California’s Governor Gavin Newsom recently signed into law two bills to amend the California Consumer Privacy Act (“CCPA”). He also vetoed two other consumer privacy bills based on concerns about potential conflicts with existing state and federal law. Collectively, these four bills represented the most significant privacy legislation that came out of the California Legislature’s 2019-20 term, which came to a close on September 30th.
Only one of the two new CCPA amendments, AB713, includes substantive changes to the law. It streamlines the CCPA’s health information exception and imposes new obligations on CCPA businesses and others that handle deidentified patient information.
The other CCPA amendment, AB1281, simply extends the CCPA’s employee and B2B exemptions to January 1, 2022 if voters fail to pass Proposition 24 (CPRA or CCPA 2.0) in November. Those exemptions are currently set to expire on December 31st of this year.
Newsom also vetoed two consumer privacy bills despite expressing support for the goals of each. SB980 would have expanded consumer rights with respect to genetic information collected by direct-to-consumer genetic testing companies. Newsom’s veto was motivated by concerns that the law could have “unintended consequences” for the operation of the state’s communicable disease reporting requirements, including those applicable to COVID-19. The other bill, AB1138, would have imposed additional parental consent requirements on social media network operators. Newsom vetoed it to avoid potentially overlapping state and federal compliance obligations, citing parallels between the bill and federal regulations under the Children’s Online Privacy Protection Act (“COPPA”).
Here we outline the significant features of each of the new CCPA amendments.
AB713 – CCPA Health Information Amendment
The amendments also require that contracts for the sale or licensing of deidentified patient health information include new disclosures and reuse restrictions. However, this provision does not go into effect until January 1, 2021.
Expansion of CCPA Exemptions for Health and Research Information
Business associates of covered entities governed by HIPAA are now subject to a wholesale CCPA exemption to the extent the business associate “maintains, uses, and discloses patient information” in the same manner as medical information protected by the California Medical Information Act or protected health information under HIPAA. Cal. Civ. Code § 1798.146(a)(3). This change harmonizes the CCPA with HIPAA’s privacy and security rules, ensuring that business associates are not subject to both privacy regimes, at least with regard to PHI. Previously, the CCPA exemption was limited to only PHI collected by business associates.
Additionally, the CCPA’s health information research exemption has been expanded to include all types of research conducted in accordance with the Federal Policy for the Protection of Human Subjects (the Common Rule). Cal. Civ. Code § 1798.146(a)(5). Previously, the exemption was limited to “information collected as part of a clinical trial subject to the [Common Rule].” 1798.145(c)(C) (before AB713 amendment)..
Personal health information that is deidentified pursuant to HIPAA rules that is “derived from patient information that was originally collected, created, transmitted or maintained by an entity regulated by [HIPAA, CMIA, or the Common Rule]” is now also exempt. Cal. Civ. Code § 1798.146(a)(4)(A). Previously, the CCPA did not provide separate deidentification rules for health data. Rather, the law defined “personal information” as “not includ[ing] consumer information that is deidentified” (sec. 1798.140(o)(3)) and separately defined “deidentified” to mean data that met the law’s five-part definition of the term. Cal. Civ. Code § 1798.140(h). Concerns were raised that patient information deidentified under HIPAA might not meet CCPA deidentification standards, and thus potentially subject the HIPAA-deidentified information to the CCPA. The amendment removed this ambiguity, allowing businesses to solely rely upon HIPAA deidentification standards.
Reidentification of Personal Health Information Restricted For All – Not Just CCPA Businesses
The CCPA now includes a first-in-the-nation ban on the reidentification of personal health information, subject to limited exceptions. Businesses and “other persons” may now only reidentify personal health information (a) for treatment, payment or health care operations conducted by a covered entity or business associate acting on the written direction of a covered entity; (2) for public health purposes such as reporting and informing affected individuals about communicable disease exposure, communicating adverse events or other problems with FDA-regulated products, investigating workplace injuries or conducting workplace-related medical surveillance; (3) for research purposes; (4) to facilitate the testing, analysis, or validation of deidentification methods; or (5) if otherwise required by law. Cal. Civ. Code § 1798.148(a).
