California Privacy Law Update:  The CCPA and CPRA Amended (Yet Again) and New Protection for Genetic Information

Consumer privacy continues to be an ever-evolving and active area of law, and California is still leading the way.

New Amendments to the CCPA and the CPRA

Earlier this month Governor Gavin Newsom signed bills into law that amend the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

Assembly Bill (AB) 694 is an omnibus bill that amends the CPRA with technical changes to California Civil Code sections on definitions and exemptions while also clarifying the timing for CPRA rulemaking by the California Privacy Protection Agency.  As a refresher, the CCPA grants consumers various rights, including the right to request that a business that has collected personal information about the consumer disclose the categories of personal information it has collected about that consumer and to delete such personal information.  The CPRA, approved by voters as a ballot proposition in November 2020, supplements and expands the CCPA, and established the California Privacy Protection Agency (CPPA or the “Agency”), which is vested with full power and authority to enforce the CCPA (including the additional requirements added by the CPRA).  AB 694 makes changes to definitions and exemptions in the CCPA, mostly to technically amend or add certain terms, including “advertising and marketing,” “consent,” “contractor,” and “household,” and adds genetic information to the definition of personal information.  It also incorporates AB 335, a niche amendment which applies an exemption to vessel ownership information, and adds genetic information to the definition of personal information.

AB 694 also clarifies the timing of the Agency’s rulemaking authority and remedies.  As amended by AB 694, the Agency will assume responsibility for rulemaking on and after the later of July 1, 2021, or within six months of the Agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities.  This rulemaking authority includes the charge to adopt, amend, and rescind regulations to carry out the purposes and provisions of the CCPA, including regulations specifying recordkeeping requirements for businesses to ensure compliance with the CCPA.  The regulations will form the basis of the Agency’s enforcement power.  Practically, AB 694 clarifies that the Agency’s authority is tied to six months after it provides notice to the Attorney General of proposed rulemaking.  This is generally expected to occur in early 2022.  The Agency is currently required to submit final regulations by July 1, 2022, before the CPRA takes effect.

Protection for Genetic Information

AB 825, signed into law by the Governor, expands data breach accountability.  AB 825 amends the definition of personal information in California’s data breach notification law (California Civil Code §§ 1798.29, 1798.81.5, 1798.82) to include genetic data. “Genetic data” is defined as any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material.  Genetic material, by definition, includes, but is not limited to, DNA, RNA, genes, and chromosomes.  The definition specifically refers to “data” instead of “information,” which leaves room to include unprocessed and changing format values, and then adds all information derived therefrom.  Moreover, as the CCPA’s private right of action includes all personal information included in Section 1798.81.5, AB 825 also thereby explicitly expands the private right of action under the CCPA to include genetic data. 

Additionally, Governor Newsom signed Senate Bill 41 establishing the new Genetic Information Privacy Act (“GIPA”).  The GIPA applies to direct-to-consumer genetic testing companies, which the GIPA defines as a company that (1) sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers; (2) analyzes genetic data obtained from a consumer (with the exception of analysis done for medical treatment); or (3) collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer. 

The GIPA requires direct-to-consumer genetic testing companies to:

  • Provide a consumer with information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data and to obtain express consent from the consumer for all such procedures.
  • Honor a consumer’s withdrawal of consent and destroy a consumer’s biological sample within 30 days of the consumer’s revocation of consent.
  • Implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures to enable a consumer to access and delete their genetic data (with some exceptions).

The GIPA does not reduce the application of requirements of any other state or privacy laws, and if a conflict were to exist, companies are required to follow the provisions of whatever law provides the greatest protection to consumers.  The GIPA also imposes civil penalties for violations—up to $1,000 plus court costs for a negligent violation, and up to $10,000 plus costs for an intentional violation.  Moreover, each violation of GIPA is a separate and actionable violation, and there is no cure period for violations.  Enforcement of the law will be by the Attorney General, or local government counsel or prosecutors.  The GIPA does not have a direct private right of action, but, as discussed above, private plaintiffs could pursue a private right of action under the CCPA’s new revisions, as well as under California’s Unfair Competition Law (California Business & Professional Code §§ 17200, et seq.). The GIPA was filed with the Secretary of State on October 6, 2021 and both it and AB 825 become effective on January 1, 2022.

Conclusion 

The legal landscape of data privacy has only grown more complex with the recent passage of these bills.  If you have any privacy-related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions or compliance questions.  If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators who are well-versed in California privacy law and ready to step in and defend you.

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.   

    © 2020 Atkinson, Andelson, Loya, Ruud & Romo
