The California legislature recently passed a series of privacy-related bills that await Governor Gavin Newsom’s signature. Governor Newsom has until September 30th to sign these bills into law. The legislature in Sacramento voted to extend the employee and business-to-business (“B2B”) exemptions from the definition of “Consumer” in the California Consumer Privacy Act (“CCPA”). The California legislature also took action on health privacy and genetic privacy. We will discuss the genetic privacy legislation in a separate post.
The “employee” exemption refers to data collected within the employment relationship, including job applicants, employees, owners, directors, officers, and contractors. This data is currently exempt from significant CCPA obligations. CCPA section 1798.100(b) still requires businesses to provide notice to these employees. The B2B exemption refers to data in business-to-business interactions, where the data subject is providing personal information on behalf of a business, and the communications or transactions solely in relation to providing or receiving a product or service to or from another business. Businesses must still provide B2B consumers the right to opt-out of the sale of their information.
AB 1281 extends the employee and B2B exemptions until January 1, 2022. This legislation only applies if the California Consumer Privacy Act (“CPRA”) ballot initiative does not pass during the state’s November 3rd general election. AB 1281 would take effect if the legislation is enacted and voters do not approve of CPRA. If, however, the CPRA is successful, the ballot initiative would also extend these particular exemptions until January 1, 2023. The introductory paragraphs of the CPRA explicitly state that “the privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” It is clear that legislators took a very practical position of not forcing businesses practicing in California to spend resources on policies and procedures to meet changed employee and B2B treatments given that passage of the CPRA would make those expenditures unnecessary. Now such businesses can simply focus on meeting their CCPA obligations for current consumers and address the CPRA changes if the initiative is approved by voters.
AB 713 would exempt certain health information from the CCPA. It clarified that information de-identified pursuant to the Privacy Rule of the Health Information Portability and Accountability Act (“HIPAA”) would be exempt from the CCPA. Like other categories of personal data subject to the CCPA, subsequently reidentified would no longer be eligible for the exemption.
AB-713 also would prohibit reidentification other than for certain purposes such as, operations, treatment, payment, public health activities, research, contractual requirement with the holder, or otherwise required by law. Also of significance, AB-713 would require applicable businesses to include contract provisions whenever there is a sale or license of de-identified information. Businesses would need to represent that the de-identified information in the transaction includes patient information. The contract must include an explicit prohibition on the receiving party from reidentifying the deidentified patient information. The receiving party, subject to applicable law, must also be prohibited from further disclosing the deidentified third parties unless contractually bound by equal or stricter confidentiality measures.
As election day approaches and the CPRA comes closer, California is focused on data privacy in many different ways that will likely affect and influence the rest of the country.