Is GDPR Coming to the US? CCPA and Its Impact on Research
Remember the older episodes of The Price Is Right with Bob Barker, when the announcer would tell the contestant they could win “a brand-new car!” and then proceed to describe the car? Part of the description was always that the car had “California emissions.” Why was that? What was so special about California? It turns out the state of California had different, more restrictive pollution rules than the rest of the country; if you wanted to sell cars in California, you had to meet the California standards. It was difficult for car manufacturers to produce separate cars just for California, so eventually the country normalized on one standard, which looked a lot like the original California emissions standard.
Why are we talking about car emissions? Well, the new California Consumer Privacy Act of 2018 (CCPA), which went into full effect with penalties in force as of July 1, 2020, is doing for privacy regulations what California did to vehicle emission standards all those years ago.
You may be asking, why do I need to know about California state privacy regulations? In short, because the new California regulations apply to companies that have information about residents of California, regardless of where the company is located. So, these new regulations may impact you even if you are not headquartered in the state.
In this blog we are going to explore the basics of the CCPA, and specifically its impact on research.
The Basics
California’s regulation is modeled on the European Union’s General Data Protection Regulation (GDPR). If your company complies with GDPR, then you likely already have the necessary compliance framework to comply with CCPA. Similar to GDPR, the CCPA generally applies to all types of data, not just certain research-related data. And CCPA applies beyond the state, meaning it doesn’t matter where you are processing or holding the data: If the data originated from residents of California, then CCPA potentially applies to that data.
Very similar to GDPR, the CCPA gives residents of California certain rights under the Act:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to provide or post public notices regarding their privacy practices. Those notices must give residents at least two ways to send a request to learn what information a company knows about them.
Applicability
The CCPA applies, with some limited exceptions, to personal information collected from residents of the State of California. Personal information under CCPA is information that identifies, relates to, or could reasonably be linked with the resident or their household. For example, it could include name, social security number, email address, medical records, records of products purchased, internet browsing history, geolocation data, etc. Certainly, most identifiable research-related data qualifies.
Protections under the Act follow the data. The resident from whom the data originated is afforded the basic rights listed above.
CCPA requirements apply to certain companies that retain or process CCPA-protected data. Any for-profit business that “does business in California” and meets any of the following must comply with CCPA:
- Have a gross annual revenue of over $25 million (not just revenue in California: revenue for the whole company); OR
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; OR
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
Note these are all “OR” conditions. A large business with a small presence in California may have to comply with CCPA even if they only have personal information about one resident. Companies also must “do business” in California (e.g., have a business license somewhere in the state).
CCPA does not apply to non-profit or government entities.
Implications for Research
CCPA applies to personal information about residents of the State of California. Hard stop. So, just like GDPR, data generated specifically for research is not immune to the protections afforded by CCPA. Non-profit and government research entities are specifically excluded, which means most university research programs do not need to concern themselves with CCPA compliance (there are plenty of other California-specific research regulations for them to worry about).
However, keep in mind that the Act’s protections and rights apply to the data. If a non-profit institution that does not need to comply with CCPA sells or transfers personal information (e.g., research data, bio-specimen banks, etc.) to a for-profit business that meets the above requirements, then the protections afforded the data transfer with the data. Sponsors, CROs, and for-profit research centers receiving personal information from non-profit research institutions in California need to pay careful attention.
CCPA also provides a specific research exception to the resident’s right to delete information. The exception is limited and has not yet been tested in court. However, the exception essentially allows for-profit businesses to forgo a resident’s request to delete personal information if the information was originally gathered in the public interest under informed consent as part of a research study in accordance with applicable ethics laws, and such deletion from the research records would “likely render impossible or seriously impair the achievement of the research.” A fairly high bar. The exemption applies only to the right of deletion. Other CCPA protections continue to apply. There are a few other specific exemptions from CCPA. It is recommended that businesses to whom the CCPA applies get some help to best understand how the CCPA may apply to them.
Penalties for non-compliance are enforced by the California Attorney General against companies that do not comply with CCPA requirements (e.g., failure to post a compliant privacy policy) and range up to $7,500 for each violation. Similar to HIPAA enforcement by the Office for Civil Rights and to GDPR, violations are counted “per incident, per consumer,” so fines for noncompliance rack up fast and could be hefty.
Conclusion
For many years, the saying “as goes California, so goes the nation” has held true. Time will tell if CCPA will end up being the model for data protection in the US. Many other countries have adopted GDPR-like standards; CCPA may force the US to follow suit across the country. One thing is clear: GDPR and CCPA are now in effect, and all organizations, be they research or otherwise, have to pay attention and comply.
If you need help evaluating how CCPA, GDPR, or other regulations apply to your organization, contact Advarra Consulting for support.