Data Privacy Legislation in California Keeps Moving Forward
Bills that would regulate the sharing of genetic data and carve some HIPAA data out of CCPA coverage are close to becoming law in California.
For many companies, the California Consumer Privacy Act, the state’s landmark data privacy bill that went into effect earlier this year, may already be in the rear-view mirror. Businesses no doubt spent time over the past few years clearing hurdles to put in place privacy policies that give consumers the ability to control how their data is handled and shared.
In reality, though, data privacy in California is just starting to heat up as a handful of bills focused on regulating data continue to advance through the California State Assembly.
Under one piece of legislation, an amendment to the CCPA, California would have to observe federal privacy standards for patient healthcare data. A.B. 713, introduced by Assemblyman Kevin Mullin, got the votes it needed in the Senate and the Assembly on Monday. The bill still needs to be signed into law by California Governor Gavin Newsom.
The amendment would exempt data de-identified in accordance with the Health Insurance Portability and Accountability Act (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI).
Currently the CCPA says that “personal information” “does not include consumer information that is de-identified or aggregate consumer information.”
Another bill making its way through California's government would require direct-to-consumer genetic testing companies to obtain consent from customers before sharing their data with a third party. Specifically, the companies would have to obtain a consumer's express consent before collecting, using and disclosing genetic data.
The bill, S.B. 980, has seen overwhelming approval in the Senate, where it passed 39-0 on Monday, and in the Assembly, which passed it 69-0 last month.
Like A.B. 713, the fate of the bill, also known as the Genetic Information Privacy Act, rests in the hands of California’s Governor.
Both of the efforts come as Proposition 24, aka the California Privacy Rights Act or CPRA, looms over California's impending November ballot. The initiative, which has been dubbed CCPA 2.0 by many, would put further limits on how companies collect and use personal information, penalize organizations that compromise data belonging to children, and make it harder to weaken privacy in the state. Prop. 24 would also create a regulatory agency to manage data privacy in the state, something that currently doesn't exist. California Secretary of State Alex Padilla previously announced the CPRA had enough signatures to qualify for the ballot in June, so its inclusion shouldn't be a huge surprise.
Privacy advocacy groups like the Electronic Frontier Foundation called elements of Prop. 24 "a partial step forward" and "half-steps" last month. The movement got some added momentum earlier this week, however, when Andrew Yang, the former tech entrepreneur turned presidential candidate, joined Prop. 24's advisory board.