California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot.

The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law.

Effective date and timeline for enforcement

The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer’s right to access their personal information). Enforcement of the CPRA amendments will not begin until July 1, 2023.

The CCPA’s existing exemptions for business contacts, employees, job applicants, owners, directors, officers, medical staff members and independent contractors will remain in effect until December 31, 2022.

The newly created California Privacy Protection Agency (“Agency”) will be required to adopt final regulations by July 1, 2022. For more information about the Agency and its role in enforcing the amended CCPA, see our previous article.

The passage of the CPRA does not affect the enforceability of the CCPA as currently implemented.

New rights under the CPRA

In addition to the CCPA’s rights to know, to delete, and to opt out of the sale of personal information, the CPRA creates the following new rights for California consumers:

  • The right to correct personal information
  • The right to limit the use of sensitive personal information
  • The right to opt out of the “sharing” of personal information

These rights are explained in greater detail in our previous article.

New compliance obligations for businesses subject to the CPRA?

The CPRA creates new obligations that are similar to the data processing principles found in the European Union’s General Data Protection Regulation (GDPR). Such responsibilities include:

  • Transparency: Businesses must specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice;
  • Purpose limitation: Businesses may only collect consumer’s personal information for specific, explicit and legitimate disclosed purposes and may not further collect, use or disclose consumers’ personal information for reasons incompatible with those purposes;
  • Data minimization: Businesses may collect consumers’ personal information only to the extent that it is relevant and necessary to the purposes for which it is being collected, used and shared;
  • Consumer rights: Businesses must provide consumers with easily accessible means to obtain their personal information, delete it or correct it, and to opt out of its sale and the sharing across business platforms, services, businesses and devices, and to limit the use of their sensitive information; and
  • Security: Businesses are required to take reasonable precautions to protect consumers’ personal information from a security breach.

The Agency’s rulemaking will also contain a number of new requirements, including:

  • A requirement that businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (i) perform a cybersecurity audit on an annual basis; and (ii) submit to the Agency on a regular basis a risk assessment with respect to their processing of personal information;
  • A requirement that businesses provide access and opt-out rights with respect to their use of automated decision-making technology, including profiling, and requiring a business’ response to access requests to include meaningful information about the logic involved in that decision-making process; and
  • Expanded the requirements and technical specifications for an opt-out preferences signal to indicate a consumer’s intent to opt out of the sale or sharing of personal information or to limit the use or disclosure of the consumer’s sensitive personal information.

Additional obligations are described in more detail in our previous article.

Do businesses need to scrap their CCPA compliance programs and start over with a new CPRA compliance program?

Absolutely not. An existing CCPA compliance program will be an important and necessary foundation for CPRA compliance. Businesses subject to CPRA will, however, need to expand their existing compliance programs to include, for example, updates to privacy notices (including their privacy policy and notice at collection), procedures for additional consumer rights, updates to service provider and contractor agreements, new record-keeping requirements and cybersecurity assessments.

What should businesses be doing now?

Although the CPRA’s amendments will not be enforceable until 2023, we recommend that businesses:

  • Review the revised definition of “business” to determine whether the amended CCPA will still apply to their operations. The proposed amendments: (i) increase the threshold related to buying, selling or sharing personal information from 50,000 consumers or households to 100,000 consumers or households; (ii) narrow the “common branding” applicability test to bring into scope only commonly branded related entities with whom a business shares consumers’ personal information; (iii) bring into scope joint ventures or partnerships where the businesses involved have at least a 40% interest; and (iv) bring into scope any business that voluntarily certifies to the Agency that it is in compliance with and agrees to be bound by the law.
  • Consider how the business will document and map its uses of sensitive personal information for purposes of complying with consumer requests right to limit the use of their sensitive personal information.
  • Determine whether the new obligations and requirements can be implemented only for California consumers, or whether it would be easier for the business to implement these obligations and requirements for all of its consumers, whether or not they reside in California.
  • Consider and plan for the budget and resources you may need to bring your current CCPA program into compliance with the CPRA amendments.

Are more changes to California privacy law expected?

Because the CPRA is subject to amendment by the California legislature through the normal legislative process, we recommend continuing to monitor the developments and modify preparations accordingly.

New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier.

The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA.

