There are several privacy regulations that marketers need to be aware of, especially marketers who are working in the healthcare sector.
These privacy acts are the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR).
While the CCPA and CPRA are specific to California and the GDPR is for companies in the European Union (EU), they are all still crucial for US marketers working in any state.
In this article, we’ll discuss each of these privacy acts and how healthcare marketers can ensure they remain compliant.
What is CCPA?
The CCPA is the privacy act that revolutionized how marketers and brands approach data privacy in the United States and beyond. It was signed into law in June 2018 and went into effect on January 1, 2020.
The CCPA intends to increase privacy rights for California residents. It accomplishes this by regulating how personal data flows between businesses.
Who it affects
Anyone who processes the personal information of a California resident should comply with CCPA. That includes companies that operate outside of California but still serve California consumers. As California represents the world’s fifth-largest economy, most mid-to-large businesses with an international presence will be impacted.
In particular, companies that meet the following criteria are required to comply with CCPA:
Earn a gross annual revenue of $25 million or more
Obtain the private information of at least 50,000 California residents, households, or devices per year
Generate at least 50% of the company’s annual income from selling California residents’ information.
What is required
Under the CCPA, consumers must be informed of what personal information they share with businesses. They also must have the option to forbid companies from selling their personal data.
Additionally, individuals can request that companies delete their data or stop selling their information. Companies must include a prominent link on their website titled “Do Not Sell My Personal Information.”
If a company does sell a person’s data, California residents have the right to sue them. There must be a mandatory opt-in to sell data for minors (classified as anyone under 16).
What is CPRA?
The CPRA is the follow-up to the CCPA and will go into effect on January 1, 2023. It builds on the CCPA with new provisions, including establishing the California Privacy Protection Agency (CPPA), a dedicated agency to interpret and regulate the law.
Also, under the CPRA, businesses need to give special notice to people if they intend to use or collect personal information. Finally, companies must wait at least 12 months before they can again ask for consent from individuals who have opted out of sharing their data.
Who it affects
The CPRA impacts the same people who are affected by the CCPA.
What is required
Businesses must follow the CCPA and all additional guidelines set out by the CPRA.
What is GDPR?
The EU enacted the GDPR in May 2018 to build on its existing data privacy protection framework, the Data Protection Directive, which was signed into law in 1995.
The GDPR gives EU citizens more say in how their personal data is collected, stored, and used. It requires businesses that collect personal data to protect that data from exploitation.
Who it affects
As with the CCPA, the GDPR impacts businesses globally. Any organization that serves EU citizens should follow GDPR guidelines.
What is required
Businesses need to assign a processor, who maintains records of the personal data held and how it is processed. They also need to assign a controller, who determines how and why data is processed in the first place.
Are You Compliant?
Staying on top of compliance can be challenging for marketers, but it is critical in today’s fast-paced digital world.
HealthLink Dimensions can help you build a digital healthcare marketing strategy that is compliant with the CCPA, CPRA, and GDPR. Contact us to learn more.