California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
Data privacy is proving to be an ongoing concern for lawmakers, even in states that already have comprehensive privacy laws. This is the case in California, where Governor Newsom recently signed into law two amendments to the California Consumer Privacy Act (CCPA).
The amendments are relatively minor—adding additional protections for personal information related to reproductive healthcare as well as citizenship and immigration status— but they could still affect some CCPA-compliant businesses.
These changes will go into effect on January 1, 2024.
California Assembly Bill 947 makes a straightforward change to the CCPA: It adds “citizenship or immigration status” to the definition of “sensitive personal information.” Here is the full updated list of categories of data that are considered sensitive personal information under the CCPA:
Unlike other state privacy laws, the CCPA does not require prior opt-in consent to process sensitive personal information. It does, however, give consumers the right to limit the use and disclosure of that information.
The right to limit generally applies where a business uses sensitive personal information for purposes beyond what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. Businesses that process consumers’ citizenship or immigration status should evaluate whether they need to offer a way to limit the use and disclosure of this data.
Somewhat less straightforward is the amendment related to reproductive health data.
Section 1798.145(a) of the CCPA states (among other things) that the law does not restrict a business’s ability to:
The amendments in California Assembly Bill 1194 affect these exemptions in two ways:
The intent here is clear. Lawmakers are concerned that authorities in states with anti-abortion laws could gain access to personal information collected in states such as California that allow abortion and use it as evidence in criminal or civil proceedings. Of course, protected health information under HIPAA is already exempted from the CCPA, but non-protected personal information such as geolocation data may still reveal that someone sought access to such services.
The amendments definitely do provide extra protection for this type of personal information, especially with regard to emergency access requests and hold requests from law enforcement to prevent deletion of data. However, the real-world effects of this are unclear for a couple of reasons.
First, it potentially puts businesses in a position of having to choose which laws to comply with. For example, if a business receives a subpoena for information that reveals a person’s access to abortion services and the person subsequently requests deletion of that data, then complying with one law will likely mean violating another.
Second, the CCPA only protects the personal information of California residents. If the situation that lawmakers are trying to address is when someone travels to California for the specific purpose of having an abortion, that person is not likely to be considered a California resident. They are therefore not a “consumer” under the CCPA, and the law does not apply to them.
There are also outstanding legal questions as to the jurisdiction of states to punish anyone for an abortion performed in another state, further complicating the issue.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.