As high-profile data breaches become more commonplace, states are taking measures to protect their residents. Fifteen states have introduced privacy legislation aimed at protecting consumer information and the federal government is considering proposals for national standards. Two significant privacy measures have recently taken effect: the California Consumer Privacy Act and Nevada SB 220.
The California Consumer Privacy Act is considered the most comprehensive U.S. privacy law to date. When it takes effect Jan. 1, 2020, it will allow Californians to opt out of having their personal information sold. What sets the California measure apart from other privacy laws is its sweeping definition of personal information. Under CCPA, protected information doesn’t need to directly identify a consumer; if it can reasonably be associated with someone, it’s considered sensitive. Examples of the personal information covered include aliases, IP addresses and employment information.
Nevada SB 220 amends the existing Nevada Privacy of Information Collected on the Internet from Consumers Act to provide consumers a right to opt out of the sale of their personal information. Its protections are narrower than California’s, however: it covers consumer information only if it directly identifies an individual, such as a name or Social Security number. The provisions of SB 220 went into effect earlier this fall.
Why is it important for companies to be aware of these privacy laws? First, failure to comply can lead to heavy consequences. For example, the penalty for an intentional violation of the California Consumer Privacy Act is a fine of $7,500 – per violation. Violate the privacy of 10,000 consumers at once and your organization will pay a steep fine. Second, no one expects privacy law developments to slow down any time soon. As various states continue to develop their privacy standards, businesses need to remain attentive to the changing landscape. Here are three tips to help companies prepare for evolving privacy regulations.
The most important factor in privacy law compliance is simple: It’s your company’s responsibility to know what data is collected, how it’s being processed and how recipients will use it if it’s sold or shared. Using the California act as an example, when a privacy violation occurs, a company can be held responsible if it was involved at any point in the process. Best practice is to delete information no longer needed to avoid accidental violations. It’s also important to invest in security and have a policy in place in case of data breach.
Organizations should know when one law ends and another begins. For example, the California Consumer Privacy Act has an exemption for companies regulated by the Health Insurance Portability and Accountability Act; however, whether the exemption applies depends on why the information is collected. If protected health information is collected for medical reasons, then it’s governed by HIPAA. However, if a company collects personal information about people who are not yet patients but may become so in the future, it may well be in danger of violating California’s measure if the data is not properly protected.
When trying to be compliant with privacy laws, efficiency is key. Organizations should prepare to process consumer requests for access to or deletion of their personal data quickly and accurately. Failure to meet these requests within a certain timeframe can lead to penalties. Look into privacy management technology to streamline this process instead of relying on manual solutions.
It’s important to remember that privacy laws apply wherever an organization does business, not just where it’s headquartered. People do not always receive health care services in the state where they reside, so a business located in a state without its own privacy regulations could still be liable under other states’ laws; this is even more relevant for companies offering health and medical products. As the health care industry continues to digitize, organizations need to think through their data collection and protection processes to ensure they can easily adapt to evolving privacy standards.