
California Consumer Privacy Act: What Does It Mean for Healthcare Brand Marketers?

By Jeff Greene, VP, Strategy

Beginning January 1, 2020, all companies with over $25 million in revenues that do business in California must comply with the California Consumer Privacy Act, or CCPA. This is a groundbreaking privacy regulation modeled on Europe’s GDPR, and it is expected to ultimately trigger a nationwide privacy law. CCPA requires marketers to be more transparent about their data-collection policies and give consumers clear methods to request their personal data and to prevent its sale to third parties, among other requirements.

Fines for noncompliance can be levied by the State of California starting in July 2020, and civil lawsuits could raise the stakes even higher. Note that while the law says “consumer,” it applies to all California residents, including physicians.

Healthcare brand marketers, including pharma marketers, need to pay close attention to three parts of the law where they are likely to have the greatest exposure:

1. Collected data must be made available to California residents on request.

The law seems quite clear here. If I ask to see what personal data you’ve collected about me in the past year, you must provide it. Hopefully, your company has built a process to enable these requests at the corporate level; the concern for brands is that third-party partners must also be in compliance. Most vendors will have the ability to answer California data requests by January, but some partners may not be ready. We think DTC marketers may be at risk, since many offer patient support tools that collect data via mobile apps, web modules, and a variety of content partners. Either way, all partner contracts must contain specific language to protect both vendor and marketer from potential penalties under CCPA.

Recommended Action Items

Ask your vendors that provide or collect personal information how they plan to respond to CCPA requests. Ask legal to review all partner contracts to ensure compliance.

2. Privacy policies on websites and other digital assets must comply.

CCPA requires marketers to explicitly list categories of personal information they are collecting and how they are using it. Again, your legal department probably has this covered at the corporate level. However, healthcare brands may still be required to update their owned assets. For example, the law says companies must notify California residents “at or before the point of collection” about their privacy rights. Does that mean on a CRM sign-up form? Before downloading an app that tracks health data? Legal teams are trying to answer these questions prior to the law taking effect.

Recommended Action Items

Inform legal of all data collection points and privacy language your brand currently uses. Updates may be required to comply with CCPA.

3. Clear and conspicuous link to “Do Not Sell” page.

This component of CCPA is aimed at companies that sell or share data as a business model, such as list vendors. These companies must create a website link that says: “Do Not Sell My Personal Information.” When users click, they must be allowed to opt out of having their information sold or shared. Yet pharma legal departments, which are understandably cautious, could interpret this requirement more broadly. Suppose a diabetes brand collects a list of physician emails, then shares it with another business unit owned by the same company. Could that constitute “sharing” under the law? Some privacy experts think it could.

Recommended Action Items

Confirm with legal if you need a “Do Not Sell” link on any branded or unbranded websites, where it should be placed, and what it should link to.

What's Next?

CCPA was written quickly, by legal standards, and numerous amendments and language updates are pending. However, other states, including New York, New Jersey, and Massachusetts, are drafting their own privacy legislation. In light of many recent, high-profile breaches, data privacy is an important issue that will grow more complex over time. Brand marketers can take some simple steps now to protect themselves from noncompliance with CCPA. Moving forward, increasing your data transparency will ultimately help build trust with customers. At Evoke, we conduct audits and risk assessments of healthcare marketing assets to make it easier for brand marketers to prepare for data transparency. Contact us to learn more about our marketing assessment offerings.


The information provided in this POV is not intended as, and should not be taken as, legal advice.