California's new Consumer Privacy Act, the toughest data privacy law in the nation, will impose stringent new requirements on the state's high-profile tech companies in 2020. Its impacts on the life sciences industry, though, remain unclear. Although the law is fraught with the potential to add new regulatory burdens to companies from drug developers to medical device-makers, efforts are underway in California's capital, Sacramento, to address the industry's concerns. They face a short window of opportunity to make small fixes in a complex and hastily passed law, suggesting that more substantive work will have to wait until next year.
The act, also known as Assembly Bill 375 or the CCPA, requires covered businesses to disclose the categories of personal information they collect, sell or share about California consumers. It gives those consumers a right to opt out of the sale of their personal information, a right to its deletion, and rights to receive a copy of "specific pieces" of it, among other obligations, attorneys for the law firm Morrison Foerster recently explained. Personal information is broadly defined in the act, but specifically described as including biometrics: physiological, biological, behavioral, or health details, including DNA.
California's legislature rushed the bill to passage in June during a last-ditch effort to head off an even more stringent privacy initiative that would have appeared on the state's November ballot. Because California ballot propositions can create new rules that are difficult to amend or repeal, legislators were highly motivated to enact a substantive response to the California voters who handily supported the proposition's inclusion on the ballot. By passing the CCPA, legislators convinced the initiative's authors to pull it from consideration. Still, AB 375 retained significant power to govern the handling of personal information, at least some of which has potential to apply to life sciences companies.
The act will apply to for-profit businesses that collect and control California residents' personal information, do business in the state, and meet one of the following conditions: having annual gross revenues in excess of $25 million; receiving or disclosing the personal information of 50,000 or more California residents, households or devices on an annual basis; or deriving 50 percent or more of their annual revenues from selling California residents' personal information. It can be enforced by the California attorney general, subject to a 30-day "cure period" for violations. The civil penalty for intentional violations is steep: up to $7,500 per violation.
The act also provides a private right of action in connection with certain unauthorized access and exfiltration, theft or disclosure of a consumer's nonencrypted or nonredacted personal information, events that seem to find their way into the headlines with increasing frequency.
To sidestep at least some of the potential conflicts with existing state and federal legislation, the CCPA specifically disclaims an application to health information covered by California's Confidentiality of Medical Information Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA). But depending on who you ask, those exceptions may not be as airtight or protective as they may have been intended to be, Brett Johnson Sr., director of policy and regulatory affairs for the California Life Sciences Association (CLSA), told BioWorld. "There's still some question as to the use of third parties to handle product complaints and adverse event reports," Johnson said, noting that those arrangements are "crucial to protecting patient safety."
The CLSA is also hearing concerns about the potential impact of the CCPA on real-world trials and other trial-related data collection, both data required by the FDA and data collected by companies through smartphone apps or other devices. "That data can touch many hands. And, while most of those protocols are already overseen by institutional review boards, here we have a state law that's creating another regulatory liability and another compliance hurdle," Johnson said.
Ultimately, the added layers of compliance could slow clinical research, Fielding Greaves, director of state government and regional affairs at the Advanced Medical Technology Association, recently told Bloomberg Law.
The CCPA has been likened to the EU's recently enacted General Data Protection Regulation, but with regulations developed to implement the CCPA not due to go into effect until Jan. 1, 2020, the urgency to address industry's concerns isn't quite as intense yet. Still, there may be less time to shape the CCPA's implementation than companies think, at least in the near term.
With California legislators returning from their summer recess Monday, they have just three weeks before Aug. 24, the last day to work through technical fixes to the act. The legislative session ends on Aug. 31. With a race to the general election in November and an orientation period for new legislators taking up much of December, little more is likely to happen until next year.
There appears, so far, to be a commitment from both the legislature and industry to pursue technical fixes that will iron out some of the open questions regarding its impacts, CLSA said. "I don't think there's a single member of the legislature whose intent is to limit clinical research," Oliver Rocroi, senior director of state government relations for CLSA, told BioWorld. "Life science companies have the benefit that our business model is not to sell data. In our case, we're just trying to protect our ability to conduct research."