Process for Opting Out of Sale of Personal Information

The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail about how a business should provide the right to opt out of the sale of personal information. Specifically, the Department of Justice:

  • Provides illustrative examples of how a business that collects personal information offline can provide its opt-out notice offline—through paper forms, posting signage directing consumers to an online notice or orally over the phone.
  • Makes clear that the methods for submitting opt-out requests should be easy for consumers to find and execute. For example, consumers should not have to search or scroll to find where to submit a request to opt out after clicking on the “Do Not Sell My Personal Information” link. A business should not use confusing language, try to impair a consumer’s choice to opt out or require a consumer to read through or listen to reasons why they should not opt out before confirming their request. In addition, the process for requesting to opt out shall collect only the amount of personal information necessary to execute the request.

Verifying Authorized Agent

The Department of Justice added language to Section 999.326(a) clarifying what a business may request to verify that an agent is authorized to act on a consumer’s behalf. Specifically, a business may require an authorized agent to provide proof of signed permission from the consumer for the agent to submit the request. In addition, the business may require the consumer to either verify their own identity directly with the business or directly confirm with the business that they provided the authorized agent permission to submit the request. Previously, a business had to go through the consumer to verify the authorized agent. Now, a business can verify the authorized agent directly.

Notices to Consumers Under 16 Years of Age

Finally, the Department of Justice clarified in Section 999.332(a) that all businesses that sell personal information about children must describe in their privacy policies the processes used to obtain consent from the child or parent (as applicable). Previously, the regulations were worded such that only a business that sells the personal information of both consumers under 13 and consumers between 13 and 15 had to describe the processes used to comply with the CCPA’s consent requirements for minors.

Next Steps

The Department of Justice stated that it will accept written comments on the new proposed modifications until October 28, 2020. All timely comments will be reviewed and responded to by the Department’s staff as part of the compilation of the rulemaking file. In the meantime, we recommend reviewing forms and procedures used to comply with the CCPA’s opt-out, agent verification and children’s consent requirements against the proposed modifications to determine whether any updates may be needed.

National Telehealth Takedown Highlights Opportunity for Providers to Enhance Compliance Efforts

The US Department of Justice and the US Department of Health and Human Services Office of Inspector General recently announced a significant healthcare fraud takedown involving $4.5 billion in allegedly false and fraudulent claims involving telehealth. The allegations involved telehealth executives paying healthcare providers to order unnecessary items and services, as well as payments from durable medical equipment companies, laboratories and pharmacies for those orders. While the alleged conduct is not representative of the legitimate and crucial telehealth services offered by the vast majority of healthcare providers, the government’s continued focus on telehealth arrangements, combined with the ongoing expansion of coverage for telehealth services, provides an important opportunity for healthcare providers to evaluate their telehealth service offerings and arrangements and to further enhance their related compliance activities.

In Depth

On September 30, 2020, the US Department of Justice (DOJ) issued a press release describing the largest national healthcare fraud and opioid enforcement action in the DOJ’s history (the Takedown). The Takedown involved coordination with the US Department of Health and Human Services Office of Inspector General (OIG) and other federal and state law enforcement agencies, and resulted in cases against more than 345 defendants in 51 judicial districts. The government charged the defendants with participating in healthcare fraud schemes involving more than $6 billion in alleged losses to federal health care programs, with the vast majority of alleged losses ($4.5 billion) stemming from arrangements involving alleged “telefraud.”

According to the DOJ press release, a recently announced National Rapid Response Strike Force led the initiative focused on telehealth. The National Rapid Response Strike Force is part of the Health Care Fraud Unit of DOJ’s Criminal Division Fraud section, and its mission is to “investigate and prosecute fraud cases involving major health care providers that operate in multiple jurisdictions, including major regional health care providers operating in the Criminal-Division-led Health Care Fraud Strike Forces throughout the United States.”


In recent years, the government has increasingly focused on alleged healthcare fraud schemes involving telehealth services. In connection with the Takedown, OIG issued a fact sheet and graphic highlighting the increase in “telefraud” arrangements leveraging “aggressive marketing and so-called telehealth services.” The individuals charged in the Takedown included telehealth company executives, medical providers, marketers and business owners who allegedly used telemarketing calls, direct mail, and television and internet advertisements to collect information from unsuspecting patients.

Many of the cases involved telehealth executives who allegedly paid healthcare providers to order unnecessary durable medical equipment (DME), genetic and other diagnostic testing, and medications, either without any patient interaction or with only a brief phone call. The government alleged that the arrangements involved kickbacks to telehealth executives after the DME company, laboratory or pharmacy billed Medicare or Medicaid for items and services that the government asserts were often not provided to beneficiaries or were “worthless to patients . . . and delayed their chance to seek appropriate treatment for medical complaints.”

