California’s new privacy rules, the California Consumer Privacy Act (CCPA), took effect early this year. The CCPA is the state’s effort to protect the privacy of California residents by setting ground rules for collection and use of their “personal information.” These rules have caused quite a lot of confusion, however. High on the “confusing” list: information covered by other privacy-related laws such as HIPAA and Gramm-Leach-Bliley Act (GLBA).
The CCPA is very clear that information covered by such other privacy laws is exempt from CCPA requirements. This is a welcome exception, presumably enacted in order to avoid increasing the burden on companies that must comply with other privacy laws.
Unfortunately, the exception only applies squarely to the limited sets of information specifically defined in those laws (such as “personal health information” for HIPAA). The exception does not apply to any other “personal information” that might be covered by the CCPA’s extremely broad definition.
Thus, for example, a health care entity covered by HIPAA might find itself having to comply with both laws: the HIPAA requirements regarding health data, and also with the CCPA requirements covering any non-health-related “personal information,” such as credit card, Social Security number, email address, and so forth. The same is true of any company covered by an existing privacy regime and now subject to the CCPA.
In order to understand your compliance requirements, it is critical that you know what data you capture about California residents and what you do with it. Because the rights and obligations may be very different under your existing privacy rules and CCPA, you should talk about that data with qualified privacy counsel.
For most businesses, the bottom line is this: be careful when relying on any of the CCPA’s exceptions for existing privacy law. They are not as broad as they seem.