Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November.
In addition, the Committee will consider two contact tracing measures, AB 660 (Levin) and AB 1782 (Chau). Both bills could impact private employer and business contact tracing efforts:
- AB 660 would prohibit use or disclosure of data collected for purposes of contact tracing for any other purposes. It generally would require deletion of such data within 60 days.
- AB 1782 would require businesses that offer “technology-assisted contact tracing” to satisfy certain requirements, including providing individuals with the opportunity to revoke consent to collection of their personal information and rights to access, correct, and delete personal information. It also requires covered businesses to provide consumers certain disclosures, except where research or other exceptions apply, to delete personal information within 60 days from the time of collection, to maintain security safeguards, and to make available public reporting of the number of individuals whose information has been collected, amongst other content.
Finally, we also are watching SB 980, which passed out of the Senate on June 25, 2020 and is now under consideration by the Assembly. SB 980 was scheduled for hearing before the Assembly’s Privacy and Consumer Protection Committee on July 28, although that hearing was postponed. If enacted, the bill would impose certain additional privacy obligations on direct-to-consumer genetic testing companies that go beyond the CCPA, including requiring:
- Express consent for collection, use, and disclosure of genetic data, with separate express consent for each of the following: (1) use of the genetic data for specific purposes; (2) storage of biological samples after initial testing is completed; (3) each use of genetic data or a biological sample after the initial testing request is fulfilled; (4) each disclosure of genetic data or a biological sample to a third party other than a service provider or certain research institutions; and (5) marketing based on genetic data or, with a limited exception for certain first-party marketing, the fact that a consumer used a genetic testing product. Consumers also must be able to revoke their consent, including to storage of the consumer’s biological sample.
- Notice of the sharing of de-identified genetic or phenotypic information for research purposes.
- Compliance with consumer access and deletion requests for genetic data (with only a limited exception to deletion rights as compared to the broad exceptions under the CCPA).
- Compliance with consumer requests to destroy samples collected from them.
- Non-discrimination protections.
Similar bills in California (also titled the California Genetic Information Privacy Act) failed to make their way through the California Senate in 2012 (SB 1267) and 2014 (SB 222).