December 21, 2021

California Passes Suite of New Privacy Laws


California continues to be at the vanguard of privacy protection. On October 11, 2021, California Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022, and include:

  • AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out right. This exemption applies to vessel information and ownership information shared between vessel owners and dealers, if the sharing is because the entity anticipates or is effectuating a warranty repair or vessel recall.
  • AB 430, which amends California's identity theft and debt collection laws. The amendment permits victims of identity theft to provide an FTC identity report in lieu of a police report in instances (i.e., stopping debt collection, civil judgment for identity theft) that formerly required a police report.
  • AB 694, which adds technical and non-substantive changes to the California Privacy Rights Act. This clarifies that the California Privacy Protection Agency's authority begins six months after it notifies the AG that it is prepared for rulemaking.
  • AB 825, which expands California's existing data breach notification laws to include genetic data in the definition of "personal information." This indirectly broadens the CCPA's private right of action for some data breaches that use this definition.
  • AB 1391, which addresses the sale of data obtained unlawfully. This law:
    • prohibits selling data and selling access to data that was obtained pursuant to the commission of a crime;
    • makes buying data unlawful if the buyer has actual or constructive knowledge that the data was accessed or obtained through criminal activity; and
    • carves out exceptions including press reporting matters of public concern, whistleblowers, and obtaining data for specific security purposes.
  • AB 1184, which amends the Confidentiality of Medical Information Act and the Insurance Code to increase privacy protections for patients receiving sensitive healthcare services including mental health, reproductive health, and gender-affirming care. The law restricts certain disclosures even where the patient is not their health insurance's policyholder.

California also joins a minority of states in passing a new law protecting the privacy of genetic information.  SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:

  • clearly inform consumers how the company collects, uses, maintains, and discloses genetic data;
  • obtain express consent for use, collection, and disclosure of genetic data;
  • obtain separate express consent for specific activities including transfers to third parties, storage of biological samples, and marketing facilitated by genetic data;
  • implement mechanisms through which consumers may easily access and delete their account and genetic data;
  • destroy the consumer's sample and associated data within 30 days of consent revocation, unless the company is otherwise prohibited from doing so; and
  • maintain and implement reasonable security practices and procedures.

Notably, none of the new laws passed by California permit a new private right of action.  AB 825, however, adds genetic data to the definition of "personal information" under California Civil Code § 1798.81.5(d)(1)(A) and thus expands the CCPA private right of action for data breaches involving "personal information" under this law.

AB 1184 increases protections for certain medical information that is particularly sensitive (mental health, reproductive health, gender-affirming care). The Confidentiality of Medical Information Act (CMIA) already has a private right of action for negligent release of medical information. Thus, the private right of action is expanded to include violations of the heightened protections that result in negligent release of the sensitive information.
