Notwithstanding a two-month-long pandemic shutdown, a wave of new legislation has flooded the halls of the California legislature, including four discreet privacy-related bills, each with different objectives and consequences. Upon the closing of the signature period, Gov. Newsom signed only two of the bills into law, vetoing the other two.
1. CCPA Amendment on Employee & B2B Data, Assembly Bill 1281 (AB-1281) – Signed Sept. 29, 2020.
As discussed in further detail in our GT Alert, AB-1281 extends the expiration date for the exemptions for “employee” information and business-to-business (B2B) transactions from Jan. 1, 2021, to Jan. 1, 2022. The extension provides businesses with relief from the uncertainty surrounding the characterization of employee data, while affording lawmakers additional time to determine whether workplace information and B2B transactions should be covered under the law. This extension hinges on the California Privacy Rights Act (CPRA) ballot initiative set to take place this November; should the CPRA be voted into law, AB-1281 will not go into effect because the CPRA will extend the expiration date for these exemptions to Jan. 1, 2023, the effective date of the CPRA.
2. CCPA Amendment on Medical Research, Assembly Bill 713 (AB-713) – Signed Sept. 26, 2020.
AB-713 amends the CCPA to address the concerns held by medical researchers and health care operations providers around patient privacy and medical research. Specifically, the amendments aim to harmonize the definitions of “deidentified information” in both the federal Health Insurance Portability and Accountability Act (HIPAA) and the CCPA. Additionally, the bill broadens the already-provided exemption for research data. Currently, the law exempts research data only if “clinical trial data”; the amendment’s definition includes a broader exemption of research data that may be outside of these clinical trials. The broadened exemption for research data may be particularly useful during the pandemic as scientists are rushing to develop COVID-19 vaccines for testing, study, and eventual distribution.
3. Genetic Privacy, Senate Bill 980 (SB-980) – Vetoed Sept. 25, 2020.
Gov. Newsom vetoed SB-980, which would have established the Genetic Information Privacy Act (GIPA). Under GIPA, direct-to-consumer genetic testing companies would have faced stricter requirements as to collection, use, disclosure, maintenance, sale, and deletion of genetic data prior to or at the point of data collection. This bill, which would have only applied to genetic data, would have imposed various notice and express consent requirements prior to the collection, use, and disclosure of any of this information. Upon vetoing the bill, Gov. Newsom noted that notwithstanding his support of GIPA’s primary goals to protect genetic data, “the broad language in this bill risks unintended consequences, as the ‘opt-in’ provisions of the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments.”
4. Children’s Privacy. Assembly Bill 1138 (AB-1138) – Vetoed Sept. 29, 2020.
Lastly, relating to the California Online Privacy Protection Act (COPPA), Gov. Newsom vetoed a bill to require parental consent at the state level for children under 13 to create social media accounts. In his veto message, the governor acknowledged that COPPA, as federal law, already requires internet websites or online services to obtain verifiable parental consent prior to collecting any personal information from a child under 13, and recognized that states have the right to enforce this federal law. While the consent requirements are slightly nuanced, due to the likely “unnecessary confusion” that would result if passed, the governor withheld his signature on the bill.