DOJ provided a summary of the cases prosecuted, which included a wide variety of alleged fraudulent schemes involving telehealth, including the following:

  • A marketing company that recruited Medicare beneficiaries to obtain medically unnecessary genetic testing ordered by telehealth physicians who received illegal kickbacks and bribes from telehealth companies.
  • An owner and operator of a telehealth company who paid kickbacks and bribes to call centers and healthcare professionals in exchange for referrals and orders for medically unnecessary genetic cancer screening tests for Medicare beneficiaries.
  • A laboratory owner who conspired to pay kickbacks for genetic testing orders and specimens to run medically unnecessary diagnostic testing.
  • Laboratory owners who were charged with paying kickbacks to a network of marketers to procure DNA samples for genetic testing that they knew to be medically unnecessary and not reimbursable by the patients’ health care benefit programs. Beneficiaries were solicited through methods such as telemarketing, door-to-door sales and appearances at senior health fairs, and the tests were approved by a range of medical professionals, including doctors operating on telehealth platforms, who had not previously treated the patients and had little or no contact with the patients in connection with prescribing the testing.

Practical Implications

The Takedown is an example of the government’s continued and growing focus on telehealth services arrangements. Although the alleged fraudulent practices are not representative of the broader community of telehealth providers that deliver necessary care to patients in a convenient and efficient way, the government’s actions offer insights that can help legitimate telehealth providers further enhance their ongoing compliance practices. As telehealth becomes an increasingly common method for delivering healthcare, current telehealth providers and those organizations considering expanding into telehealth services, as well as individual healthcare providers who may provide telehealth services through another company, should consider the following issues when reviewing their existing telehealth programs or before establishing a new telehealth service line or entering into arrangements with third parties to provide telehealth services.

Patient-Provider Relationship. Two common features of many of the Takedown cases, according to DOJ, were the lack of meaningful interaction between provider and patient and the ordering of medically unnecessary products or services. These cases often involved alleged inappropriate patient marketing activities where a potential patient received a “cold call” followed by a telephonic examination if the potential patient expressed a willingness to speak to a provider. The requirements for establishing a sufficient patient-provider relationship for diagnosis, treatment, and the ordering of medical equipment and laboratory testing are determined primarily by state laws and regulations. These laws and regulations may be unclear on the types of technology modalities required to conduct a patient examination that supports the issuance of a prescription or order. In addition to complying with state law requirements, a valid patient-provider relationship is typically required to bill payors for telehealth services. Identifying the sometimes blurry line between appropriate and inappropriate conduct is critical to ensuring that appropriate care is delivered and to mitigating legal risk.

Employee Moonlighting. Provider organizations should consider evaluating any “moonlighting” activities by their employed or contracted providers. In light of the Coronavirus (COVID-19), many physicians and other providers are seeking additional opportunities to provide care to patients because of the sharp decline in in-person visits. Providers may begin providing telehealth services through other companies or entities during their “off” hours. These providers should ensure that they engage with reputable telehealth companies to avoid getting caught up in the types of alleged telefraud arrangements that were the focus of the Takedown. Provider organizations should understand what their physicians are doing outside of their regular jobs; if a physician is unknowingly participating in a potentially fraudulent telehealth arrangement, that could negatively affect the provider organization’s reputation. Provider organizations that permit their employed and contracted staff to “moonlight” can help mitigate risk by offering education and resources to individual providers to ensure they are aware of the existence of fraudulent telehealth companies and networks that may not have the providers’—or their patients’—best interests in mind.

Coverage and Billing Requirements. Increasing recognition of the value and benefits of telehealth is resulting in the rapid evolution of coverage and billing requirements for telehealth services. While these changes can positively affect a telehealth program’s operations, organizations should carefully review and stay up-to-date on government and commercial payor requirements for telehealth services, as they are not always as broad or liberating as they may first appear. Organizations should ensure that appropriate checks are in place to make certain that they use proper billing and reimbursement codes.

COVID-19 Waivers and Their Eventual Expiration. During the COVID-19 public health emergency, the Centers for Medicare and Medicaid Services (CMS) expanded payment for telehealth under its 1135 waiver authority and permitted providers to use dozens of new billing codes for telehealth services. Telehealth regulations have also been relaxed at the state level, as we previously detailed here and here. This rapid regulatory change has allowed more flexibility for providers and improved access to telehealth services for patients during the COVID-19 pandemic. Despite these changes, legitimate telehealth providers should develop medically appropriate clinical protocols to govern care provided via telehealth, ensure the use of safe and secure technology, and establish operating guidelines to ensure care is provided consistent with all state and federal requirements. In addition, the COVID-19-related emergency declarations that allow for these changes will end, and providers should be prepared to comply with pre-pandemic laws and regulations.

