4 Effects of New Data Privacy Law on Healthcare Marketers

On January 1, 2023, the California Privacy Rights Act (CPRA) officially goes into effect. The CPRA builds on and expands the California Consumer Protection Act (CCPA), which currently governs data privacy for California residents. CPRA will require marketers to make many changes in the areas of disclosure, reporting, and operations, but there are four notable areas for healthcare marketers:

1. California did not renew the B2B exemption.

Since CCPA went into effect in 2020, there has been an exemption for B2B communications. With most pharma communications to healthcare professionals (HCPs) categorized as B2B, some organizations chose to ignore CCPA under this exemption. However, California did not renew this exemption and it is set to expire on December 31st of this year. Therefore, in 2023, all marketing interactions with HCPs need to comply with CPRA.

2. Behavior-based advertising is now clearly regulated.

Previously, CCPA established that a “sale” goes beyond financial transactions and includes data sharing based on “valuable consideration.” Even with this definition, some in the digital media and advertising technology space argued that the use of personal information to select advertising does not constitute a sale and therefore was not governed by California’s law.

The new CPRA eliminates any ambiguity by specifically stating that using personal information in behavior-based advertising constitutes a “sale” of this data and is therefore governed under the legislation.

In short, this clarification means that all aspects of the digital advertising ecosystem will need to comply with the new law.

3. Data owners must inform clients and partners of opt-outs.

Under CCPA, data brokers, defined as companies that resell personal information (such as DMD, an IQVIA business), have an obligation to support a consumer’s request to opt out of future use, but there was no immediate obligation to inform the licensees, i.e., the clients of the data broker, of this opt-out.

But now, under CPRA, when a valid opt-out request is received, data brokers will have an obligation to proactively inform the client or partner who has licensed that record, and the client will have the obligation to immediately stop using that record. Unfortunately, the current text of the CPRA does not specify how long the data broker must maintain this notification, so we expect that California’s Attorney General (AG) will set a regulation on this issue prior to the CPRA coming into effect.

Because of this requirement, data brokers will need to create new operational procedures for the handling of opt-outs and will need to communicate these processes to their clients and partners.

4. Third-party data resellers are required to contact HCPs.

Under CPRA, a data broker who licenses data from a third party (that is, the data broker does not have a direct relationship with the consumer) will have to contact every consumer who is a California resident and give them the option to opt out of the data broker reselling their information. This, of course, includes any healthcare professional who is also a resident of California.

Because the relicensing of personal data is very common, healthcare marketers should now ask if their data brokers have a first-party relationship with the covered HCPs. If they don’t, marketers should request in writing an assurance that their data broker has taken the necessary steps to comply with CPRA.

At DMD, we are excluded from this requirement because we have a direct relationship with HCPs through our proprietary Healthcare Communications Network (HCN).

Data privacy remains an emerging area with additional laws from VA, CO, CT and UT coming into effect in a few months. Be sure to work with a data broker who is an expert in this area and can help you with compliance. For a broader view of compliance, please check out our Consent at Scale framework, which can be found at