Today's Law As Amended

Bill PDF |Add To My Favorites | Version:

AB-713 California Consumer Privacy Act of 2018.(2019-2020)

Text

Votes

History

Bill Analysis

Today's Law As Amended

Compare Versions

Status

Comments To Author

Add To My Favorites

As Amends the Law Today

As Amends the Law on Sep 29, 2020

SECTION 1.
Section 1798.130 of the Civil Code is amended to read:

1798.130.

~~Notice, Disclosure, Correction, and Deletion Requirements~~

(a) In order to comply with Sections 1798.100, 1798.105, ~~1798.106,~~ 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1) (A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, ~~or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively,~~ including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and ~~1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.~~ 1798.115.

(B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and ~~1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.~~ 1798.115.

(2) ~~(A)~~ Disclose and deliver the required information to a consumer free of ~~charge, correct inaccurate personal information, or delete a consumer’s personal information, based on the consumer’s request,~~ charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the ~~business’s~~ business’ duty to disclose and deliver the ~~information, to correct inaccurate personal information, or to delete personal~~ information within 45 days of receipt of the consumer’s request. The time period to provide the required ~~information, to correct inaccurate personal information, or to delete personal~~ information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure ~~of the required information~~ shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer ~~request provided that if the consumer, has~~ request. If the consumer maintains an account with the business, the business may require the consumer to ~~use that account to submit a verifiable consumer request.~~ submit the request through that account.

(B) The disclosure of the required information shall cover the 12-month period preceding the business’ receipt of the verifiable consumer request provided that, upon the adoption of a regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer’s right to request required information beyond the 12-month period, and a business’s obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to keep personal information for any length of time.

(3) (A) A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer’s authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business’ response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer’s personal information in the service provider or contractor’s possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100, taking into account the nature of the processing.

~~(B)~~ (3) For purposes of subdivision (b) of Section 1798.110:

~~(i)~~ (A) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

~~(ii)~~ (B) Identify by category or categories the personal information collected about the consumer ~~for the applicable period of time~~ in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected; the categories of sources from which the consumer’s personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer’s personal information; and the categories of third parties to whom the business discloses the consumer’s personal information. collected.

(iii) Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer’s request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. Personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer’s personal information from one business to another in the context of switching services.

(4) For purposes of subdivision (b) of Section 1798.115:

(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(B) Identify by category or categories the personal information of the consumer that the business sold ~~or shared during the applicable period of time~~ in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold ~~or shared during the applicable period of time~~ in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information ~~sold or shared.~~ sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose ~~during the applicable period of time~~ in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of ~~persons~~ third parties to whom the consumer’s personal information was disclosed for a business purpose ~~during the applicable period of time~~ in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet ~~website,~~ website and update that information at least once every 12 months:

(A) A description of a consumer’s rights pursuant to Sections 1798.100, 1798.105, ~~1798.106,~~ 1798.110, 1798.115, and 1798.125 and ~~two~~ one or more designated methods for submitting ~~requests, except as provided in subparagraph (A) of paragraph (1) of subdivision (a).~~ requests.

~~(B) For purposes of subdivision (c) of Section 1798.110:~~

~~(i)~~ (B) A For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

~~(ii) The categories of sources from which consumers’ personal information is collected.~~

~~(iii) The business or commercial purpose for collecting, selling, or sharing consumers’ personal information.~~

~~(iv) The categories of third parties to whom the business discloses consumers’ personal information.~~

(i) A list of the categories of personal information it has sold ~~or shared~~ about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information ~~sold~~ sold, or ~~shared, or~~ if the business has not sold ~~or shared~~ consumers’ personal information in the preceding 12 months, the business shall ~~prominently~~ disclose that ~~fact in its privacy policy.~~ fact.

(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely ~~describes~~ describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(D) In the case of a business that sells or discloses deidentified patient information not subject to this title pursuant to clause (i) of subparagraph (A) of paragraph (4) of subdivision (a) of Section 1798.146, whether the business sells or discloses deidentified patient information derived from patient information and if so, whether that patient information was deidentified pursuant to one or more of the following:

(i) The deidentification methodology described in Section 164.514(b)(1) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA expert determination method.

(ii) The deidentification methodology described in Section 164.514(b)(2) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA safe harbor method.

(6) Ensure that all individuals responsible for handling consumer inquiries about the business’ privacy practices or the business’ compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, ~~1798.106,~~ 1798.110, 1798.115, and 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

(7) Use any personal information collected from the consumer in connection with the business’ verification of the consumer’s request solely for the purposes of ~~verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.~~ verification.

(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

(c) The categories of personal information required to be disclosed pursuant to Sections ~~1798.100, 1798.110,~~ 1798.110 and 1798.115 shall follow the ~~definitions~~ definition of personal information and sensitive personal information in Section 1798.140 by describing the categories of personal information using the specific terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section 1798.140 and by describing the categories of sensitive personal information using the specific terms set forth in paragraphs (1) to (9), inclusive, of subdivision (ae) of Section in Section 1798.140.

SEC. 2.
Section 1798.146 is added to the Civil Code, to read:

1798.146.
(a) This title shall not apply to any of the following:
(1) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).
(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).
(4) (A) Information that meets both of the following conditions:
(i) It is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations.
(ii) It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
(B) Information that met the requirements of subparagraph (A) but is subsequently reidentified shall no longer be eligible for the exemption in this paragraph, and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, and this title.
(5) Information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.
(b) For purposes of this section, all of the following shall apply:
(1) “Business associate” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
(2) “Covered entity” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
(3) “Identifiable private information” has the same meaning as defined in Section 46.102 of Title 45 of the Code of Federal Regulations.
(4) “Individually identifiable health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
(5) “Medical information” has the same meaning as defined in Section 56.05.
(6) “Patient information” shall mean identifiable private information, protected health information, individually identifiable health information, or medical information.
(7) “Protected health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
(8) “Provider of health care” has the same meaning as defined in Section 56.05.

SEC. 3.
Section 1798.148 is added to the Civil Code, to read:

1798.148.
(a) A business or other person shall not reidentify, or attempt to reidentify, information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, except for one or more of the following purposes:
(1) Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this paragraph, “treatment,” “payment,” “health care operations,” “covered entity,” and “business associate” have the same meaning as defined in Section 164.501 of Title 45 of the Code of Federal Regulations.
(2) Public health activities or purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations.
(3) Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
(4) Pursuant to a contract where the lawful holder of the deidentified information that met the requirements of paragraph (4) of subdivision (a) of Section 1798.146 expressly engages a person or entity to attempt to reidentify the deidentified information in order to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract.
(5) If otherwise required by law.
(b) In accordance with paragraph (4) of subdivision (a) of Section 1798.146, information reidentified pursuant this section shall be subject to applicable federal and state data privacy and security laws including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, and this title.
(c) Beginning January 1, 2021, any contract for the sale or license of deidentified information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, where one of the parties is a person residing or doing business in the state, shall include the following, or substantially similar, provisions:
(1) A statement that the deidentified information being sold or licensed includes deidentified patient information.
(2) A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to this section.
(3) A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.
(d) For purposes of this section, “reidentify” means the process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

SEC. 4.
This act is an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the California Constitution and shall go into immediate effect. The facts constituting the necessity are:
The California Consumer Privacy Act of 2018 became operative on January 1, 2020, and will negatively impact certain health-related information and research. The provisions of this act would mitigate that harm as soon as possible by preserving access to information needed to conduct important health-related research that will benefit Californians.