State Licensure. In order to legitimately provide and bill for telehealth services, providers should be licensed to practice their respective profession in the state in which the patient is located at the time of the encounter, unless an exception exists. In response to COVID-19, many states have waived or loosened the licensure requirements.

Key Takeaways
Telehealth providers should:

  • Carefully consider the implications before entering into an arrangement with other parties, including DME companies, laboratories and pharmacies, and contemplate what different parties will provide in connection with the arrangement.
  • Be particularly diligent in the design and compliance oversight of marketing strategies to confirm that patients are reached through appropriate channels, which may not include “cold calls.”
  • Ensure that state-level requirements to establish a legitimate physician-patient relationship are satisfied. This involves evaluating the proposed arrangement under applicable state laws and regulations. Many of these laws and regulations have changed in light of COVID-19.
  • Ensure that the provider’s compliance program appropriately addresses issues brought up by telehealth arrangements, including careful review of marketing materials and compensation and billing arrangements.
  • Carefully evaluate coding and billing practices to ensure such practices are consistent with both government and commercial payor requirements. Again, these requirements have changed considerably because of COVID-19 and likely will continue to evolve.

Please do not hesitate to contact your regular McDermott lawyer or any of the authors of this On the Subject if you have questions or need assistance with structuring and evaluating telehealth arrangements and related compliance practices and issues.

CCPA Amendment Update: California Governor Approves CCPA Amendment with Exceptions for HIPAA De-Identified Information and Other Health Data

On September 25, 2020, Governor Gavin Newsom signed into law California AB 713, which amends the California Consumer Privacy Act (CCPA) to create expanded exceptions for: HIPAA business associates; information that has been de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and information collected, used or disclosed in certain human subjects research. AB 713 reflects an intense lobbying effort by medical technology, pharmaceutical, and other health and life sciences industry stakeholders. AB 713 became effective immediately following Governor Newsom’s signature, as the bill included an urgency clause calling for immediate action to mitigate the CCPA’s potential negative impact on health-related research.

AB 713 eases some of the CCPA compliance challenges experienced by the health care and life sciences industries by more closely aligning the CCPA with HIPAA and other laws governing human subjects research. However, AB 713 also creates new compliance obligations by requiring entities subject to requirements for “businesses” under the CCPA, as well as other entities residing or doing business in California, to include certain provisions in license agreements or other contracts for the sale or license of de-identified patient information. While AB 713 becomes effective immediately, as discussed below, it requires compliance with the new contracting requirement beginning January 1, 2021.

We summarize below the salient provisions of AB 713.

Exception for De-identified Patient Information

AB 713 provides relief to health care, life sciences and other organizations that have been grappling with how to achieve compliance with the previously inconsistent de-identification standards under HIPAA and the CCPA. Without AB713’s CCPA amendment, it was possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data. For example, HIPAA protected health information that has been de-identified under HIPAA may still contain identifiers of California physicians or other individuals who serve patients. These identifiers may have constituted “personal information” under the CCPA when held by a CCPA-regulated business, creating a right under the CCPA for the individuals to opt out of sales of the personal information. For more information about the inconsistent HIPAA and CCPA de-identification standards, see our On the Subject.

AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:

  • The information has been de-identified in accordance with a HIPAA de-identification method (i.e., the safe harbor or expert determination method).
  • The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule). “Patient information” means protected health information or individually identifiable health information under HIPAA, identifiable private information under the Common Rule or medical information under the CMIA.
  • The information has not been re-identified.

This exception applies to HIPAA de-identified data held by entities that are not themselves directly regulated by HIPAA, the Common Rule or the CMIA, such as certain pharmaceutical, medical device or life sciences companies, provided that the de-identified data is derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule.

Prohibition Against Re-Identification of De-identified Patient Information

AB 713 also prohibits a CCPA-regulated business or other person from re-identifying, or attempting to re-identify, any de-identified patient information unless the re-identification activity is for one of the following purposes:

  • A HIPAA-regulated entity’s treatment, payment or health care operations purposes
  • Public health activities or purposes set forth in HIPAA
  • Research, as defined by HIPAA and carried out in accordance with the Common Rule
  • Performance of a contract that engages an entity to re-identify the de-identified patient information for testing, analysis or validation of the de-identification
  • Compliance with legal requirements.

