California Consumer Privacy Act of 2018

August 21, 2018

By Melissa Borrelli

Recently, California passed a sweeping new privacy law, the California Consumer Privacy Act of 2018 (the “Act”), which is being compared to the GDPR.

Mazars Insight

The Act raises a number of practical implementation and compliance questions for those health care entities subject to its stringent requirements.

The major provisions include the following four rights that apply to “consumers,” essentially defined as California residents:

  • Right to Know: consumers have the right to know what personal information a business has collected about them, where it came from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
  • Right to Opt Out: consumers can opt out of allowing a business to sell their personal information to third parties;
  • Right to Delete: consumers can request that a business delete their information, with some exceptions; and
  • Right to Non-Discrimination: those who exercise their privacy rights under the Act cannot be discriminated against in either service or pricing.

There are also protections for minors and numerous requirements regarding the process for consumers to exercise their rights. While the Act does not apply to protected health information, it does apply to “personal information,” which is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

A concerning part of the Act is the private right of legal action that allows consumers, either individually or as a class, to seek statutory or actual damages, injunctions, and other relief. Statutory damages can be between $100 and $750 per resident per incident, or actual damages, whichever is greater. The California Attorney General has also been empowered to enforce the Act, with the civil penalty for intentional violations up to $7,500 per violation (although what constitutes a “violation” has not yet been defined).

Conclusion

While compliance is not required until January 1, 2020, the Act will require significant changes and upgrades to policies, procedures, web sites, and data gathering/storing software systems. It will also result in the need to review third-party agreements, including Business Associate Agreements, and to expand risk assessments and monitoring of third parties.

The Mazars USA Health Care Consulting Group has decades of experience in privacy and information security compliance and operations. If you have questions or need assistance complying with the new Act, the GDPR, creating a vendor risk assessment process, a refresh of your HIPAA training, a review of policies and procedures, or are interested in obtaining HiTrust Certification, please contact us.

Mazars USA LLP is an independent member firm of Mazars Group.