[co-author: Kelsey Fayer]
California continues to be at the vanguard of privacy protection. On October 11, 2021, California’s Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022 and include:
- AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out right. This exemption applies to vessel information and ownership information shared between vessel owners and dealers, if the sharing is because the entity anticipates or is effectuating a warranty repair or vessel recall.
- AB 430, which amends California’s identity theft and debt collection laws. The amendment permits victims of identity theft to provide an FTC identity report in lieu of a police report in instances (i.e., stopping debt collection, civil judgment for identity theft) that formerly required a police report.
- AB 694, which adds technical and non-substantive changes to the California Privacy Rights Act. This clarifies that the California Privacy Protection Agency’s authority begins six months after it notifies the AG that it is prepared for rulemaking.
- AB 825, which expands California’s existing data breach notification laws to include genetic data in the definition of “personal information.” This indirectly broadens the CCPA’s private right of action for some data breaches that use this definition.
- AB 1391, which addresses the sale of data obtained unlawfully. This law:
  - prohibits selling data and selling access to data that was obtained pursuant to the commission of a crime;
  - makes buying data unlawful if the buyer has actual or constructive knowledge that the data was accessed or obtained through criminal activity; and
  - carves out exceptions including press reporting matters of public concern, whistleblowers, and obtaining data for specific security purposes.
- AB 1184, which amends the Confidentiality of Medical Information Act and the Insurance Code to increase privacy protections for patients receiving sensitive healthcare services including mental health, reproductive health, and gender-affirming care. The law restricts certain disclosures even where the patient is not their health insurance’s policyholder.
California also joins a minority of states in passing a new law protecting the privacy of genetic information. SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:
- clearly inform consumers how the company collects, uses, maintains, and discloses genetic data;
- obtain express consent for use, collection, and disclosure of genetic data;
- obtain separate express consent for specific activities including transfers to third parties, storage of biological samples, and marketing facilitated by genetic data;
- implement mechanisms through which consumers may easily access and delete their account and genetic data;
- destroy the consumer’s sample and associated data within 30 days of consent revocation, unless the company is otherwise prohibited from doing so; and
- maintain and implement reasonable security practices and procedures.
Notably, none of the new laws passed by California permit a new private right of action. AB 825, however, adds genetic data to the definition of “personal information” under California Civil Code § 1798.81.5(d)(1)(A) and thus expands the CCPA private right of action for data breaches involving “personal information” under this law.
AB 1184 increases protections for certain medical information that is particularly sensitive (mental health, reproductive health, gender-affirming care). The Confidentiality of Medical Information Act (CMIA) already has a private right of action for negligent release of medical information. Thus, the private right of action is expanded to include violations of the heightened protections that result in negligent release of the sensitive information.