CCPA & Digital Contact Tracing applications
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and went into effect on January 1, 2020.[1] Signaling a new direction in state data privacy and consumer protection, the CCPA established important rights and protections for California residents with regard to the collection, use, disclosure, and the sale of their personal information.[2] While elements of the CCPA’s regime of rights and consumer protections can be found in other U.S. laws regulating particular sectors or particular identified privacy risks, the CCPA arguably regulates the collection, use and sharing of personal information more broadly than any prior U.S law. [3] In fact, it is said to be the most aggressive privacy law in the U.S.[4]
The CCPA defines personal information broadly to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a parituclar consumer or household.”[5] Broadly, the CCPA grants California residents several important privacy rights with respect to their personal information. First, the Act entitles consumers the right to be informed of the categories and specific pieces of personal information being collected and the purposes for which such information shall be used by a business that has collected such information within the past year, sold to a third party, or disclosed to another person for a business process.[6] Second, the Act requires entitles consumers the right not to have additional personal information collected without further information collected without further notice. [7] Third, the Act entitles consumers the right to request deletion of personal information.[8] Fourth, the Act entitles consumers the right to know whether personal information is being sold or disclosed and to whom.[9] Fifth, the Act entitles the consumers the right to opt out of the sale of personal information.[10] Sixth, the Act provides the right to equal services and prices regardless of whether they exercise prices regardless of whether they exercise privacy rights under the CCPA.[11] It should be noted however, that despite these protections, personal information does not include publicly available information, de-identified information, or aggregate information.193 It also does not include information protected by HIPAA.[12]
Under the CCPA, a covered business is any for-profit entity, including a sole proprietorship, partnership, or corporation, that (1) operates in California, (2) collects or receives consumers’ personal information, and (3) satisfies any of the following thresholds:[13] earns more than $25 million in annual gross revenue; buys, sells, or receives the personal information of 50,000 or more California residents; or derives more than 50% of its annual revenue from the sale of California residents’ personal information.[14]
Even Though the CCPA could possibly cover a digital contact-tracing application, the circumstances in which it would apply are narrow. Since the CCPA pertains only to for-profit businesses, it would not cover applications created by state or local public health authorities.[15] However, it could, apply to a private contractor that develops and runs an application for a state or local agency. Likewise, whether the CCPA is applicable would hinge on the type of data an application collects. Because the CCPA only applies to personal information and excludes information covered by HIPAA,[16] it likely would not cover contact tracing applications that collect only an anonymous identifier or that link an anonymous identifier with a COVID-19 diagnosis. On the other hand, the CCPA could apply to apps that collect users’ location data or other personal information to the extent that the collected information is not PHI subject to HIPAA.
[1] California Amends Online Privacy Policy Law to Require Tracking Disclosures, HUNTON ANDREWS KURTH PRIVACY & INFO.SECURITY LAW BLOG (Sept.30, 2017), https://www.huntonprivacyblog.com/2013/09/30/california-amends-online-privacy-policy-law-to-require-tracking-disclosures/.
[2] California Consumer Privacy Act of 2018, CAL.CIV.CODE § 1798.100 (2018) (effective Jan.1, 2020).
[3] California Amends Online Privacy Policy Law to Require Tracking Disclosures, HUNTON ANDREWS KURTH PRIVACY & INFO.SECURITY LAW BLOG (Sept.30, 2017), https://www.huntonprivacyblog.com/2013/09/30/california-amends-online-privacy-policy-law-to-require-tracking-disclosures/.
[4] Id.
[5] Cal. Civ. Code § 1798.140 (o) states:
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household”
§ 1798.140 (o) (1) (effective Jan.1, 2020).
[6] Id. § 1798.100.
[7] Id.§ 1798.120(a); Id.§ 1798.120 (c).
[8] Id. § 1798.105(a).
[9] Id. § 1798.120(b).
[10] Id.§ 1798.120(a); Id.§ 1798.120 (c).
[11] Kristen J. Mathews & Courtney M. Bowman, The California Consumer Privacy Act of 2018, PROSKAUER ROSE LLP: PRIVACY L.BLOG (July 13, 2018), https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018.
[12] CAL. CIV. CODE § 1798.145(c)(1)(A)
[13] Id. § 1798.140(c)(1).
[14] Id. § 1798.140(c)(1)(A)–(C).
[15] § 1798.140(c)(1)
[16] Id. §§ 1798.140(o)(1), 1798.145(c)(1)(A).