Thus, CCPA-regulated businesses and other persons that seek to re-identify any de-identified patient information need to evaluate whether the CCPA applies to it and permits the re-identification.

New Contracting Requirements

Beginning January 1, 2021, AB 713 requires a contract for the sale or license of de-identified patient information, where one of the parties resides or does business in California, to include the following provisions:

  • A statement that the de-identified information being sold or licensed includes de-identified patient information
  • A statement that the CCPA prohibits the purchaser or licensee from re-identifying, or attempting to re-identify, the de-identified patient information
  • A statement that prohibits the purchaser or licensee from further disclosing the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

While the CCPA generally only applies to “businesses” that process the personal information of California consumers and have an annual revenue of at least $25 million (or meet another threshold), the new contracting requirements under AB 713 also apply where “one of the parties is a person residing or doing business in” California even if the business is not based in California. To learn more about whether a company is a CCPA-regulated business, see “Your Guide to CCPA Compliance.”

Accordingly, beginning January 1, 2021, a party entering into a contract involving the sale or license of de-identified patient information that resides or does business in California should assess whether the contract must include the provisions required by AB 713. Purchasers or licensees of de-identified patient information from an entity that resides or does business in California should evaluate whether they can comply with the contract provisions and flow down the restrictions on re-identification to third parties with whom they further share the de-identified patient information. An open question is whether AB 713 requires contracts entered into prior to January 1, 2021 to be amended to include the contract provisions by such date or at any date of renewal or amendment after such date.

Expanded Consumer Privacy Notice Requirements

Although AB 713 excepts de-identified patient information from the CCPA’s applicability, it requires a CCPA-regulated business that sells or discloses de-identified patient information to include in its CCPA consumer privacy notice a statement describing the sale or disclosure and the HIPAA de-identification method used to de-identify the information (i.e., safe harbor or expert determination). Companies that sell, license or transfer HIPAA de-identified data to third parties should consider whether they will need to update their CCPA consumer privacy notices to comply with this requirement.

Exception for HIPAA Business Associates

Before AB 713 took effect, the CCPA excepted from its applicability any protected health information collected by a HIPAA covered entity or business associate. The CCPA also contained an exception for all HIPAA covered entities to the extent that they maintain, use or disclose patient information in the same manner as protected health information subject to HIPAA. However, the CCPA did not include a similar entity-based exception for HIPAA business associates and the patient information they protect in the same manner as protected health information.

AB 713 amends the CCPA to except all business associates to the extent that they maintain, use or disclose patient information in the same manner as protected health information. Accordingly, a CCPA-regulated business associate that collects patient information through a service line that is not subject to HIPAA, such as a direct-to-consumer offering, does not need to comply with the CCPA with respect to such information if the business associate applies HIPAA protections to the information.

Research Exception

The CCPA previously included an exception for personal information collected as part of clinical trials that are subject to the Common Rule, international good clinical practice guidelines, or the human subject protection regulations of the US Food and Drug Administration (FDA). AB 713 expands the exception to except any personal information collected, used or disclosed in any research (as defined by HIPAA) that is carried out in accordance with applicable ethics, confidentiality, privacy and security rules of 45 CFR Part 164 (e.g., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation or FDA human subject protection requirements. Thus, now, the CCPA’s research exception is no longer limited to clinical trials.

Next Steps

In light of AB 713’s enactment, entities that license or otherwise disclose de-identified patient information, and licensees and purchasers of the information, should

  • Assess whether their contracts covering the information must include the newly required contract provisions and, if so, revise the contracts,
  • Revise their consumer privacy notices as needed to comply with the new de-identification disclosure requirement and
  • Consider updating their de-identification policies and procedures to reflect the new flexibility created by AB 713.

For assistance with these steps, contact your regular McDermott lawyer or either of the authors.

Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long running campaign by the activist, Max Schrems, who’s prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor.

It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US based service providers which had European customers and regularly needed to transfer personal data from Europe to the United States.

Schrems II impacts not only the over 5,300 US companies that enjoyed Privacy Shield self-certification, but also the many thousands of EU and US companies that rely upon US companies in their supply chain for data processing. This supply chain could include outsourcing, cloud services, data processing, data storage, telecommunications and the like.

Click here to read the full article, and many more in our latest International News: Focus on Global Privacy and Cybersecurity.