Today, the California Senate Judiciary Committee will consider AB 1281, which would extend the California Consumer Privacy Act’s (CCPA) business-to-business and employment exemptions until January 1, 2022, in the event that the pending ballot initiative—which also would extend the exemptions—does not pass this November.

In addition, the Committee will consider two contact tracing measures, AB 660 (Levin) and AB 1782 (Chau).  Both bills could impact private employer and business contact tracing efforts:

  • AB 660 would prohibit use or disclosure of data collected for purposes of contact tracing for any other purposes. It generally would require deletion of such data within 60 days.
  • AB 1782 would require businesses that offer “technology-assisted contact tracing” to satisfy certain requirements, including providing individuals with the opportunity to revoke consent to collection of their personal information and rights to access, correct, and delete personal information. It also requires covered businesses to provide consumers certain disclosures, except where research or other exceptions apply, to delete personal information within 60 days from the time of collection, to maintain security safeguards, and to make available public reporting of the number of individuals whose information has been collected, amongst other content.

Finally, we also are watching SB 980, which passed out of the Senate on June 25, 2020 and is now under consideration by the Assembly.  SB 980 was scheduled for hearing before the Assembly’s Privacy and Consumer Protection Committee on July 28, although that hearing was postponed.  If enacted, the bill would impose certain additional privacy obligations on direct-to-consumer genetic testing companies that go beyond the CCPA, including requiring:

  • Express consent for collection, use, and disclosure of genetic data, with separate express consent for each of the following: (1) use of the genetic data for specific purposes; (2) storage of biological samples after initial testing is completed; (3) each use of genetic data or a biological sample after the initial testing request is fulfilled; (4) each disclosure of genetic data or a biological sample to a third party other than a service provider or certain research institutions; and (5) marketing based on genetic data or, with a limited exception for certain first-party marketing, the fact that a consumer used a genetic testing product. Consumers also must be able to revoke their consent, including to storage of the consumer’s biological sample.
  • Notice of the sharing of de-identified genetic or phenotypic information for research purposes.
  • Compliance with consumer access and deletion requests for genetic data (with only a limited exception to deletion rights as compared to the broad exceptions under the CCPA).
  • Compliance with consumer requests to destroy samples collected from them.
  • Non-discrimination protections.

Similar bills in California (also titled the California Genetic Information Privacy Act) failed to make their way through the California Senate in 2012 (SB 1267) and 2014 (SB 222).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.