Data privacy is proving to be an ongoing concern for lawmakers, even in states that already have comprehensive privacy laws. This is the case in California, where Governor Newsom recently signed into law two amendments to the California Consumer Privacy Act (CCPA).

The amendments are relatively minor—adding additional protections for personal information related to reproductive healthcare as well as citizenship and immigration status— but they could still affect some CCPA-compliant businesses.

These changes will go into effect on January 1, 2024.

Citizenship and Immigration Status

California Assembly Bill 947 makes a straightforward change to the CCPA: It adds “citizenship or immigration status” to the definition of “sensitive personal information.” Here is the full updated list of categories of data that are considered sensitive personal information under the CCPA:

• Social security, driver’s license, state identification card, or passport number
• Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• Precise geolocation
• Racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
• Contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication
• Genetic data
• The processing of biometric information for the purpose of uniquely identifying a consumer
• Personal information collected and analyzed concerning a consumer’s health
• Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation

Unlike other state privacy laws, the CCPA does not require prior opt-in consent to process sensitive personal information. It does, however, give consumers the right to limit the use and disclosure of that information.

The right to limit generally applies where a business uses sensitive personal information for purposes beyond what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. Businesses that process consumers’ citizenship or immigration status should evaluate whether they need to offer a way to limit the use and disclosure of this data.

Reproductive Health Data

Somewhat less straightforward is the amendment related to reproductive health data.

Section 1798.145(a) of the CCPA states (among other things) that the law does not restrict a business’s ability to:

• Comply with federal, state, or local laws or comply with a court order or subpoena to provide information
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. This includes temporarily retaining data as directed by law enforcement authorities while they seek a court order
• Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law
• Cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury

The amendments in California Assembly Bill 1194 affect these exemptions in two ways:

1. Clarifying that a consumer accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including abortion services, is not a “natural person being at risk or danger of death or serious physical injury.” Thus, the provision related to emergency access to personal information does not apply in the context of procuring an abortion
2. Stating that none of the exemptions of 1798.145(a) apply if the consumer’s personal information contains information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including abortion services.

The intent here is clear. Lawmakers are concerned that authorities in states with anti-abortion laws could gain access to personal information collected in states such as California that allow abortion and use it as evidence in criminal or civil proceedings. Of course, protected health information under HIPAA is already exempted from the CCPA, but non-protected personal information such as geolocation data may still reveal that someone sought access to such services.

The amendments definitely do provide extra protection for this type of personal information, especially with regard to emergency access requests and hold requests from law enforcement to prevent deletion of data. However, the real-world effects of this are unclear for a couple of reasons.

First, it potentially puts businesses in a position of having to choose which laws to comply with. For example, if a business receives a subpoena for information that reveals a person’s access to abortion services and the person subsequently requests deletion of that data, then complying with one law will likely mean violating another.

Second, the CCPA only protects the personal information of California residents. If the situation that lawmakers are trying to address is when someone travels to California for the specific purpose of having an abortion, that person is not likely to be considered a California resident. They are therefore not a “consumer” under the CCPA, and the law does not apply to them.

There are also outstanding legal questions as to the jurisdiction of states to punish anyone for an abortion performed in another state, further complicating the issue.

‍