During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.
CPRA Amendment Bills
AB-694:
- This bill amends Section 1798.199.40 of the CPRA to clarify that the California Privacy Protection Agency (“CPPA”) must issue implementing CPRA regulations the later of either (1) July 1, 2021 or (2) within six months of the CPPA providing the California Attorney General with notice that it is prepared to assume rulemaking responsibilities under the CPRA.
- The bill also makes a number of non-substantive changes to the California Consumer Privacy Act (“CCPA”)/CPRA.
AB-335:
- This bill amends Section 1798.145 of the CPRA to exempt from the opt-out of sale right the sharing of vessel information or ownership information between a vessel dealer and the vessel’s manufacturer, to the extent the data is shared for the purpose of effectuating a vessel repair covered by a vessel warranty or recall, provided that the information is not sold, shared or used for any other purpose.
- This bill becomes effective January 1, 2022.
Genetic Data: California Data Breach Notification and Data Security Law Amendment Bill
AB-825:
- This bill amends California’s (1) data breach notification law (for both government agencies (Cal. Civ. Code Section 1798.29) and businesses (Cal. Civ. Code Section 1798.82))and (2) data security law (Cal. Civ. Code Section 1798.81.5) to add “genetic data” as a category of personal information that would trigger individual and regulator notification if breached (data breach notification law) and is required to be protected (data security law).
- The bill defines “genetic data” as “any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (“RNA”), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.”
Genetic Data: Genetic Testing Privacy Bill
SB-41:
- This bill, effective January 1, 2022, imposes a number of privacy and data security requirements on direct-to-consumer genetic testing companies.
- The bill defines a “direct-to-consumer genetic testing company” (“DTC Company”) as an entity that does any of the following: (1) sells, markets, interprets or otherwise offers consumer-initiated genetic testing products or services directly to consumers; (2) analyzes genetic data obtained from a consumer (unless the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition); or (3) collects, uses, maintains or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.
- The bill uses the same definition of “genetic data” as provided for in AB-825.
- Notice: The bill requires DTC Companies to provide:
(1) a summary of its privacy practices;
(2) a privacy notice that contains complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security and retention and deletion practices (and how to file a complaint alleging a violation of the law); and
(3) a notice that the consumer’s deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes.
- Consent: The bill requires DTC Companies to obtain consumers’ express consent for the collection, use and disclosure of consumers’ genetic data, including separate and express consent for:
(1) the use of genetic data through the genetic testing product (including who has access to the data, how genetic data may be shared and the purposes for which the data will be collected);
(2) the storage of the consumer’s biological sample after the testing required by the consumer has been fulfilled;
(3) each use of genetic data beyond the primary purpose of the genetic testing;
(4) each transfer or disclosure of genetic data or biological sample to third parties other than service providers, including the name of each third party to which the genetic data or biological sample will be disclosed; and
-
- The requirement to list the identity of each third party is notable, as it goes beyond that which is required under the CCPA, which requires that only the categories of third parties be disclosed to consumers.
(5) the marketing by a DTC Company to a consumer based on the consumer’s genetic data or the marketing by a third party based on fact that the consumer used the genetic testing product.
-
- DTC Companies do not, however, need to obtain express consent to market to consumers on their own website or mobile app based, as long as the ads do not depend on any information specific to the consumer except for the fact that the consumer purchased a product from the DTC Company.
- Consumers must also be able to revoke their consent, and DTC Companies must destroy such consumers’ biological samples within 30 days of any such revocation of consent.
- Disclosure Restrictions: Subject to certain exceptions, DTC Companies cannot disclose consumers’ genetic data to (1) any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance or employment; or (2) any entity that provides advice to an entity that is responsible for performing these functions.
- Service Provider Contracts: The law requires contracts between DTC Companies and service providers to prohibit the service provider from:
(1) retaining, using or disclosing the biological sample, extracted genetic material, genetic data or any information regarding the identity of the consumer (including whether that consumer has solicited or received genetic testing) for any purpose (including any commercial purpose) other than for the specific purpose of performing the services specified in the contract; and
(2) associating or combining the biological sample, extracted genetic material, genetic data or any information regarding the identity of the consumer (including whether that consumer has solicited or received genetic testing, as applicable) with information (a) the service provider has received from or on behalf of another person or persons or (b) has collected from its own interaction with consumers or as required by law.
- Consumer Rights: DTC Companies must develop procedures and practices to enable consumers to exercise the following rights:
(1) access to their genetic data;
(2) deletion of their consumer account and genetic data (except for genetic data that is required to be retained to comply with applicable legal and regulatory requirements);
(3) destruction of their biological sample; and
(4) non-discrimination for exercising the above rights (including denial of goods or services, charging different prices for goods and services, providing (or suggesting) a different level or quality of goods or services or considering the exercise of consumer rights as a basis for suspicion of criminal wrongdoing or unlawful conduct).
- Security: DTC Companies must implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.
- Exemptions: The bill does not apply to:
(1) providers of health care governed by the CMIA;
(2) covered entities or business associates governed by HIPAA;
(3) medical information governed by CMIA or protected health information governed by HIPAA;
(4) scientific research or educational activities conducted by certain educational institutions;
(5) the California Newborn Screening Program;
(6) tests conducted exclusively to diagnose whether an individual has a specific disease (subject to certain conditions);
(7) genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent necessary to comply with applicable law;
(8) data made available to the public by the consumer; and
(9) deidentified data (that meets the requirements for deidentification under the law).
- Penalties for Non-Compliance: The law will be enforced by the California Attorney General or certain district attorneys or city prosecutors. Penalties for negligent violations of the law can result in civil penalties up to $1,000 (plus court costs). Willful violations of the law can result in civil penalties of at least $1,000 up to $10,000 (plus court costs).
Medical Data: CMIA and Californian Insurance Code Amendment Bill
AB-1184:
- This bill amends the CMIA and California Insurance Code to require health care service plans or health insurers to accommodate requests for confidential communication of medical information regardless of whether there is a situation involving “sensitive” services (g., mental health, sexual health) or a situation in which disclosure would endanger the individual.
- This bill also amends the CMIA and California Insurance Code to prohibit a health care service plan or health insurer from requiring a protected individual, as defined, to obtain the policyholder, primary subscriber or other enrollee’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care. The bill also requires health care service plans and health insurers to direct all communications regarding a protected individual’s receipt of sensitive services directly to the protected individual, and prohibits the disclosure of that information to the policyholder, primary subscriber, or any plan enrollees without the authorization of the protected individual. Further, the bill requires health care service plans to notify subscribers and enrollees, and health insurers to notify insureds, that they may request a confidential communication in a specified format and how to make the request. The bill also requires health care service plans and health insurers to provide this information in a specified manner, including on the internet website of the health care service plan or health insurer.
- This bill becomes effective July 1, 2022.
Illegally Obtained Data
AB-1391:
- This bill makes it unlawful to sell data, or sell access to data, that has been obtained or accessed as a result of a crime. It also makes it unlawful to purchase or use data from a source that a person knows or reasonably should know has obtained or accessed data through the commission of a crime.
- The bill uses the broad definition of “data” that is found in the California penal code (and goes beyond personal information): “a representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions,” which may be “in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.”
- A violation of the bill does not constitute a crime.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code