Notably, these restrictions on reidentification do not apply only to CCPA businesses; they govern “other person[s].” This means that all types of entities—including non-profits and for-profit entities that do not meet CCPA revenue thresholds—must comply with the CCPA’s new reidentification rules so long as they are generally subject to California law.
Businesses subject to CCPA that sell or disclose deidentified patient information must now disclose this fact in their privacy policies and also identify whether the patient information was deidentified pursuant to one or more of the HIPAA deidentification methodologies (expert determination method or safe harbor method). Cal. Civ. Code § 1798.130(a)(5)(D).
Contracts For Sale or License of Deidentified Information Require New Disclosures and Redisclosure Limitations
Contracts for the sale or licensing of deidentified patient information, where one of the parties is a person residing or doing business in California, must now include disclosures about the CCPA’s reidentification limits and contractually restrict the purchaser or licensee of the deidentified information from further disclosing the deidentified information to a third party unless the third party is contractually bound by “the same or stricter restrictions or conditions.” Cal. Civ. Code § 1798.148(c).
Amendments are Effective Immediately – Except New Contractual Requirements
Passed as an “urgency statute” under California law, all but one provision of AB713 went into effect on September 25, 2020. The only exception is the portion of the law that requires new contractual disclosures. That provision goes into effect on January 1, 2021. Cal. Civ. Code § 1798.148(c).
AB1281 – Extending Limited Exemptions in CCPA for Employee and B2B Personal Information
Governor Newsom also signed into law AB1281, which extends through December 31, 2021 the CCPA’s limited exemptions for employee and B2B personal information in the event California voters do not pass Proposition 24 (the Consumer Privacy Rights Act or “CPRA”) in November. If Proposition 24 passes, the CPRA will continue the exemptions through the end of 2022 and AB1281 will be moot.
These exemptions limit businesses’ obligation to comply with the full range of CCPA obligations with respect to employee, applicant and other certain business contacts. Both exemptions were added to the CCPA in late 2019 and contained a one-year sunset provision. The passage of AB1281 means businesses can continue their current practices with respect to employee and B2B personal information, at least through 2021. This is welcome news, especially if voters do not approve Proposition 24. While polling numbers suggest the initiative will pass, there is a growing chorus of No on 24 advocates including several major newspapers (e.g., San Francisco Chronicle, San Jose Mercury News) and California consumer groups (e.g., ACLU of CA, Consumer Federation, League of Women Voters, Center for Digital Democracy, EFF).
Looking ahead – Potential Impact of Proposition 24
Health Data Exemptions – AB713
If California voters approve Proposition 24 in November, AB713’s amendments to the CCPA will likely survive. Proposition 24 nullifies laws passed after January 1, 2020 that are in conflict with it, which are defined to mean laws that are not “consistent with and further the purpose and intent” of Proposition 24. Sec. 25(d). Because AB713’s enhanced privacy protections appear to be consistent with the “purpose and intent” of Proposition 24, it is likely they will not be adversely affected by passage of the initiative.
Employee and B2B Exemptions – AB1281
In the short term, Proposition 24 will benefit businesses by providing a temporary two-year extension of the employee and B2B exemptions through December 31, 2022. However, the initiative does not continue the exemptions beyond that date. It is possible that the exemptions could later be reinstated by amendment, but that could require the support of two-thirds of the California Legislature, the minimum required to amend initiative-created laws. While Proposition 24 creates an exception for the two-thirds rule and allows amendments based on a simple legislative majority, that exception applies only to amendments that “enhance privacy” and are “consistent with and further the purpose and intent” of Proposition 24. See Prop. 24, Sec. 25(a). Consumer advocates may argue that reinstating expired exemptions that limit data access rights is not “consistent with” nor does it “further the purpose or intent” of Proposition 24.