The California legislature recently passed several privacy-related bills, including Assembly Bill 713 (AB 713) and Senate Bill 980 (SB 980). AB 713 amends the California Consumer Privacy Act (CCPA) to exempt specific health information from the CCPA. SB 980, or the Genetic Information Privacy Act (the “Act”), creates data privacy and security compliance obligations for “direct-to-consumer genetic testing companies.”

CCPA Health Information Amendments

AB 713 amends the CCPA to revise its exemption for information regulated under the Health Insurance Portability and Accountability Act (HIPAA) and California’s Confidentiality of Medical Information Act (CMIA).  Under the current version of the CCPA, patient information processed by healthcare providers and covered entities is exempt from the CCPA to the extent it is maintained pursuant to HIPAA or the CMIA.  AB 713 would expand this exemption to apply to patient information processed by healthcare providers, covered entities, and business associates of covered entities to the extent such information is maintained, used, and disclosed pursuant to HIPAA or the CMIA. AB 713 also expands the CCPA’s HIPAA exemption to explicitly apply to information that is (1) deidentified pursuant to HIPAA requirements; and (2) derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by HIPAA or the CMIA. However, once deidentified information is subsequently reidentified, the exemption no longer applies except in certain circumstances.

AB 713 also adds new requirements relating to deidentified information. If an entity subject to the CCPA sells or discloses deidentified patient information, it must revise its online privacy policy to disclose the fact that the entity sells or discloses deidentified patient information and to state whether the information has been deidentified pursuant to the HIPAA expert determination method or the HIPAA safe harbor method.

Additionally, entities subject to the CCPA that sell or license deidentified patient information must include specific contractual clauses in contracts for the sale of deidentified information, including:

  • A statement that the deidentified information being sold or disclosed includes deidentified patient information;
  • A prohibition on the reidentification or attempted reidentification of deidentified information by the purchaser or licensee of the information, barring special circumstances; and
  • A requirement that, unless otherwise required by law, the purchaser or licensee of the information will not further disclose the deidentified patient information to any third party unless the third party is bound by the same or stricter restrictions and conditions.

California Genetic Information Privacy Act

SB 980 seeks to regulate the collection, use, maintenance, and disclosure of California residents’ genetic information by placing obligations on “direct-to-consumer genetic testing companies” and on other companies that collect, use, maintain, or disclose California residents’ genetic data that is collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a California consumer.  Under the Act, a “direct-to-consumer genetic testing company” is defined to include (1) entities that directly sell, market, or offer consumer-initiated genetic testing products (i.e., products that enable consumers to order and receive genetic testing results outside of the patient-physician relationship); and (2) entities that analyze consumers’ genetic information.

The Act requires a covered company to provide consumers with a summary of its privacy practices relating to genetic data; a prominent privacy notice that includes complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices; and a notice that a consumer’s deidentified genetic information may be shared with or disclosed to third parties for research purposes. Covered companies will also be required to:

  • Obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic information;
  • Provide processes for consumers to revoke their consent;
  • Develop procedures that enable consumers to access and delete their genetic information;
  • Implement and maintain reasonable security procedures and practices to protect consumer genetic data from unauthorized access, destruction, modification, or disclosure;
  • Not disclose consumer genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment; and
  • Not discriminate against consumers for exercising their rights.

Both AB 713 and SB 980 await Governor Gavin Newsom’s signature. If signed, AB 713 will take effect immediately as an urgency statute, while SB 980 will take effect on January 1, 2021.


Mary Colleen Fowler, a 2020 graduate of the University of Kansas School of Law, contributed to this post.  Ms. Fowler is a law clerk with Fey LLC.


Hannah Zimmerman, CIPT, is an associate attorney with Fey LLC.
