How a rushed California law will change the privacy and security landscape for mobile health apps

By Adam H. Greene
Share

About the Author: Adam H. Greene, JD, MPH, a partner and co-chair of Davis Wright Tremaine’s health information practice, and former Senior Health Information Technology and Privacy Specialist at the HHS Office for Civil Rights, where he was responsible for applying the HIPAA Privacy, Security, and Breach Notification Rules to health IT.

California passed the most comprehensive privacy law in the U.S. on June 28, 2018, with a compliance date of Jan. 1, 2020. For mobile health app developers, that date may seem far away, but the California law will require significant and challenging operational changes. It is unclear whether the law will apply to protected health information of mobile health app developers who are business associates under HIPAA. But for more consumer-focused apps that fall outside of HIPAA, the California law will certainly require significant changes, ranging from updating privacy policies to implementing a consumer right of erasure. The law will affect most businesses that do business in California and have information about California residents, even if the business is located outside of California.

The California Consumer Privacy Act of 2018 (Assembly Bill No. 375), or the CCPA for short, was passed after only a week of legislative debate in response to a ballot initiative that would have imposed more onerous obligations on businesses. A deal was struck that the backers of the ballot initiative would withdraw it if the California legislature instead passed comprehensive privacy legislation that met certain requirements by a June 28th deadline. The rushed CCPA was the result. While different in many respects from the EU’s General Data Privacy Regulation (GDPR), the CCPA is the closest U.S. law to the GDPR, in that it applies to practically any consumer information and it provides a broad range of privacy rights with respect to such information.

The CCPA governs all “personal information,” whether collected online or offline. Unlike most state breach notification laws, the CCPA’s definition of personal information is not limited to sensitive categories of information, but rather includes any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household and that is not publicly available. It does not include de-identified or aggregated consumer information; however, the definition of what constitutes de-identified or aggregated data is limited. Accordingly, if a mobile health app developer has any information about a consumer or household that is not publicly available, it may fall under CCPA, unless it has been de-identified (either a de-identified individual record or part of a de-identified aggregate data set).
The CCPA governs all for-profit companies that do business in California that meet one of the following criteria:

  • Gross revenue (not limited to California) of more than $25 million;
  • Annually handles personal information of 50,000 or more California residents, households, or devices; or
  • Derives 50% or more of its annual revenue from selling California residents’ personal information.

The CCPA excludes protected health information of a “covered entity” under HIPAA, or medical information governed by the California Confidentiality of Medical Information Act (“CMIA”). Because it only excludes protected health information of covered entities under HIPAA, a court or regulator may interpret that protected health information held by a business associate is not exempt and, instead, is subject to the CCPA and its penalties. Accordingly, if a mobile health app developer is a business associate under HIPAA, there is a risk that CCPA applies to any personal information of California residents.

Additionally, while the CMIA broadly governs medical information held by personal health record vendors, it does not govern many other types of mobile health apps (which would therefore potentially be subject to CCPA). For entities that are subject to the CMIA (such as personal health record vendors), the CCPA excludes medical information, but still seems to apply to other information (such as demographic information of consumers, or any personal information of California employees).

If the CCPA applies to a mobile health app developer, then some requirements include:

  • If the app developer sells personal information, then the developer’s homepage must include a clear and conspicuous link titled “Do Not Sell My Personal Information” that allows California residents to opt out of the sale of their personal information. A California resident may opt out of the sale of their personal information, while the app developer may only sell data of California residents who it knows are under 16 years of age if they, or their parents or guardians if the residents are under age 13, affirmatively opt in.
     
  • The app developer will need to inform a California resident, at or before the point of collection, about the categories of information the mobile app will collect and the purposes for which the categories of personal information will be used.
     
  • A California resident can request, and the app developer must provide within 45 days, information about:
    • The categories of personal information collected about the consumer;
    • The sources from which the information was collected;
    • The business or commercial purposes for collecting or selling the personal information;
    • The categories of third parties with whom the app developer shares personal information; and
    • The specific pieces of personal information that the app developer has collected about the consumer.
       
  • A California resident will have the right to request that the app developer erase any personal information about the consumer, except that there are numerous exceptions, including if the personal information is solely to enable internal uses that are reasonably aligned with the consumer’s expectations. This may lead to significant fights over what information needs to be erased because its use is outside of reasonable expectations.

The California Attorney General will be able to fine a business $7,500 for each violation of the CCPA. Each California resident’s information potentially represents a separate violation. But the business will be able to avoid fines if it cures any violation within 30 days of notification. It is unclear how an impermissible disclosure that has already occurred can be “cured.”

The biggest concern is the private right of action. California’s existing breach notification law applies to a more limited definition of “personal information” (information such as name and medical information or Social Security number). The CCPA provides California residents with a private right of action where they can receive between $100 and $750 per violation for a breach in which their unencrypted personal information (as the term is more narrowly defined in the existing breach notification law) is accessed, exfiltrated, stolen, or disclosed as a result of the failure of a business to implement reasonable security practices. Accordingly, if a mobile health app developer has a breach that includes 10,000 California residents, for example, then this can mean a class action for $7.5 million, even if there is no evidence of actual harm to the consumers. The CCPA includes a defense if the violation is cured within 30 days, but it is unclear how a breach can be “cured.”

Jan. 1, 2020 may seem like a long way away. But it is not too early for mobile health app developers to start addressing whether the CCPA will apply, from where they are collecting personal information, to whom is it being sold, how can they erase individuals’ records, and how will they need to change their privacy notices. Most importantly, if the app developer’s business model includes sale of personal information, the developer should consider how this will be impacted by notice and opt out provisions, and strict opt-in requirements for children’s personal information. If you are not ready by January 2020, the plaintiffs’ attorneys likely will be — and will be watching for violations.