In a flurry of legislative activity, the California legislature passed a number of last-minute privacy bills that now await the signature of Governor Gavin Newsom in order to go into effect. As was expected, the California legislature voted to extend the employee and business-to-business (B2B) exemptions in the California Consumer Privacy Act (CCPA) (that are currently set to expire on January 1, 2021) to January 1, 2022 (depending on whether the California Privacy Rights Act (CPRA) is voted into law). More surprisingly, the California legislature also passed bills regulating health privacy and genetic privacy. These laws supplement the obligations that businesses already have under the CCPA and are passed in the backdrop of Californians voting on the CPRA on November 3 (which we have previously written about here).
This blog post summarizes these bills and identifies the compliance obligations that each law imposes on businesses. Governor Newsom has until September 30 to sign each of these bills into law.
CCPA Employee and B2B Exemptions
The California legislature passed AB 1281, which extends the current versions of the employee and B2B exemptions in the CCPA until January 1, 2022, unless Californians vote in favor of passing the CPRA on November 3. If the CPRA passes, AB 1281 never goes into effect but the CCPA’s employee and B2B exemptions extend until January 1, 2023, because of a provision in the CPRA. Practically speaking, this means that businesses have at least another year to expand their privacy programs to cover employee and B2B information. Notably, AB 1281 does not change the scope of the employee and B2B exemptions in the CCPA (which means, in the case of the B2B exemption, it still does not apply in every B2B situation and businesses must still provide B2B contacts with the right to opt out of sale).
Other than extending the CCPA’s employee and B2B exemptions, the CPRA itself does not explicitly address these categories of information, except to make clear in the introductory paragraphs of the law that “the privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” Should the CPRA pass into law, it is likely that the California legislature will have to independently address the issue of employee and B2B information prior to when most of the law’s substantive provisions go into effect and when the current exemptions expire (which is January 1, 2023, for both).
Health Privacy
The California legislature also passed a law regulating health privacy and revising the CCPA’s exemption for information regulated under the Health Insurance Portability and Accountability Act (HIPAA). AB 713 requires a business that “sells” (as that term is defined in the CCPA) or discloses deidentified patient information (as defined by a new provision in the law, elaborated on below) to notify consumers in its privacy policy of the fact that the business sells or discloses deidentified information and to identify whether the information in question is deidentified pursuant to the HIPAA expert determination method or the HIPAA safe harbor method.
The bill both expands and narrows the scope of the CCPA’s HIPAA and Confidentiality of Medical Information Act (CMIA) exemptions. First, the law clarifies that patient information processed by healthcare providers is exempt from the CCPA only if it is maintained, used and disclosed pursuant to HIPAA or the CMIA (previously, the information only needed to be “maintained” pursuant to those laws to be exempt). The law then expands the CCPA’s HIPAA exemption so that it explicitly applies to information that is 1) deidentified pursuant to the HIPAA standards; and 2) derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule. However, the law makes clear that information that was previously deidentified but subsequently reidentified is no longer exempt from the CCPA upon reidentification. (The California text does not directly address whether such reidentification would independently violate, for example, the HIPAA deidentification standards.) The law further states that deidentified patient information can be reidentified only for certain specified purposes (including treatment, research and public health activities), again without discussing whether reidentification, even for these specific purposes, would create tensions with the HIPAA requirements for reidentification.
Finally, the law states that any contract for the sale of deidentified patient information must include the following:
- A statement that the deidentified information being sold or licensed includes deidentified patient information;
- A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to Section 1798.146 and Section 1798.148(c)(2) (of the revised CCPA); and
- A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
This new obligation will create an additional compliance obligation for certain entities that sell deidentified information, even if the underlying information that has been deidentified is not itself subject to CCPA because of other exemptions.
AB 713 does not create its own separate penalties, meaning that it adopts those currently in the CCPA (violations are enforceable only by the California AG and can lead to penalties up to $7,500 per violation). Should AB 713 be signed into law, it would go into effect on January 1, 2021.
Genetic Privacy
In addition to the health privacy bill, the California legislature also passed SB 980, the “Genetic Information Privacy Act.” This bill applies to any “direct-to-consumer genetic testing” company[1], and to any other company that collects, uses, maintains or discloses genetic data[2] collected or derived from a direct-to-consumer genetic testing product or service or provided directly by a consumer. Such a company must: 1) provide consumers with clear and complete information regarding its policies and procedures for the collection, use, maintenance and disclosure (as applicable) of genetic data, by making available to the consumer a summary of its privacy practices with regard to genetic data, its privacy policy, and notice that the consumer’s deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes; and 2) obtain the consumer’s express consent (which must meet certain disclosure requirements) for the collection, use and disclosure of the consumer’s genetic data.
Businesses subject to this law are also required to:
- Provide a mechanism for consumers to revoke their consent;
- Implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification or disclosure;
- Develop policies and procedures to enable a consumer to access or delete their genetic data;
- Create a process for a consumer to request that their biological sample be destroyed; and
- Refrain from discriminating against consumers for exercising any of their rights.
Further, a direct-to-consumer genetic testing company, or any other company that collects, uses, maintains or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or provided directly by a consumer, is prohibited from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment, or to any entity that provides advice to an entity that is responsible for performing those functions (subject to a narrow exception).
As is the case with the CCPA, the Genetic Information Privacy Act does not apply to medical information regulated under HIPAA or the CMIA or to information that healthcare providers or business associates maintain, use and disclose pursuant to HIPAA. The bill also exempts scientific research conducted pursuant to the Common Rule.
Negligent and willful violations of the law can lead to penalties of up to $1,000 and $10,000 per violation, respectively, and the law makes clear that each individual violation can lead to a separate penalty. The law does not provide a private right of action and is enforceable only by the California AG or by a California district attorney, city attorney, county counsel or city prosecutor. Like AB 713, the Genetic Information Privacy Act would go into effect on January 1, 2021, if signed into law.
[1] A “direct-to-consumer genetic testing” company is defined broadly as an entity that does either of the following: 1) sells, markets, interprets or otherwise offers consumer-initiated genetic testing products or services directly to consumers; or 2) analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
[2] “Genetic data” is also defined broadly as “any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.”