Autumn Amendments to the CCPA
Most recently, Governor Gavin Newsom signed three bills which enact significant amendments to the CCPA. These amendments impact health care entities, employee and business-to-business (B2B) information as well as provide further clarification on terms included in the CCPA. Each amendment is summarized below.
AB 1281: Employee & B2B Rights
AB 1281 extends the moratorium on CCPA rights for employees and business-to-business communications to January 1, 2022, unless further extended by CCPA 2.0 in the upcoming election. This means that businesses covered by CCPA currently only need to provide California employees with notice about the categories of personal information collected and how the information will be used. Employees also still have a private right of action for data breaches if the employer fails to implement reasonable security measures. However, employers are not required to provide employees with the Right to Know and Right to Delete. See here for our earlier alert on the moratorium.
As noted above, the moratorium only takes effect if the California Privacy Rights Act of 2020 (CPRA, commonly known as CCPA 2.0) set forth in Proposition 24 is not approved by voters in November. If passed, CCPA 2.0 would extend employee rights even further to January 1, 2023.
AB 713: Patient Information
AB 713 provides a welcome relief to health care entities by exempting properly de-identified patient information from CCPA requirements while adding additional contractual requirements to the sale and safeguarding of such information.
AB 713 updates the CCPA’s definition of de-identified data and exempts certain patient information from CCPA requirements. Specifically, patient information is exempt from CCPA requirements when the data is (i) de-identified in accordance with federal law, and (ii) is derived from medical information, protected health information, individually identifiable health information, or identifiable private information, consistent with specified federal policy (i.e., the Health Insurance Portability and Accountability Act of 1996 (HIPAA)). It also explicitly extends the described CCPA exemptions to business associates, as defined by HIPAA.
Though it clarifies exemptions for patient information from the CCPA, AB 713 does establish additional new privacy protections for de-identified patient information. The amendment requires new contractual safeguards when de-identified patient information is sold, imposes notice requirements disclosing the sale of de-identified patient information, and bans the reidentification of de-identified patient information. The contractual safeguards must be in effect by January 1, 2021.
AB 713 also exempts information that is collected for, used in, or disclosed in research. This includes information used in clinical trials that are conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
SB 1371: CCPA Definition Clarification
SB 1371 proposes non-substantive revisions to the CCPA section containing defined terms (Cal. Civil Code §1798.140) and non-substantive revisions to the section discussing how the CCPA interacts with other legal obligations (§1798.145). For example, it replaces “shall” with “does” throughout Section 1798.145, and it corrects “business’s” to “business’” throughout Section 1798.140.
What does this mean for business?
These amendments are likely a welcome update to businesses given that it provides further flexibility in the health care context and more time to prepare employee and B2B portions of privacy programs. Many businesses will welcome the additional time to ensure that their internal procedures for handling data subject requests from consumers can also appropriately process CCPA requests from employees and personal information received in a B2B context.