December 21, 2021

California Passes Suite of New Privacy Laws


California continues to be at the vanguard of privacy protection. On October 11, 2021, California Governor Newsom signed several bills addressing privacy and data security. These new laws go into effect January 1, 2022, and include:

  • AB 335, which adds an exemption to the California Consumer Privacy Act (CCPA) consumer personal information sales opt-out right. This exemption applies to vessel information and ownership information shared between vessel owners and dealers, if the sharing is because the entity anticipates or is effectuating a warranty repair or vessel recall.
  • AB 430, which amends California's identity theft and debt collection laws. The amendment permits victims of identity theft to provide an FTC identity report in lieu of a police report in instances (i.e., stopping debt collection, civil judgment for identity theft) that formerly required a police report.
  • AB 694, which adds technical and non-substantive changes to the California Privacy Rights Act. This clarifies that the California Privacy Protection Agency's authority begins six months after it notifies the AG that it is prepared for rulemaking.
  • AB 825, which expands California's existing data breach notification laws to include genetic data in the definition of "personal information." This indirectly broadens the CCPA's private right of action for some data breaches that use this definition.
  • AB 1391, which addresses the sale of data obtained unlawfully. This law:
    • prohibits selling data and selling access to data that was obtained pursuant to the commission of a crime;
    • makes buying data unlawful if the buyer has actual or constructive knowledge that the data was accessed or obtained through criminal activity; and
    • carves out exceptions including press reporting matters of public concern, whistleblowers, and obtaining data for specific security purposes.
  • AB 1184, which amends the Confidentiality of Medical Information Act and the Insurance Code to increase privacy protections for patients receiving sensitive healthcare services including mental health, reproductive health, and gender-affirming care. The law restricts certain disclosures even where the patient is not their health insurance's policyholder.

California also joins a minority of states in passing a new law protecting the privacy of genetic information. SB 41, which creates the Genetic Information Privacy Act, requires direct-to-consumer genetic testing companies to:

  • clearly inform consumers how the company collects, uses, maintains, and discloses genetic data;
  • obtain express consent for use, collection, and disclosure of genetic data;
  • obtain separate express consent for specific activities including transfers to third parties, storage of biological samples, and marketing facilitated by genetic data;
  • implement mechanisms through which consumers may easily access and delete their account and genetic data;
  • destroy the consumer's sample and associated data within 30 days of consent revocation, unless the company is otherwise prohibited from doing so; and
  • maintain and implement reasonable security practices and procedures.

Notably, none of the new laws passed by California permit a new private right of action. AB 825, however, adds genetic data to the definition of "personal information" under California Civil Code § 1798.81.5(d)(1)(A) and thus expands the CCPA private right of action for data breaches involving "personal information" under this law.

AB 1184 increases protections for certain medical information that is particularly sensitive (mental health, reproductive health, gender-affirming care). The Confidentiality of Medical Information Act (CMIA) already has a private right of action for negligent release of medical information. Thus, the private right of action is expanded to include violations of the heightened protections that result in negligent release of the sensitive information.
