Governor Newsom closed out the 2019-20 California Legislative session by signing into law two California privacy bills and vetoing two others. This article discusses the two bills that were signed (both of which amended the CCPA, one of which is effective immediately): Assembly Bill (AB) 713 amending the CCPA’s provisions regarding patient data to, among other things, address de-identification and information used for research and public health purposes, and AB 1281, which provides a much-requested extension to the employee and business-to-business (B2B) exemptions under the CCPA that were set to expire this year. The article also describes the bills the Governor vetoed: Senate Bill (SB) 980 that would have created the Genetic Information Privacy Act (GIPA), and AB 1138 which would have required social media companies to obtain additional types of parental consent for the use of their services by California residents under 13 years of age.
Newsom Signs AB 713 Amending the CCPA to Provide Clarity to Health Care and Life Sciences Companies
After the California Consumer Privacy Act (CCPA or the Act) went into effect in January 2020, many questions were left unanswered, including the extent of the health care and research exemption under the Act. On August 31, 2020, the California legislature passed AB 713 amending the CCPA to more closely align the Act with the Health Insurance Portability and Accountability Act (HIPAA) and other laws governing human subjects research, effective January 1, 2021. More specifically, AB 713 seeks to harmonize the CCPA with the de-identification standards set forth in HIPAA and provide other important clarifications for life sciences companies, medical researchers, and health care providers. AB 713 was signed into law by Governor Newsom on September 29, 2020. The salient principles of AB 713 are described below:
Although the CCPA already excludes de-identified data from its definition of personal information if general technical safeguards and business processes are used, the CCPA does not provide further insight into the specific standards required for de-identification. Without the CCPA amendment included in AB 713, it is possible for data that has been de-identified under the HIPAA de-identification standard to constitute “personal information” under the CCPA because CCPA and the HIPAA Privacy Rule include different language for their respective de-identification standards. This has complicated CCPA-regulated businesses’ strategies for licensing or otherwise commercializing HIPAA de-identified data.
AB 713 resolves the potential disconnect between the CCPA and HIPAA’s de-identification standards by expressly providing that the CCPA does not apply to information that meets the following conditions:
- The information has been de-identified in accordance with either HIPAA de-identification method: removal of the 18 specified identifiers (known as the “safe harbor” method) or expert determination.
- The information was derived from patient information that was originally collected, created, transmitted or maintained by an entity subject to HIPAA, the California Confidentiality of Medical Information Act (CMIA) or the Federal Policy for the Protection of Human Subjects (Common Rule).
- The information has not been re-identified.
This exception applies to HIPAA de-identified data held by entities that are not themselves directly regulated by HIPAA, the CMIA, or the Common Rule, such as certain pharmaceutical, medical device or life sciences companies, provided that the de-identified data is derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by HIPAA, the CMIA or the Common Rule.
Prohibition Against Re-Identification of De-identified Patient Information
AB 713 also prohibits a CCPA-regulated business or other person from re-identifying, or attempting to re-identify, any de-identified patient information unless the re-identification activity is for one of the following purposes:
- A HIPAA-regulated entity’s treatment, payment, or health care operations purposes;
- Public health activities or purposes set forth in HIPAA;
- Research, as defined by HIPAA and carried out in accordance with the Common Rule; or
- Performance of a contract that engages an entity to re-identify the de-identified patient information for testing, analysis, or validation of the de-identification.
CCPA-regulated businesses and other persons that seek to re-identify any de-identified patient information must evaluate whether the CCPA applies to them and permits the re-identification.
Expanded Consumer Privacy Notice Requirements
Exception for HIPAA Business Associates
Although the CCPA as enacted excepted from its applicability any protected health information collected by a HIPAA covered entity or business associate and also contains an exception for all HIPAA covered entities to the extent that they maintain, use or disclose patient information in the same manner as protected health information subject to HIPAA, it does not presently include a similar entity-based exception for HIPAA business associates and the patient information they protect in the same manner as protected health information.
AB 713 amends the CCPA to except all business associates to the extent that they maintain, use, or disclose patient information in the same manner as protected health information. Accordingly, a CCPA-regulated business associate that collects patient information through a service line that is not subject to HIPAA, such as a direct-to-consumer offering, would not need to comply with the CCPA with respect to such information if the business associate applies HIPAA protections to the information.
