As we’ve previously reported, the California Consumer Privacy Act (CCPA) has an overarching objective to give consumers control over their personal information, yet it looms as the first general consumer privacy law that will affect all domestic US industries, including healthcare. In the continued absence of any all-encompassing federal legislation, the CCPA will set a new standard for treatment of consumer information. While many health-focused enterprises will be subject to the CCPA directly, others will need to understand its terms either because they provide services to businesses subject to the CCPA, or because the CCPA will set baseline consumer expectations relative to individual “anticipated” options and the treatment of their personal data.

Already in effect as of January 1, 2020, the intent of the CCPA is to strengthen consumer rights and promote transparency. Four of the most important rights given to consumers by the CCPA include:

1)The right to be told what personal information has been collected within 45 days of submitting a request

2) The right to instruct business not to share consumers’ personal information

3) The right to request a copy of any personal information collected by the business during the previous 12 months

4) The right to continue as a customer after exercising any right protected by the CCPA. In other words, businesses can’t discontinue a commercial relationship just because an individual demands access to his or her personal data

Interestingly, the CCPA considers an individual’s name, IP address, and Social Security number to be consumer’s personal information, but It does not consider medical or health information that has been collected in accordance with California’s Confidentiality of Medical Information Act (CMIA) 1, as one of the categories of information; this has been explicitly excluded by the CCPA. To add a further bit of confusion, medical information is not collected in accordance with HIPPA.  This creates an interesting dilemma for employers and health agents as they strive to comply with federal and state legislation, likely resulting in a focus on the more rigid guidelines, to overdeliver on the less stringent state requirements.

Within the context of this legislation, one of the biggest challenges facing business is an individual’s right to request that a business delete whatever personal information it holds on the individual. For data driven organizations that source PII (personally identifiable information), or PHI (personal health information), from multiple sources via real time APIs, the use of suppressions might serve as a proxy for deletion, but upstream data retailers will have to also remain in compliance. The question also remains as to whether the CCPA impacts personal information on HCPs (health care professionals) considered within a professional environment (B2B). This suggests a potential compliance stumbling block with so many data sets bringing aggregated profiles regarding the same individual. Despite what may amount to court challenges, health marketers must learn to create valuable customer relationships while taking all this into account.

First, even though businesses must wait 12 months before they can ask a consumer to opt-in again, loyalty programs can, and should, remain front and center for both patients and HCPs. Don’t forget to ask your opt-out list to join a new program! This improves the value of the informational offer and make it more personally relevant.

Secondly, given that consumers are entitled to a copy of their own information, health marketers must find new ways to give patients and physicians their data back while also providing value beyond the raw data. It is important to show consumers what they look like through their own data, then add more value with research and insights from the community that can improve health offerings and brand value, but also identify and define new experiences that reinforce “why” you should be a data point in a broader persona spectrum.

Finally, you should demonstrate how incorporating consumers' data into broader geo-demographic profiles may provide them with early insights into health risks, saving them time, money, and anguish associated with late(r) stage detection of chronic conditions.

With new data transparency, healthcare companies need to re-think their rationale to encourage patients and HCPs to participate in their programs, and voluntarily (or via compensation) offer the use of consumers data to achieve bigger purposes and greater good. Whether the net result impacts a consumer’s own personal health outcomes, or new insights for the broader population with similar therapeutic diagnoses, understanding the options and making the value proposition individually clear would leverage the CCPA as corporate strength, and not an incremental liability.