California lawmakers wrapped up this year's legislative session, passing roughly 900 bills this year. Among those were only a few privacy initiatives, which we outline below.

The California Privacy Rights Act (CPRA) was passed in November 2020, amending and expanding the California Consumer Privacy Act of 2018 (CCPA). As we previously reported, the CPRA established the California Privacy Protection Agency (Agency) and vested it with the "full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018." See Civil Code, § 1798.199.10(a). The amendments to the CCPA, via the CPRA, go into effect on January 1, 2023. Since then, the Agency has been hard at work, including an invitation to submit public comments, as we reported here.

Recent bills that have passed in the California Legislature will amend the CCPA and the CPRA.  According to the 2021 legislative calendar, September 10, 2021 was the last day for each house to pass bills, and October 10, 2021 is the last day for Governor Gavin Newsom to sign or veto the bills.

The privacy bills that are currently on Governor Newsom's desk are the following:

  • Senate Bill 41 (SB 41) will create the new Genetic Information Privacy Act (GIPA). You can read our detailed blog post about this bill here.
  • Assembly Bill 825 (AB 825) will help protect against breaches of genetic data by amending California's data breach notification law.
  • Assembly Bill 335 (AB 335) will amend the CCPA to allow marine manufacturers to maintain compliance with federal consumer protection law.
  • Assembly Bill 694 (AB 694) will clarify the timing for the Agency's rulemaking authority.

Any of these bills signed by Governor Newsom would take effect on January 1, 2022.

AB 825 (Personal Information, Data Breaches, Genetic Data)

AB 825 amends the definition of personal information in California's data breach notification law (California Civil Code § 1798.81.5) to include genetic data.

If signed by the Governor, AB 825 will require genetic data to be included in the definition of personal information. "Genetic data" would be defined as any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material. Genetic material, by definition, includes, but is not limited to, DNA, RNA, genes, and chromosomes.

Essentially, AB 825 seeks to modernize California's data breach notification law to better protect California residents' personal information and improve public accountability. This bill is of high importance as, throughout the years, millions of consumers have added their DNA to a commercial ancestry or health database. In the recent years, there have been numerous high-profile data breaches, leaving people's personal information (including genetic data) exposed.

It is interesting to note that AB 825 is a reintroduction of a prior bill, AB 2301, and, as it was introduced, was identical to AB 2301. Notable changes to AB 825, however, were made, which include using the term "genetic data" instead of "genetic information." It was also noted that "data" refers to any symbols representing empirical observations, whereas "information" refers to data that has been processed or contextualized. Thus, using the term "genetic data" tends to recognize the rapidly changing informational value.

AB 335 (Vessel Ownership Information)

AB 335 is an important bill for marine manufacturers. If signed by Governor Newsom, AB 335 will amend the CCPA to clarify that a consumer's right to opt out of the sale or sharing of their personal information does not apply to vessel or ownership information shared between a vessel manufacturer and dealer for the purpose of or in anticipation of a vessel repair covered by a warranty or recall.

This bill would also incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 694, as mentioned below-to be effective only if this bill and AB 694 are enacted, and this bill is enacted last.

AB 694 (Privacy and Consumer Protection: Omnibus Bill)

Finally, AB 694 amends the CPRA by making technical, but non-controversial changes to California Civil Code sections 1798.140 (Definitions), 1798.145 (Exemptions) and 1798.199.40 (Functions of the California Privacy Protection Agency).  This bill also clarifies the timing for the Agency's rulemaking authority.

The purpose of AB 694 is to increase the efficiency of the legislative process and eliminate the need to hear a number of stand-alone bills that might otherwise require individual consideration.

Notably, AB 694 amends California Civil Code § 1798.140 to include definitions, such as advertising and marketing, consent, contractor, and household. Additionally, AB 694 will correct a discrepancy between (1) California Civil Code § 1798.100.40(b), which provides for the Agency to assume responsibility for rule-making the earlier of July 1, 2021, or six months after the Agency provides notice to the Attorney General that it is prepared to assume responsibility; and (2) California Civil Code § 1798.185(d), which specifies that it is the "later" of these two dates. AB 694 now states that it should be the later of the two dates.

This bill would incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 335, as mentioned above-to be operative only if this bill and AB 335 are signed into law and this bill is enacted last.

Other Privacy Bills of Interest

Governor Newsom also signed two laws that protect the privacy of abortion providers and their patients.

AB 1356 strengthens protections, both online and at health care facilities, for patients seeking reproductive health care services. It will increase penalties for current crimes under the California Freedom of Access to Clinic Act and necessitates updates to online privacy laws and peace officer training related to anti-reproduction-rights offenses. If signed into law, it will also create new offenses arising from recording or photographing patients or providers within 100 feet of the entrance to a reproductive health services facility.

Finally, AB 1184 protects the privacy rights of people receiving sensitive health care services, including reproductive health care and gender-affirming care. If signed into law, it will help ensure that patient information is kept confidential, even if the patient is not the primary policyholder for their health insurance.

We will continue to follow the updates relating to these bills and will provide  final report when available. If your business is impacted by these latest legislative initiatives, our Mintz Privacy Team is available to discuss California privacy laws and how they impact your business.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.