Last week, the California legislature passed two bills that would amend the California Consumer Privacy Act (CCPA): AB-1281 and AB-713. Both bills passed both houses of the legislature without opposition but still need to be approved by California Governor Gavin Newsom. As discussed in more detail below, AB-1281 extends the employment and business-to-business exemptions to the CCPA for an additional year, until January 1, 2022. AB-713 creates new exemptions for deidentified health information otherwise subject to regulation under the Health Information Portability and Accountability Act (HIPAA). A redline version of CCPA text showing the impact of the amendments can be found here.
- AB-1281 Extends the Employment and Business-to-Business Exemptions for an Additional Year. On August 30, 2020, the legislature passed Assembly Bill 1281, modifying section 1798.145 of the CCPA. In the event that the California Consumer Privacy Rights Act (CPRA) does not get voted into law on the November 2020 ballot, AB-1281 will extend the sunset provisions for the CCPA's exemptions for employment and business-to-business related information from January 1, 2021 to January 1, 2022. This means that if the CPRA does not come into law on January 1, 2021, the existing employment and business-to-business exemptions under the CCPA will continue through 2021.
- AB-713 Creates Exemptions for Deidentified Health Information. On September 1, 2020, the legislature passed Assembly Bill 713, amending section 1798.130 and adding sections 1798.146 and 1798.148 to the CCPA. The bill was declared urgent and is to take immediate effect once signed by the Governor. AB-713 exempts certain health information from the CCPA, namely, information that is deidentified under HIPAA and information used for research under HIPAA. Even though deidentified health information is generally exempted from the CCPA, businesses still must disclose whether they sell or disclose that health information and, if so, what methodology they use to deidentify the information.
The bill also would require businesses that sell or license deidentified health information to include certain statements within their contracts, including a statement that the purchaser or licensee both will not try to reidentify the information and will not further disclose the deidentified health information to a third party unless that third party is also so contractually bound.