new California law, the California Consumer Privacy Act of 2018 (CCPA), may affect how you do business—even if your facility is not based in California. The law, which raced through the state legislature in June and was signed by Governor Jerry Brown almost immediately, is the first statewide legislation in the United States that not only applies to California businesses, but to any business that engages and sells services to California consumers online.
The CCPA was a compromise measure. Its quick execution was primarily to preempt an even more stringent alternative that was already slated for the state’s November ballot.
What is CCPA?
The CCPA gives California consumers greater protection and control of their personal data. Under the CCPA, consumers have the following rights:
Right to know ALL data collected by a business on them.
Right to say NO to the sale of their personal information.
Right to DELETE their data.
Right to be informed of what categories of data will be collected about them prior to its collection, and to be informed of any changes to this collection.
Mandated opt-in before sale of children’s information (under age 16).
Right to know the categories of third parties with whom their data is shared.
Right to know the categories of sources of information from whom their data was acquired.
Right to know the business or commercial purpose of collecting their personal information.
Private right of action when companies breach consumer data, to make sure these companies keep the information safe.
The Attorney General of the State of California will enforce the legislation. Penalties for noncomplicance include:
Consumer statutory damages of $100 to $750 per violation. Civil penalties of up to $7,500 for each violation.
Does the Law Affect Your Practice?
More than 500,000 small- to medium-sized businesses will be affected by CCPA, according to the International Association of Privacy Professionals (IAPP). But most individual medical practices and medspa businesses will likely not be immediately impacted. This is because one of the following three criteria must apply to your business:
Have annual gross revenue that exceeds $25 million;
Annually buy, sell, acquire or share personal information of 50,000 or more consumers; or
Generate 50 percent or more of your revenue by selling consumer information.
If your medspa or aesthetic practice—whether in California or another state—does not meet any of the three criteria, you are not forced to do anything at this time. However, if your business meets any one of these three criteria, you must take steps to become compliant. The good news is, enforcement will not start until January 1, 2020, so you have time to get up to speed.
Where Privacy Regulations Are Going
Although this specific law may not immediately affect your practice, consumer privacy legislation and concerns are not going away. These concerns are driven by recent news about consumer privacy and data issues, including Facebook’s Cambridge Analytica data breach scandal, privacy issues regarding the Federal Communication Commission’s removal of Net Neutrality, and Equifax’s customer data breach. Business Insider recently published an article listing 15 major stores from which customer data was stolen in the past year. This included brands such as Macy’s, Sears, Delta Airlines, Best Buy, Saks Fifth Avenue and even fast food retailers like Arby’s and Sonic.
What we are seeing is likely the tip of the iceberg. It is anticipated that a number of other states will follow California’s lead in developing laws to protect their constituents’ privacy and information.
Medical practices, particularly high-volume nonsurgical cosmetic practices that sell products to customers online and invest in highly targeted digital marketing, will need to continue keep their eyes open on this issue. Even if your practice does not fall within the criteria to require CCPA compliance, it may be affected. There are a number of direct and indirect consequences of this growing privacy issue.
Marketing. Changes in privacy laws will impact the medical aesthetic industry’s ability to continue laser-
targeting consumers based on their online behaviors, demographics, geo-specific locations, purchasing habits and other personal data. How you collect personal data to conduct internal marketing, particularly email campaigns, may also be affected.
For instance, to address consumers’ opt-out rights, the CCPA requires a “clear and conspicuous” link on the complying business’s home page titled “Do No Sell My Personal Information,” in addition to a link to the business’ privacy policy. As more consumers become acquainted with this visual call-to-action, they will likely expect it with all websites, and future legislation may require it for small-er businesses.
Increased Infrastructure and Compliance Costs. Complying with privacy concerns means additional expenses. For example, Google’s 2018 Chrome browser update (Chrome 68) visibly notifies users when a website is not secure ("HTTP" instead of "HTTPS"). That means practices may have to invest in a website upgrade.
Thanks to HIPAA demands, many aesthetic practices are already much further along in their processes, infrastructure and culture than businesses in other industries. Still, now is the time to work with your web developer and internet marketing providers to ensure compliance with privacy regulations and consumer expectations.
Bill Fukui is the director of sales and marketing at Page 1 Solutions, a full-service digital marketing agency serving dentists, attorneys and doctors. Contact him at [email protected].
Image copyright Getty Images