By Brad Adatto, JD, Partner, ByrdAdatto

Med spas and other aesthetic practices should be aware of the new California Consumer Privacy Act of 2018 recently passed and signed into law. With seemingly daily reports of data breaches or improper sharing of user data, consumer privacy is a growing concern. California is the latest State to take action to protect consumers' personal information and has passed a law that provides strong and broad protections to do so. Signed into law on June the 28, 2018, the California Consumer Privacy Act of 2018 ("Privacy Act") creates some of the strongest consumer privacy protections in the nation.

New Privacy Act Details

The Privacy Act creates a right for consumers to

1. Request that businesses disclose what information they have collected, sold, or shared on them,
2. If they so choose, to have that collected information deleted, and
3. To proactively opt-out of future data collection, selling, and sharing.

These protections in turn create numerous compliance, notice, and penalty issues for businesses who collect information from California residents.

Businesses subject to the Privacy Act will need to provide proper notice of the types of information collected and the rights of the consumer under the act before any information is collected. Businesses also will need to ensure that their data collection and use practices involve only the types of information and uses that have been properly disclosed to the affected consumer.

Additionally, businesses will need to have trained personal to accept, verify, and respond to consumer requests within the statutory deadlines. And finally, businesses subject to the Privacy Act will need to have data systems capable of securely storing the information while providing for rapid and accurate access for requests, and to delete the information if requested.

Additional Details Regarding Patient Privacy

Medical businesses who are covered under the Health Insurance Portability and Accountability Act ("HIPAA") or California's Confidentiality of Medical Information Act ("CMIA") have additional hurdles to overcome. The Privacy Act exempts "protected" or "health information" that is already covered under the prior laws. However, medical businesses will need to determine what information they have and comply with the Privacy Act for other types of information not covered by HIPAA or CMIA.

The safe and accurate handling of information and consumer requests will be critical to medical practices in particular as the Privacy Act creates substantial penalties for failure to maintain compliance, mishandling of information, and failure to respond appropriately to consumer requests. Luckily medical practices in California have some time to learn more about what is covered before being subjected to penalties, as the Privacy Act is slated to take effect on January 1, 2020.

Read the full text of the law here. If you have concerns on how the California Consumer Privacy Act of 2018 may impact your business consult a healthcare attorney familiar with California law.

AmSpa members may take advantage of their annual compliance consultation with the business, healthcare, and aesthetic law firm of ByrdAdatto. Become a member today to gain access to business and legal compliance tools to keep your practice profitable and on the right side of regulations.

Brad Adatto, JD, is a partner at ByrdAdatto, a business, healthcare, and aesthetic law firm that practices across the country. He has worked with physicians, physician groups, and other medical service providers in developing ambulatory surgical centers, in-office and freestanding ancillary service facilities, and other medical joint ventures. He regularly counsels clients with respect to federal and state health care regulations that impact investments, transactions, and contract terms, including Medicare fraud and abuse, anti-trust, anti-kickback, anti-referral, and private securities laws.