Two bills have been signed by California Governor Gavin Newsom that impact the California Consumer Privacy Act (CCPA). The bills have added new exceptions to the right to opt-out of the sale of personal information and the definition of personal information in the California Civil Code has now been updated.
The CCPA was passed in 2018 and gave California residents new rights over the personal information held by certain businesses. One of those rights – the right to opt-out – allows residents to instruct a business not to sell their personal information to third parties. The California Privacy Rights Act (CPRA), which was passed in 2020, authorized the California legislature to amend the CCPA.
New Exemption Added to CCPA Right to Opt-Out
Assembly Bill (AB) 335 was passed by the legislature and has now been signed into law. The bill adds a new exemption to the right to opt-out of the CCPA. The new exemption applies to “vessel information” and “ownership information” retained or shared between a vessel dealer and the vessel’s manufacturer, when the information is shared for effectuating or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall.
Vessel information refers to the hull identification number, model, year, month, and year of production, and information describing all attached parts and accessories such as inboard engines, outboard engines, and inflatable personal flotation devices. “Ownership information” refers to the name(s) of registered owner(s) and the contact information for the owner(s).
Genetic Information Added to Definition of Personal Information
Assembly Bill (AB) 825 has updated the definition of personal information in the California Civil Code to include genetic data. Genetic data includes any data that results from the analysis of a biological sample of an individual, and any data obtained from a different source that would allow equivalent information to be obtained, and concerns genetic material.
Genetic material is a broad term covering DNA, RNA, chromosomes, genes, alleles, genomes, alterations or modifications to DNA or RNA, SNPs, and uninterpreted data obtained from an analysis of a biological sample from another source, and any information that can be extrapolated, derived or inferred therefrom.
Genetic Information Privacy Act Signed into Law
Governor Newsom also recently signed the Genetic Information Privacy Act (GIPA) into law. GIPA covers genetic testing companies, which are defined as companies that sell, market, interpret, or offer direct-to-consumer genetic testing products or services, and companies that analyze, collect, or maintain genetic data. GIPA requires companies to have transparent data collection practices, inform individuals in easy-to-understand language about how their genetic data will be used, and obtain express consent from individuals prior to using or disclosing their genetic data. GIPA also requires the companies to implement security measures to protect genetic data from unauthorized use.
GIPA gives individuals the right to revoke their consent at any time. If consent is revoked, biological samples and data must be destroyed within 30 days. GIPA will take effect on January 1, 2022, after which civil penalties can be imposed for noncompliance.
California is now one of several states to have introduced privacy legislation covering genetic data collected, analyzed, or stored by private companies, which are exempt from federal laws such as HIPAA. The laws specifically target the increasing number of companies that offer direct-to-consumer genetic tests, such as Ancestry and 23andMe.