Privacy & Information Security Law Blog

On September 26, 2025, California Governor Gavin Newsom signed into law Assembly Bill 45 (AB-45), which amends existing law to strengthen privacy protections for the personal information of individuals receiving or providing health care services, including reproductive health care. AB-45 restricts the processing of personal information collected within the precise geolocation of family planning centers and in-person health care facilities. The law also regulates geofencing practices and sets new standards for the protection of research records related to individuals receiving health care services. Notably, AB-45 provides for a limited private right of action for individuals aggrieved by certain violations of the law. The law will take effect on January 1, 2026.

Key requirements of AB-45 include:  

• New Definitions/Expanded Scope of Application:
  • AB-45 extends the scope of existing law to apply to any “person” (i.e., natural person, association, proprietorship, corporation, trust, foundation, partnership or any other organization or group) engaging in the restricted or prohibited activities set forth in the law (the law previously applied only to “businesses,” as the term is defined under the CCPA).
  • AB-45 uses the CCPA’s definitions of “sale,” “personal information,” and “precise geolocation” (but broadens these definitions to apply to all “persons,” not only “consumers” or “businesses,” as these terms are defined in the CCPA).
  • “Collection” is broadly defined to mean “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a natural person by any means. This includes receiving information from the natural person, either actively or passively, or by observing the natural person’s behavior.”
  • “Family planning center” means “a facility categorized as a family planning center by the North American Industry Classification System . . . including, but not limited to, a clinic or center that provides reproductive health care services.”
  • “Geofence” means “any technology that enables spatial or location detection to establish a virtual boundary around, and detect an individual’s presence within, a ‘precise geolocation’ as defined in [the CCPA].”
  • “Share”: The definition of “share” is broader than the CCPA’s definition, and means “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a natural person’s personal information by another person to a third party, whether or not for monetary or other valuable consideration.”

• Strict Limits on Processing of Personal Information Collected Near Family Planning Centers. AB-45 prohibits the collection, use, disclosure, sale, sharing or retention of personal information of any individual at or within a precise geolocation of a family planning center, unless it is necessary to provide the goods or services explicitly requested by the individual (or as otherwise provided by law or in a collective bargaining agreement).
  • Private Right of Action: Individuals and entities aggrieved by a violation of these provisions can sue for damages up to three times the actual damages and any other expenses, costs or reasonable attorneys’ fees.
  • Exemptions: Providers of health care, health care service plans and contractors (as defined in Cal. Civ. Code Sect. 56.05) and HIPAA covered entities and business associates are exempted from coverage. (With respect to contractors and business associates, the exemption applies only if such entities are contractually obligated to comply with all applicable state and federal privacy laws.)

• Prohibition on Geofencing Health Care Facilities. AB-45 prohibits the use of geofencing technology around in-person health care facilities for the purpose of tracking, identifying, collecting personal information from, or sending targeted ads or notifications to, persons seeking, receiving or providing health care services. The law further makes it unlawful to sell personal information to, or share personal information with, third parties for the above-listed prohibited purposes. The law also prohibits the use of personal information obtained in violation of these prohibitions.
  • Exemptions: The law does not prohibit an in-person health care facility from geofencing the facility’s own location to provide necessary health care services, nor does it prohibit a reproductive health care provider from using geofencing technology to provide security to protect patients, staff or property. The law also exempts lawful warrants and subpoenas, certain matters regarding labor union activities, and certain research conducted pursuant to federal law.

• Protection of Research Records. The law prohibits the release of personally identifiable research records of individuals seeking or obtaining health care services in response to subpoenas or requests made pursuant to other states’ laws that interfere with a person’s rights under the California Reproductive Privacy Act or a foreign penal civil action.
• Penalty for Noncompliance. In addition to the law’s limited private right of action, the California Attorney General is empowered to enforce the law. Violations may result in injunctive relief and a civil penalty of $25,000 per violation. Penalties fund the California Reproductive Justice and Freedom Fund, which supports reproductive and sexual health education initiatives.