California Consumer Privacy Act of 2018
The California Consumer Privacy Act of 2018 (CCPA), which grants California residents new rights with respect to the collection and sale of their personal information, will go into effect on January 1, 2020. To learn more about the CCPA and how it impacts people, you can visit the California Attorney General's CCPA homepage.
1) The right to request disclosure of your business’ data collection and sales practices in connection with the requesting consumer, including the categories of personal information you have collected, the source of the information, your use of the information and, if the information was disclosed or sold to third parties, the categories of personal information disclosed or sold to third parties and the categories of third parties to whom such information was disclosed or sold;
2) The right to request a copy of the specific personal information collected about them during the 12 months before their request (together with right #1, a “personal information request”);
3) The right to have such information deleted (with exceptions);
4) The right to request that their personal information not be sold to third parties, if applicable; and
5) The right not to be discriminated against because they exercised any of the new rights.
The CCPA requires covered businesses to make disclosures in their public-facing privacy policies, in addition to those disclosures already required by current law, and to update such disclosures annually, starting January 1, 2020.
[i] Note that the CCPA’s requirements do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. Moreover, providers of health care subject to CMIA and covered entities subject to HIPAA are not covered businesses under CCPA if they maintain all patient information in the same manner they maintain “medical information” or “protected health information” subject to CMIA and HIPAA, respectively. CCPA also exempts information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act or the California Financial Information Privacy Act, and contains other exemptions as well. In contrast, the GDPR has no such carve-out for health-related data.