Digital Communications & Technology in Healthcare Blog DMD Intelligence

This is the sub-headline of the hero

5 min read

Data Privacy Update: How to License Email Addresses Under CCPA

On October 10, 2019, the California Attorney General released draft regulations intended to provide clarification around the implementation of the California Consumer Privacy Act (CCPA). These regulations offer important guidance to companies that license personal information such as email addresses.

The regulations distinguish between companies that collect personal information through a first-party relationship with the consumer and companies that obtain personal information through a third-party relationship.

What’s the difference between first-party sourced and third-party sourced data? A first-party relationship is established when a consumer (remember: healthcare providers are consumers too!) enters personal information at a company owned website. There is no “middle man” collecting data between the company and the consumer. DMD data is 100% first-party sourced; all healthcare provider and patient consumer data we collect, including opt-in, is through a first-party relationship with the individual.

Third-party relationships describe data sellers who license data from another seller, or when the data seller collects personal information without an opt-in by scraping, manufacturing or aggregating.

Since CCPA aims to provide consumers with more visibility into which companies are using their personal information and how it is being used, CCPA mandates that vendors selling third-party sourced data do one of the following:

  • Contact the consumer directly to provide notice that the business sells their personal information and provide the right to opt-out as specified by the CCPA. This last part is very important. Many data sellers who do not have a first-party relationship often claim they have an opt-in because they send an email to the consumer with a general statement such as: “if you don’t opt-out, we will assume that you opted-in.” According to CCPA, however, email notices such as these have to have specific formatting and language. This means than any previous notification by a vendor to the consumer will not count under CCPA. All data sellers licensing third-party sourced data will need to send a new CCPA-compliant notice to their database prior to the January 1st effective date of this new law.
  • Obtain, in writing, a guarantee that the initial source of the personal information provided a CCPA-compliant notice to the consumer and include an example of this notice. In this scenario, if a data seller obtained personal information from three different sources (which is not uncommon for vendors who aggregate data) they would be required to provide three written legal guarantees that the information was collected in a CCPA-compliant manner along with example notices from each source.

The Bottom Line

Licensing personal information, including an email address, from a data seller who has a first-party relationship with the consumer (whether patient or healthcare provider) will reduce the potential risk of non-compliance with CCPA.

  • Data sellers who source personal information using third-party methods have a greater burden under CCPA, and are required to contact each consumer in the manner specified by the law or provide a written guarantee, with proof, that the data was collected in a CCPA-compliant manner.
  • Companies that license personal information from a data seller can be held accountable when that data is non-compliant with CCPA. Companies that do not ensure that the licensed data was collected in one of the ways described above, open themselves to penalties or even lawsuits under CCPA.

What Should You Do Next?

  1. License personal information from data providers who have established first-party relationships with healthcare providers and patient consumers – but make them verify their work by demonstrating it to you. Insist that these data providers show you examples of how they collect first-party sourced personal information, as well as demonstrate how the collection method complies with the CCPA. Archive this proof of a first-party relationship in case it is ever needed in a lawsuit or penalty action.
  2. If you have to use a data provider who does not have a direct, first-party relationship, ensure they provide you with documented examples of how they comply with the CCPA regulations discussed above. At a minimum, this documentation should consist of either their CCPA-compliant communication with consumers or the written guarantee from the original source of data that collection occurred in a CCPA-compliant manner.
  3. Ask these questions of any seller of personal information:
    1. Did you collect this information directly from the consumer:
      1. If “yes” then request proof of this first-party relationship and archive it.
      2. If “no” then go to question b.
    2. Have you communicated with each consumer (probably through email) to provide them a CCPA-compliant Notice of Collection and to provide them a CCPA-compliant Notice to Opt Out?
      1. If “yes” then collect proof of this communication and archive it.
      2. If “no” then obtain a written guarantee that the source of the personal information collection did so in a CCPA-compliant manner. For each source of information, obtain an example of the CCPA-compliant Notices and archive them.

The New Landscape of Data Privacy

The CCPA creates a brand new landscape for healthcare marketers. Companies that license personal information must now understand the source of that information and exactly how it was collected. In all cases the company licensing the data should request CCPA-compliant documentation from the data seller and archive this information in case of a lawsuit or penalty action. Continuing to take a data provider’s verbal assurances regarding sourcing exposes your company to significant risk under the law.

Ebook

The Ultimate Email Authentication Guide

Strategic insights, technology tools and tips from the industries leading healthcare data pros.

About DMD

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.