Corporate Compliance Insights

Open Season for the CCPA

A Case Study in Employee Health Care Benefits Enrollment

by Katherine Catlos
January 31, 2020
in Data Privacy
Kaufman Dolowich Voluck’s Katherine Catlos and Katherine Alphonso analyze the privacy roles of various organizations and their obligations under the California Consumer Privacy Act (CCPA) and GDPR.

with co-author Katherine Alphonso

Allow us to paint a picture: Your Company (“YC”), as part of its employment package, offers health care benefits to all full-time employees. For the most part, the employees engage the health insurance company directly, providing the personal data needed to obtain its services. The only part of this process that YC involves itself in is footing the bill.

To be invoiced, however, YC transfers its employees’ contact information and date of birth, which were all collected at hire, to the health insurance company for employee verification. It’s not uncommon to see a situation such as this. Employers are more and more willing to provide fringe benefits on top of a competitive salary as an incentive for their employees to stay (or take the job). Understandably, many companies are now unsure of their responsibilities regarding data privacy protection given the current landscape.

Obligations Under the CCPA

Under the CCPA, which became effective on January 1, 2020, YC must first determine if its business is governed by the law. The CCPA applies to entities that collect personal information, do business in California and satisfy one or more of the following thresholds:

  • has annual gross revenues in excess of $25 million;
  • alone or in combination, annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
  • derives 50 percent or more of its annual revenues from selling consumers’ personal information.[1]

A recent amendment, AB 25, carved out a one-year moratorium for certain “HR data” that employers collect from applicants, employees, independent contractors and corporate officers and directors in an employment context.[2] In other words, personal information collected by an employer for employment-related reasons (for example, an applicant’s driver’s license information for the I-9 form) is exempt information.

Here, YC is not collecting information strictly as an incident of employment. It is collecting information it will also provide to an outside organization (the health insurance company) to verify employee enrollment in health care benefits and cover the bill.

Once YC determines it is a company covered under CCPA and the collected information does not fall within the “HR data” exception, it must determine and specify whether the health insurance company is a “third party” or a “service provider.” It is important to distinguish between the two, because YC’s obligations vary depending on the above-established relationship.[3]

The law defines “third parties” in the negative, stating it is not any of the following:

  • the business that collects personal information (in this case, YC); and
  • a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.[4]

Separately, it defines “service providers” as legal entities that “process information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”[5] Here, the health insurance company is likely a service provider, because it does not have authority to use the employee’s information (provided by YC) for any other purpose;[6] it may only use the information to verify with YC that the employee did in fact enroll in health care benefits, and to bill for that enrollment. With that said, YC must have a written agreement with the health care insurance provider.

YC’s written agreement must state the health care insurance company will not retain, use or disclose personal information for any purpose other than what’s specifically spelled out in the agreement, including for a commercial purpose other than providing the services to YC.[7] The agreement must further limit the collection, sale or use of the disclosed personal information, except as necessary to perform the “business purpose” for which the service provider was retained.[8] Again, in the case of this hypothetical, the health insurance company is limited to using YC’s information sharing to verify an employee’s enrollment in health care benefits and to invoice for enrollment. Lastly, the service provider must represent it has read and understood its obligations under the CCPA’s requirements.[9]

The GDPR by Contrast

Under the GDPR, YC should first investigate which role each company would play: controller or processor. Once the roles are determined, the legal obligations and liabilities are a little more straightforward. Unfortunately, determining the roles isn’t always easy.

Since a controller “determines the purposes and means of the processing,”[10] and a processor acts “on behalf of the controller,”[11] YC must look at the processing activity actually taking place. Here, YC is collecting the information directly from the data subject (its employee). It determines the purpose of that collection by using it to pay for the employees’ health insurance. It also determines the means of processing by limiting the health insurance company’s use to verification and billing purposes only. It is likely that YC is a controller.

When the health insurance company engages the employee directly, collecting information such as age, weight, social security number and driver’s license information, it does so to provide health insurance for that employee. That processing activity is different from the processing activity YC engages in, since YC’s purpose is to use an employee’s contact information and date of birth to verify that employee’s enrollment in health care benefits and to bill for the enrollment. In this scenario, it is more likely that the insurance company is a processor acting on YC’s behalf.[12]

A controller-processor relationship then triggers Article 28, requiring YC to be under contract with only those processors who are compliant with the legislation.[13]

The above hypothetical barely scratches the surface for understanding and implementing either the California Consumer Privacy Act or the EU’s General Data Protection Regulation. As both laws continue to change and develop, an important first step is to really examine an organization’s data inventory/mapping. Only with this understanding can an organization begin to tackle the issues around compliance, including processes and contracts around vendor management.

[1] Cal. Civ. Code § 1798.140(c)(1).

[2] Cal. Civ. Code § 1798.145(g).

[3] Cal. Civ. Code § 1798(d) (if a business sells personal information to a third party, not only must it provide notice of the sale to the consumer, it must also provide an opportunity for the consumer to opt out of that sale).

[4] Cal. Civ. Code § 1798.140(w).

[5] Cal. Civ. Code § 1798.140(v).

[6] Please note that YC may also analyze whether an outside organization is a “third party” or “service provider” by looking at the Act’s definition of “sell, selling, sale or sold.” See Cal. Civ. Code § 1798.140(t).

[7] Cal. Civ. Code § 1798.140(v).

[8] Cal. Civ. Code § 1798.140(w)(2).

[9] Id.

[10] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Article 4.

[11] Id.

[12] How to determine whether you are a controller or processor? Information Commissioner’s Office (as of Nov. 7, 2019). It is important to note that a single entity may be both a controller and a processor for different processing activities.

[13] GDPR, at Article 28.

Katherine Catlos

Katherine Catlos Esq., CIPP/US, CIPM is a partner in the San Francisco office of Kaufman Dolowich & Voluck LLP, where she handles employment law and privacy law matters. She is also the firm’s Chief Diversity & Inclusion Officer.