California Enacts Genetic Information Privacy Law, CPRA and CMIA Amendments, and Other Privacy-Related Bills

New California laws will ban selling and buying illicitly obtained data, regulate the data practices of direct-to-consumer genetic testing companies, and amend the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Confidentiality of Medical Information Act (CMIA), and data breach notification laws.

The laws include:

  • SB 41, which establishes the Genetic Information Privacy Act (GIPA). The GIPA regulates direct-to-consumer genetic testing companies and includes requirements to:

    • implement and maintain reasonable security procedures and practices;

    • provide customers with clear and complete information about their collection, use, maintenance, and disclosure policies as they apply to genetic data;

    • develop procedures to allow consumers to easily access and delete their genetic data and their account;

    • obtain express consent for collection, use, and disclosure of a consumer's genetic data, including separate express consent for specified activities such as third-party data transfers and facilitating marketing based on the data; and

    • destroy a consumer's account, genetic data, and sample within 30 days of receiving a customer's revocation of consent to store it, unless retention is required to comply with other laws.

  • AB 825, which adds genetic data to the personal information definition used in California's data breach notification statutes. This change indirectly expands the California Consumer Privacy Act's (CCPA) private right of action for certain data breaches.

  • AB 694, which makes technical, non-substantive amendments to California Privacy Rights Act sections enacting California Civil Code Sections 1798.140, 1798.145, and 1798.199.40, including a clarification that the California Privacy Protection Agency's (CPPA) rulemaking authority begins six months after it notifies the Attorney General that it is ready to assume that responsibility.

  • AB 335, which provides an exemption to the CCPA's consumer right to opt out of personal information sales for vessel or ownership information transferred between vessel owners and dealers for the purpose of effectuating or in anticipation of a vessel repair covered by warranty or a recall.

  • AB 430, which amends California's debt collection and identity theft laws to allow identity theft victims to substitute an FTC identity theft report whenever a police report would otherwise be required in certain contexts, including where the victim seeks a debt collections stoppage or a civil judgment for identity theft.

  • AB 1391, which addresses unlawfully obtained data. The new law:

    • prohibits selling data or access to data that has been obtained or accessed pursuant to criminal activity;

    • prohibits buying data or access to data that the purchaser knows or reasonably should know was obtained or accessed through criminal activity; and

    • contains exceptions for whistleblowers, press reporting on matters of public concern, exercising constitutional rights, and other legal activity undertaken for certain security purposes.

  • AB 1184, which amends the Confidentiality of Medical Information Act (CMIA) and the Insurance Code to better protect the privacy rights of people receiving sensitive health care services, including reproductive health care and gender-affirming care, by restricting certain disclosures even if the patient is not the primary policyholder for their health insurance.

The new laws will go into effect on January 1, 2022.

Privacy

Aaron Messing