Compliance with Privacy Regulations: An Update
October 1, 2018

Complying with privacy regulations keeps getting more complicated. We are often asked by our clients whether they need to comply with the European Union’s General Data Protection Regulation (GDPR) and other privacy regulations outside the United States.
Even if you only have operations in the United States, you may be subject to the EU’s GDPR. For example, if you advertise in Europe for European customers, or if you receive data from European customers directly or through European companies, you may be subject to the very complicated provisions of the GDPR. Failure to comply can bring with it the full range of legal nightmares, including very substantial financial penalties.
Similarly, if you take affirmative steps to receive personal information from residents of other countries, you may be subject to the laws of those countries. Many other actions may subject a U.S. business to the privacy laws of another country, and can even subject a business to other laws of the country such as laboratory regulation and taxes. These actions include:
We’ve also been asked about the new California Consumer Privacy Act and whether it applies to businesses that do not operate in California. California’s Consumer Privacy Act does apply beyond its borders.
While the Act does not apply to companies that are not doing business in California, this is a complex issue under California law. Most importantly for labs, this Act does not apply to protected health information (PHI) collected by the lab as a covered entity under HIPAA or medical information governed by the California Confidentiality of Medical Information Act, or personal information that is not PHI or such medical information but that is treated by the lab the same as PHI or such medical information.
Labs do need to confirm whether the Consumer Privacy Act applies to them and, if so, either fall within an available exception or comply with the requirements of the Act. The Act provides consumers with the right to certain disclosures, the right to deletion of their data under certain circumstances, the right to know what information has been collected and for what purpose, the right to opt out of the sale of their information to third parties, and the right to equal service if they exercise any of these rights. It also requires the establishment of a toll-free number and a website for consumer requests. And of course, it establishes financial penalties for violations.