Corporate Compliance Insights

Open Season for the CCPA

A Case Study in Employee Health Care Benefits Enrollment

by Katherine Catlos
January 31, 2020
in Data Privacy

Kaufman Dolowich Voluck’s Katherine Catlos and Katherine Alphonso analyze the privacy roles of various organizations and their obligations under the California Consumer Privacy Act (CCPA) and GDPR.

with co-author Katherine Alphonso

Allow us to paint a picture: Your Company (“YC”), as part of its employment package, offers health care benefits to all full-time employees. For the most part, the employees engage the health insurance company directly, providing the personal data needed to obtain its services. The only part of this process that YC even involves itself in is footing the bill.

To be invoiced, however, YC transfers its employees’ contact information and date of birth, which were all collected at hire, to the health insurance company for employee verification. It’s not uncommon to see a situation such as this. Employers are more and more willing to provide fringe benefits on top of a competitive salary as an incentive for their employees to stay (or take the job). Understandably, many companies are now unsure of their responsibilities regarding data privacy protection given the current landscape.

Obligations Under the CCPA

Under the CCPA, which became effective on January 1, 2020, YC must first determine if its business is governed by the law. The CCPA applies to entities that collect personal information, do business in California and satisfy one or more of the following thresholds:

  • has annual gross revenues in excess of $25 million;
  • alone or in combination, annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
  • derives 50 percent or more of its annual revenues from selling consumers’ personal information.[1]

A recent amendment, AB 25, carved out a one-year moratorium for certain “HR data” that employers collect from applicants, employees, independent contractors and corporate officers and directors in an employment context.[2] In other words, personal information collected by an employer for employment-related reasons (for example, an applicant’s driver’s license information for the I-9 form) is exempt information.

Here, YC is not collecting information strictly as an incident of employment. It is collecting information it will also provide to an outside organization (the health insurance company) to verify employee enrollment in health care benefits and cover the bill.


Once YC determines it is a company covered under the CCPA and the collected information does not fall within the “HR data” exception, it must determine and specify whether the health insurance company is a “third party” or a “service provider.” It is important to distinguish between the two, because YC’s obligations vary depending on which relationship applies.[3]

The law defines “third parties” in the negative, stating it is not any of the following:

  • the business that collects personal information (in this case, YC); and
  • a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.[4]

Separately, it defines “service providers” as legal entities that “process information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”[5] Here, the health insurance company is likely a service provider, because it does not have authority to use the employee’s information (provided by YC) for any other purpose;[6] it may only use the information to verify with YC that the employee did in fact enroll in health care benefits, and to bill for that enrollment. With that said, YC must have a written agreement with the health care insurance provider.

YC’s written agreement must state the health care insurance company will not retain, use or disclose personal information for any purpose other than what’s specifically spelled out in the agreement, including for a commercial purpose other than providing the services to YC.[7] The agreement must further limit the collection, sale or use of the disclosed personal information, except as necessary to perform the “business purpose” for which the service provider was retained.[8] Again, in the case of this hypothetical, the health insurance company is limited to using YC’s information sharing to verify an employee’s enrollment in health care benefits and to invoice for enrollment. Lastly, the service provider must represent it has read and understood its obligations under the CCPA’s requirements.[9]

The GDPR by Contrast

Under the GDPR, YC should first investigate which role each company would play: controller or processor. Once the roles are determined, the legal obligations and liabilities are a little more straightforward. Unfortunately, determining the roles isn’t always easy.

Since a controller “determines the purposes and means of the processing,”[10] and a processor acts “on behalf of the controller,”[11] YC must look at the processing activity actually taking place. Here, YC is collecting the information directly from the data subject (its employee). It determines the purpose of that collection by using it to pay for the employees’ health insurance. It also determines the means of processing by limiting the health insurance company’s use to verification and billing purposes only. It is likely that YC is a controller.

When the health insurance company engages the employee directly, collecting information such as age, weight, social security number and driver’s license information, it does so to provide health insurance for that employee. That processing activity is different from the processing activity YC engages in, since YC’s purpose is to use an employee’s contact information and date of birth to verify that employee’s enrollment in health care benefits and to bill for the enrollment. In this scenario, it is more likely that the insurance company is acting as YC’s processor.[12]

A controller-processor relationship then triggers Article 28, requiring YC to be under contract with only those processors who are compliant with the legislation.[13]

The above hypothetical barely scratches the surface for understanding and implementing either the California Consumer Privacy Act or the EU’s General Data Protection Regulation. As both laws continue to change and develop, an important first step is to really examine an organization’s data inventory/mapping. Only with this understanding can an organization begin to tackle the issues around compliance, including processes and contracts around vendor management.

[1] Cal. Civ. Code § 1798.140(c)(1).

[2] Cal. Civ. Code § 1798.145(g).

[3] Cal. Civ. Code § 1798(d) (if a business sells personal information to a third party, not only must it provide notice of the sale to the consumer, it must also provide an opportunity for the consumer to opt out of that sale).

[4] Cal. Civ. Code § 1798.140(w).

[5] Cal. Civ. Code § 1798.140(v).

[6] Please note that YC may also analyze whether an outside organization is a “third party” or “service provider” by looking at the Act’s definition of “sell, selling, sale or sold.” See Cal. Civ. Code § 1798.140(t).

[7] Cal. Civ. Code § 1798.140(v).

[8] Cal. Civ. Code § 1798.140(w)(2).

[9] Id.

[10] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Article 4.

[11] Id.

[12] How to determine whether you are a controller or processor? Information Commissioner’s Office (as of Nov. 7, 2019). It is important to note that a single entity may be both a controller and a processor for different processing activities.

[13] GDPR, at Article 28.


Tags: California Consumer Privacy Act (CCPA), GDPR

Katherine Catlos

Katherine Catlos Esq., CIPP/US, CIPM is a partner in the San Francisco office of Kaufman Dolowich & Voluck LLP, where she handles employment law and privacy law matters. She is also the firm’s Chief Diversity & Inclusion Officer.

© 2025 Corporate Compliance Insights