California: Legislature passes bills amending CCPA and creating genetic information act
The California State Legislature ('the Legislature') passed, on 31 August 2020 and 1 September 2020, a series of bills that would amend the California Consumer Privacy Act of 2018 ('CCPA') and also create provisions on the use of genetic privacy information.
In particular, the list of bills includes Assembly Bill ('AB') 1281 which extends until 1 January 2022 the exemptions for employee information and business to business transactions under the CCPA, AB 713 on deidentified health information and Senate Bill ('SB') 980 on the Genetic Privacy Information Act.
The general exemption from the application of the CCPA for certain employee information as well as information reflecting a written or verbal communication or a transaction between a business and a natural person who is acting as an employee is extended by AB 1281 until 1 January 2022. In particular, AB 1281 continues to exempt information collected by a business about a natural person in the course of such person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor. In addition, it provides an exemption for information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding a product or service. Please note that AB 1281 would only become operative if the ballot initiative for the California Privacy Rights Act is not approved by voters at the November 2020 general election.
AB 713 seeks to exempt certain health information from the CCPA and would add the following to the list of exempted personal information:
- information that is deidentified in accordance with the requirements for deidentification under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and is derived from patient information. However, deidentified information that meets these criteria and is subsequently reidentified would no longer be eligible for the exemption, and would be subject to applicable federal and state data privacy and security laws; and
- information that is collected, used, or disclosed in research, as defined in the HIPAA Privacy Rule, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of HIPAA, the Federal Policy for the Protection of Human Subjects, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.
In addition, AB 713 would prohibit reidentification, or any attempt to reidentify, deidentified health information, except for certain purposes, including treatment, payment, or health care operations conducted by a covered entity or business associate, public health activities, research, reidentification pursuant to a contract where the lawful holder of the deidentified information expressly engages a person or entity to attempt to reidentify the deidentified information, or where otherwise required by law.
Finally, AB 713 would require that, from 1 January 2021, any contract for the sale or license of deidentified information where one of the parties is a person residing or doing business in California include the following provisions:
- a statement that the deidentified information being sold or licensed includes deidentified patient information;
- a statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited; and
- a requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
SB 980 requires direct-to-consumer genetic testing companies that collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or provided directly by a consumer, to provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer's express consent for the collection, use, or disclosure of the consumer's genetic data. Furthermore, SB 980 requires a direct-to-consumer genetic testing company to honour a consumer's revocation of consent in accordance with certain procedures and to destroy a consumer's biological sample within 30 days of revocation of consent.
More specifically, SB 980 provides that a direct-to-consumer genetic testing company, or any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a consumer, must:
- give clear and complete information regarding its policies and procedures for the collection, use, maintenance, and disclosure of genetic data by making available to a consumer the following:
  - a plain summary of its privacy practices providing information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data;
  - a prominent and easily accessible privacy notice that includes, at a minimum, complete information about data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation; and
  - a notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes; and
- obtain a consumer's express consent for the collection, use, and disclosure of genetic data, including, at a minimum, separate and express consent for each of the following:
  - the use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to the genetic data, how the genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed;
  - the storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled;
  - each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses;
  - each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed; and
  - the marketing or facilitation of marketing to a consumer based on the consumer's genetic data, or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.
All bills will need to be signed by 30 September 2020 by the California Governor, Gavin Newsom, before they become law.
Nikolaos Papageorgiou Lead Privacy Analyst