Medical Research Exception
The CCPA currently includes an exception for personal information collected as part of clinical trials that are subject to the Common Rule, international good clinical practice guidelines, or the human subject protection regulations of the US Food and Drug Administration (FDA). AB 713 expands the exception to except any personal information collected, used or disclosed in any biomedical research (as defined by HIPAA) that is subject to institutional review board (IRB) standards and the ethics, confidentiality, privacy and security rules of 45 CFR Part 164 (e.g., the HIPAA Privacy and Security Rules), the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation or FDA human subject protection requirements. Thus, the CCPA’s research exception will no longer be limited to clinical trials.
Product and Medical Device Tracking
AB 713 also provides a limited carveout for personal information collected by a business for product registration and tracking consistent with FDA regulations, for activities related to quality, safety or effectiveness regulated by the FDA, or for other federally regulated public health activities and purposes. However, this exemption applies only to some of the provisions of the CCPA; the disclosure and breach enforcement provisions would still apply.
New Contracting Requirements
AB 713 requires a contract for the sale or license of de-identified patient information, where one of the parties resides or does business in California, to include the following provisions:
- A statement that the de-identified information being sold or licensed includes de-identified patient information;
- A statement that the CCPA prohibits the purchaser or licensee from re-identifying, or attempting to re-identify, the de-identified patient information;
- A statement that prohibits the purchaser or licensee from further disclosing the de-identified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
While the CCPA generally only applies to “businesses” that process the personal information of California consumers and have an annual revenue of at least $25 million (or meet another threshold), the new contracting requirements under AB 713 also apply where “one of the parties is a person residing or doing business in” California even if the business is not based in California.
Now that AB 713 has been signed by Governor Newsom, CCPA-regulated businesses that license or otherwise disclose de-identified patient information, and licensees and purchasers of the information, should assess whether their contracts covering the information must be amended, revise their consumer privacy notices as needed to comply with the new de-identification disclosure requirement and consider updating their de-identification policies and procedures to reflect the new flexibility created by AB 713.
Newsom Signs AB 1281 Extending CCPA Business Exceptions
AB 1281, which Governor Newsom signed into law on Sept. 29, 2020, extends two exceptions for businesses under the CCPA for one year to January 1, 2022, unless Proposition 24 (CPRA) is approved by the voters on November 3rd. Proposition 24 would extend the exemptions by two years, until January 1, 2023.
As amended in September 2019, the CCPA exempted businesses from complying with the CCPA’s rights to know, delete, and opt-out for personal information collected from a “natural person” acting as a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” Cal. Civil Code § 1798.145(h)(1). The exception did not—and does not—apply to a consumer’s rights to notice or to bring a private right of action under the CCPA. Id. § 1798.145(h)(3).
To qualify for the exception, a business may use the personal information only “within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of,” or in another position listed in the statute. As originally enacted in September 2019 by AB 1355 and its companion bills, the exception was set to expire on January 1, 2021. AB 1281 extends the exception to January 1, 2022, unless Proposition 24 is approved.
AB 1281 also amends a second business-related exception to the CCPA’s provisions, known as the business-to-business or “B2B” exception. Cal. Civil Code § 1798.145(n). That exception exempted a business from complying with the CCPA’s provisions regarding notice and the rights to know, delete, and opt out for any “written or verbal communication or a transaction” between a business and a “natural person” who is “acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency.” Id. § 1798.145(n)(1). The exception applies only if the communication or transaction occurs solely “within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.”
The B2B exception was set to expire on January 1, 2021; AB 1281 extends the deadline by one year to January 1, 2022.
AB 1281 will not become effective if voters ratify “any ballot proposition that amends Section 1798.145” of the Civil Code in the November 3, 2020 election. The only proposition on the ballot that would do so is Proposition 24, also known as the California Privacy Rights Act. Proposition 24 would extend the employee and B2B exceptions by two years, through January 1, 2023.
Governor Newsom Vetoes Bill to Establish the Genetic Information Privacy Act
On September 25, 2020, Governor Gavin Newsom vetoed SB 980, the Genetic Information Privacy Act (GIPA), which set out to create a new privacy and security regulatory scheme for direct-to-consumer (DTC) genetic testing companies and others that collect or process genetic information.
