January 29, 2023

Volume XIII, Number 29


January 27, 2023

Subscribe to Latest Legal News and Analysis

January 26, 2023

Subscribe to Latest Legal News and Analysis

September’s End Brings Surprising Changes to California Privacy Law

Notwithstanding a two-month-long pandemic shutdown, a wave of new legislation has flooded the halls of the California legislature, including four discreet privacy-related bills, each with different objectives and consequences. Upon the closing of the signature period, Gov. Newsom signed only two of the bills into law, vetoing the other two.

1.  CCPA Amendment on Employee & B2B Data, Assembly Bill 1281 (AB-1281) – Signed Sept. 29, 2020.

As discussed in further detail in our GT Alert, AB-1281 extends the expiration date for the exemptions for “employee” information and business-to-business (B2B) transactions from Jan. 1, 2021, to Jan. 1, 2022. The extension provides businesses with relief from the uncertainty surrounding the characterization of employee data, while affording lawmakers additional time to determine whether workplace information and B2B transactions should be covered under the law. This extension hinges on the California Privacy Rights Act (CPRA) ballot initiative set to take place this November; should the CPRA be voted into law, AB-1281 will not go into effect because the CPRA will extend the expiration date for these exemptions to Jan. 1, 2023, the effective date of the CPRA.

2.  CCPA Amendment on Medical Research, Assembly Bill 713 (AB-713) – Signed Sept. 26, 2020.

AB-713 amends the CCPA to address the concerns held by medical researchers and health care operations providers around patient privacy and medical research. Specifically, the amendments aim to harmonize the definitions of “deidentified information” in both the federal Health Insurance Portability and Accountability Act (HIPAA) and the CCPA. Additionally, the bill broadens the already-provided exemption for research data. Currently, the law exempts research data only if “clinical trial data”; the amendment’s definition includes a broader exemption of research data that may be outside of these clinical trials. The broadened exemption for research data may be particularly useful during the pandemic as scientists are rushing to develop COVID-19 vaccines for testing, study, and eventual distribution.

3.  Genetic Privacy, Senate Bill 980 (SB-980) – Vetoed Sept. 25, 2020.

Gov. Newsom vetoed SB-980, which would have established the Genetic Information Privacy Act (GIPA). Under GIPA, direct-to-consumer genetic testing companies would have faced stricter requirements as to collection, use, disclosure, maintenance, sale, and deletion of genetic data prior to or at the point of data collection. This bill, which would have only applied to genetic data, would have imposed various notice and express consent requirements prior to the collection, use, and disclosure of any of this information. Upon vetoing the bill, Gov. Newsom noted that notwithstanding his support of GIPA’s primary goals to protect genetic data, “the broad language in this bill risks unintended consequences, as the ‘opt-in’ provisions of the bill could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments.”

4.  Children’s Privacy. Assembly Bill 1138 (AB-1138) – Vetoed Sept. 29, 2020.

Lastly, relating to the California Online Privacy Protection Act (COPPA), Gov. Newsom vetoed a bill to require parental consent at the state level for children under 13 to create social media accounts. In his veto message, the governor acknowledged that COPPA, as federal law, already requires internet websites or online services to obtain verifiable parental consent prior to collecting any personal information from a child under 13, and recognized that states have the right to enforce this federal law. While the consent requirements are slightly nuanced, due to the likely “unnecessary confusion” that would result if passed, the governor withheld his signature on the bill.

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 286

About this Author

Kate Black Shareholder GT Law Miami SF Data, Privacy & Cybersecurity Life Sciences & Medical Technology IP Technology Licensing & Transactions

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and...

Gretchen A. Ramos, Lawyer, Greenberg Traurig, Data, Privacy & Cybersecurity,The Cloud,Artificial Intelligence, Big Data

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

Tyler Laurence Corporate Attorney Greenberg Traurig

Tyler J. Laurence is a member of the Corporate Practice in Greenberg Traurig's Miami office. He advises public and private companies on mergers and acquisitions, joint ventures, and corporate governance. Tyler also counsels clients on data privacy, information protection, and transactional IP matters.