Listen to the content...
Voiced by Amazon Polly

Tim Kosty, R.Ph., M.B.A.

On January 1, California implemented the California Consumer Privacy Act (CCPA) that was passed in 2018. The CCPA was a compromise in place of a more aggressive approach passed in a 2017 ballot initiative. The ballot initiative was rescinded as part of the negotiations to pass the CCPA. Here we review the reasons California politicians felt the need to pass the CCPA, specific provisions, and the potential impact on consumer privacy laws.

Control over Consumer Information and Use

Two high-profile programs illustrate the consumer privacy issues. The Wall Street Journal reported on Google’s “Project Nightingale” (WSJ, Nov. 11, 2019). Google contracted with Ascension to obtain patient healthcare data from Ascension’s 2,600 hospitals, doctors’ offices, and other facilities. As a result of that project, 150 Google employees have access to data on millions of patients with the stated purpose to “design new software, underpinned by AI (artificial intelligence) and machine learning, that zeroes in on individual patients to suggest changes to their care,” says the Wall Street Journal article.

Google’s project goals are “ultimately improving outcomes, reducing costs, and saving lives,” says Tariq Shaukat, president of Google Cloud. Google is not charging Ascension for the project. Ascension stated that “it hopes to mine data to identify additional tests that could be necessary or other ways in which the system could generate more revenue from patients,” according to the article. This program is protected under the healthcare operations exemption under HIPAA. However, how many Ascension patients would proactively agree to share their personal healthcare information with Google?

The second example, reported in the WSJ on Aug. 22, 2019, concerns the disclosures made by FamilyTreeDNA to the FBI. According to author Amy Dockser Marcus, the FBI approached the FamilyTreeDNA president about helping solve heinous crimes by using the genetic information from the company’s customers to generate investigative leads. When a match was found, the FBI was provided information on the customer, including contact information and percentage of DNA in common with the suspect. FamilyTreeDNA received an avalanche of negative publicity and was forced to publicly apologize for its actions in an attempt to placate customers.

These examples bring up two questions:

  • What have I signed up for?
  • How do you create regulations and plan for advances in technology?

Consumers seem to value convenience over privacy. For example, how many readers have read the cookie or privacy policy of their favorite websites? I haven’t met anyone who reads these policies; we are more interested in the information we are seeking than protecting our web-surfing habits. These issues led California to debate and pass the CCPA.

California Consumer Privacy Act of 2018

The California Constitution includes the following:

  • The right of privacy among the “inalienable” rights of all people, “a legal and enforceable right of privacy for every Californian.”
  • Allowing consumers to control use of their personal information.
  • The reasonable expectation of privacy even when citizens disclose their personal information to a third party.
  • The findings and declarations in the CCPA preamble state:
  • Businesses profit from buying and selling personal information for commercial purposes.
  • Californians have lost control over their ability to protect and safeguard their privacy; that’s why the CCPA needed to be passed and implemented.
  • Consumers are in a position of relative dependence on businesses that collect their information.

Consumers should be able to control the use of their personal information and stop businesses from selling it.

California Consumer Rights


Examples of Personal Information (PI)

·  Email address

·  IP address

·  Real name, alias Real name, alias

·  Social Security Number

·  Geolocation data

·  Biometric data

·  Internet activity

·  Psychometric information

·  Inferences from other PI data collected

The following list is a summary of the CCPA main provisions concerning consumers’ privacy rights:

  • The right to know what personal information (PI) a business has collected about them, where it was sourced from, what it is being used for, and whether it is being disclosed or sold and to whom.
  • The right to “opt out” of allowing a business to sell their PI to third parties
  • The right to have a business delete their PI, with some exceptions.
  • The right to receive equal service and pricing from a business, even if they exer-
    cise their privacy rights under the CCPA.
  • Businesses Required to Comply with THE CCPA
  • The CCPA applies to businesses that conduct business in California. One of the following three criteria must be met.
  • Annual gross revenues of $25 million.
  • Buys or sells the personal information of 50,000 or more consumers.
  • Derives 50% or more of its annual revenue from selling consumers’ PI.

Not-for-profits, small companies and/or those that don’t traffic in large amounts of personal information, and do not share a brand with an affiliate that is covered by the act, will not have to comply with the act.

Do you have a question about CCPA? Share it below

Right to Say No to the Sale of Personal Data

A business that sells consumers’ personal information must disclose that information to consumers for the consumer to have the right to opt out. The consumer has the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer’s personal information. A business that received notice from a consumer not to sell the consumer’s personal information shall be prohibited from doing so. Finally, consumers can reverse course and authorize sale of PI after they have opted out.

Business Compliance

Businesses required to comply with the CCPA must make available to consumers two or more designated methods for submitting requests for information — at minimum a toll-free telephone number and a website address. Businesses must disclose and deliver the required information to a consumer free of charge within 45 days after receiving a verified request. Businesses must ensure all individuals responsible for handling consumer inquiries about the business’s privacy practices are informed of all the requirements. Finally, a business is not required to provide information to the same consumer more than once in a 12-month period.


The CCPA lists several exemptions to the law. Specifically, it does not apply to:

  • Protected health information (PHI) that is collected by a covered entity governed
    by HIPAA. Requirements for handling and managing PHI and the covered entity
    from the federal privacy rule shall apply.
  • Businesses that collect and sell a consumer’s personal information if every
    aspect of such commercial conduct takes place entirely outside of California.
  • Cooperation with law enforcement agencies concerning conduct or activity
    that the business reasonably and in good faith believes may violate federal, state, or
    local law


Pharmacy Impact

The impact on pharmacy operations with the CCPA should be minimal with the HIPAA exemption. However, the CCPA will impact big retailers, with their consumer loyalty programs and other consumer engagement strategies. The CCPA will require retailers with operations in multiple states to decide whether to implement separate California processes or adopt the new CCPA across all states to ease administrative overhead. At a minimum, the CCPA raises awareness on patient privacy concerns and should cause management and their IT departments to revisit security processes and procedures.

Unintended Consequences

Time will tell whether the CCPA will be a model consumer privacy law for other states to adopt similar laws or privacy regulations. For businesses that must comply, the CCPA will create higher administrative costs, including internal auditing of compliance with new policies and procedures. The CCPA will create litigation exposure that will likely be tested sooner rather than later. Will this be a new secret shopper service that tests companies’ compliance? Finally, the CCPA has the potential to slow down innovation leveraging the latest technology and data analytics.

Will It improve Consumer Privacy Controls?

The CCPA will likely have a minimal impact on changing consumer behavior. Consumers want convenience and are willing to give their personal information to businesses that provide the services desired. There will be some consumers who opt out and force businesses to demonstrate compliance. The result is that technology will keep changing faster than legislation can hope to keep up. CT

Tim Kosty, R.Ph., M.B.A., is co-founder of Pharmacy Healthcare Solutions, and has more than 30 years of pharmacy experience, predominantly in upper-level management.
He can be reached at