Despite vetoing SB 980, Governor Newsom stated in his message accompanying the veto that he shares the perspective that the sensitive nature of human genetic data warrants strong privacy protections, but is concerned that “the broad language in this bill risks unintended consequences, as the ‘opt-in’ provisions of the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments.”
GIPA would have required DTC genetic testing companies, i.e., those that sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers, or that analyze genetic data obtained from consumers (except licensed providers diagnosing or treating a medical condition), to comply with certain privacy and data security provisions. In particular, SB 980, as currently written, requires DTC genetic testing companies (or any other company that collects, uses, maintains, or discloses genetic data collected or derived from a DTC genetic testing product or service) to:
- Provide notice regarding the company’s policies and procedures regarding the collection, use, maintenance, and disclosure of genetic data;
- Obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, including separate express consent for each of a number of defined activities, such as the transfer of genetic data to a third party and the marketing to a consumer based on the consumer’s genetic data;
- Provide effective mechanisms for a consumer to revoke consent;
- Honor a consumer’s revocation of consent as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with the federal regulations on the protection of human subjects, and destroy a consumer’s biological sample within 30 days of the revocation of consent to store the sample;
- Implement and maintain reasonable security procedures and practices to protect consumers’ genetic data against unauthorized access, destruction, use, modification, or disclosure;
- Develop practices and procedures to enable a consumer to access the consumer’s genetic data, delete the consumer’s account and genetic data (except as required to comply with applicable law) and have the consumer’s biological sample destroyed;
- Not disclose, subject to certain exceptions, a consumer’s genetic data to certain entities (e.g., those responsible for making decisions regarding health insurance, life insurance, or employment); and
- Not discriminate against a consumer for exercising his or her rights under GIPA.
In short, GIPA outlines a new privacy and security regulatory scheme with action steps required for compliance. The bill’s veto reflects a disagreement over the details of how best to safeguard genetic information rather than disagreement with the principles of the bill. Newsom directed the California Health and Human Services Agency and the Department of Public Health to work with the California legislature in order to create legislation that would achieve the privacy aims of SB 980 while preventing inadvertent impacts on COVID-19 testing efforts. SB 980’s author, California State Senator Tom Umberg, publicly stated he will work with the governor’s office to craft a new bill quickly.
Newsom Vetoes AB 1138, the Parent’s Accountability and Child Protection Act
On September 29, 2020, Governor Newsom vetoed AB 1138, which would have prohibited a person or business operating in California from permitting “a person who the business actually knows is under 13 years of age to create an account” on a “social media website or application” operated by the person or business. The person or business, however, would have been permitted to obtain the “consent of the [child’s] parent or guardian” to create a social media account so long as it took “reasonable measures” to ensure that the person giving consent was the child’s parent or legal guardian.
The bill listed eight methods for obtaining parental consent, including any method for obtaining “verifiable parental consent that complies with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. Sec. 6501 et seq.).” The remaining seven methods paralleled methods for obtaining parental consent under COPPA, either as defined by regulation, 16 CFR 312.5(b), or as approved by the Federal Trade Commission.
The bill defined “social media” broadly as any “electronic service or account held open to the general public to post, on either a public or a semipublic page dedicated to a particular user, electronic content or communication, including, but not limited to, videos, still photographs, or messages intended to facilitate the sharing of information, ideas, personal messages, or other content.”
In vetoing the bill, Governor Newsom said, “Given its overlap with federal law, this bill would not meaningfully expand protections for children, and it may result in unnecessary confusion.” AB 1138 would have taken effect on July 1, 2021.
The views expressed in this article are exclusively those of the authors and do not necessarily reflect those of either Theodora Oringher PC and its partners or of the Center for Democracy & Technology. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.
Jennifer S. Elkayam is a Counsel at Theodora Oringher PC and focuses on antitrust and unfair competition, and privacy and data security. She is a member of the California Lawyers Association’s Privacy Publications Committee.
Cody Venzke is Policy Counsel at the Center for Democracy & Technology. He is a member of the California Lawyers Association’s Privacy Publications Committee.