIPAA.

However, investor-owned facilities that have over $25 million in annual revenues were scheduled to be required to comply with the CCPA with respect to employee, medical staff, and business-to-business transaction information, as well as information collected about visitors or others.

At the request of CHA and others, the Governor signed Assembly Bill (AB) 25 (Chau, D-Arcadia), which exempts from the CCPA personal information collected about a job applicant, employee, owner, director, officer, medical staff member, or contractor until Jan. 1, 2021 — except for the requirement to tell these individuals the categories of information collected about them.

In addition, Gov. Newsom signed AB 1355 (Chau, D-Arcadia), which exempts personal information collected during business-to-business communications until Jan. 1, 2021. This one-year delay will give stakeholders time to negotiate a compromise on employee privacy rights.

Finally, AB 874 (Irwin, D-Thousand Oaks) was signed to narrow the definition of “personal information” and exempt de-identified information from CCPA requirements.

Investor-owned facilities should review their information collection practices to determine whether they must comply with the CCPA for information related to gift shop or cafeteria patrons, visitor parking lot users, or visitor management. Not-for-profit facilities should review their corporate structure to determine if they manage any for-profit subsidiaries or affiliates that collect consumer information subject to the CCPA.