[co-author: Kelsey Fayer]
California continues to be at the forefront of privacy protection. On October 11, 2021, California Governor Newsom signed several bills dealing with privacy and data security. These new laws come into force on January 1, 2022 and include:
- AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) right to opt-out of sales of consumer personal information. This exemption applies to vessel information and ownership information shared between vessel owners and licensees, if the sharing is due to the entity anticipating or performing a warranty repair or vessel recall.
- AB 430, which amends California’s identity theft and debt collection laws. The amendment allows victims of identity theft to provide an FTC identity report instead of a police report in cases (ie.
- AB 694, which makes technical, non-substantial changes to the California Privacy Rights Act. It clarifies that the California Privacy Protection Agency's authority begins six months after it informs the AG that it is ready for rulemaking.
- AB 825, which expands existing data breach notification laws in California to include genetic data within the definition of “personal information.” This indirectly expands the CCPA’s private right of action for certain data breaches that use this definition.
- AB 1391, which deals with the sale of illegally obtained data. This law:
  - prohibits the sale of data and the sale of access to data obtained as a result of the commission of a crime;
  - makes the purchase of data illegal if the buyer has actual or implied knowledge that the data was accessed or obtained through criminal activity; and
  - provides for exceptions, including press reporting on matters of public interest, whistleblowers and obtaining data for specific security purposes.
- AB 1184, which amends the Law on Confidentiality of Medical Information and the Insurance Code to increase the protection of the privacy of patients receiving sensitive health services, including mental health, reproductive health and gender care. The law restricts certain disclosures even when the patient is not the policyholder of their health insurance.
California is also joining a minority of states in passing a new law protecting the confidentiality of genetic information. SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:
- clearly inform consumers of how the company collects, uses, stores and discloses genetic data;
- obtain express consent for the use, collection and disclosure of genetic data;
- obtain separate express consent for specific activities, including transfers to third parties, storage of biological samples and marketing facilitated by genetic data;
- implement mechanisms through which consumers can easily access and delete their account and genetic data;
- destroy the consumer sample and associated data within 30 days of revocation of consent, unless otherwise prohibited by the company; and
- maintain and implement reasonable security practices and procedures.
Notably, none of the new laws passed by California authorize a new private right of action. AB 825, however, adds genetic data to the definition of “personal information” under California Civil Code § 1798.81.5(d)(1)(A) and thereby extends the CCPA’s private right of action for data breaches involving “personal information” under this law.
AB 1184 strengthens the protection of certain particularly sensitive medical information (mental health, reproductive health, gender care). The Medical Information Confidentiality Act (CMIA) already has a private right of action for negligent disclosure of medical information. Thus, the private right of action is extended to include breaches of enhanced protections that result in the negligent disclosure of sensitive information.