In brief

On October 8, 2023, California Governor Gavin Newsom signed two bills into law amending the California Consumer Privacy Act (CCPA). AB 947 classifies citizenship and immigration status as “sensitive personal information” subject to special protections under the CCPA, while AB 1194 strengthens reproductive privacy rights. Both bills carried the unanimous endorsement of the California Privacy Protection Agency. Each bill is described below, followed by actionable guidance businesses can follow to prepare now, before these laws go into effect on January 1, 2024.

AB 947 – California Consumer Privacy Act of 2018: Sensitive Personal Information Definition Expands.

AB 947 expands the definition of “sensitive personal information” to include “citizenship” and “immigration status.” Existing categories of sensitive personal information under the CCPA include “religious beliefs” and “racial or ethnic origin.” Adding citizenship and immigration status goes beyond the EU’s General Data Protection Regulation, which does not include such categories within its definition of sensitive personal data, but follows a trend in the United States: both citizenship and immigration status are already categories of sensitive data under the operative omnibus privacy laws in Connecticut and Virginia.

In California, citizenship and immigration status will now be categories of personal information that receive additional protections under the CCPA. Since January 1, 2023, businesses have had to disclose their use of sensitive personal information and offer Californians opt-out rights concerning the use of their sensitive personal information, unless they keep such use within one or more of the broad exceptions recognized by the CCPA.

Businesses remain free to use sensitive personal information without inferring characteristics about a consumer, which should cover most legitimate use cases for citizenship and immigration status. Businesses that do infer characteristics based on the citizenship or immigration status of a California resident would have to carefully analyze restrictions, compliance requirements, and risks under existing civil rights and anti-discrimination laws.

Businesses were also already allowed under the CCPA to use sensitive personal information as necessary to comply with applicable law (e.g., to confirm the right to work or to process visa applications), to perform “services or provide the goods reasonably expected by an average consumer who requests those goods or services,” for certain services specifically recognized under the CCPA’s business purpose definition, and as authorized by regulations. Where businesses process the contents of a consumer’s mail, email or text messages, the information does not qualify as “sensitive personal information” if the business is the intended recipient of the communication. Publicly available information does not qualify as “personal information” or “sensitive personal information” under the CCPA at all, and the California Privacy Rights Act (CPRA) significantly broadened the definition of “publicly available.”

Given the expanded definition, businesses need to revisit whether they can remain within the confines of the CCPA’s exemptions with respect to the use of sensitive personal information, which most businesses should be able to do. If they cannot, they have to offer opt-out rights and refrain from discrimination, as they do with “selling” and “sharing” of personal information. They have to post a link on every web and mobile page, “Limit the Use of My Sensitive Personal Information,” or a combined link, “Do Not Sell or Share My Personal Information. Limit the Use of My Sensitive Personal Information.” In lieu of separate or combined links that specify opt-out rights regarding selling, sharing, and the use and disclosure of sensitive personal information, businesses should also be able to post an “Alternative Opt-out Link” according to §7015 of the CCPA regulations, entitled “Your Privacy Choices” or “Your California Privacy Choices.” The CCPA regulations are final, even though a California Superior Court enjoined their enforcement until March 29, 2024 in California Chamber of Commerce v. California Privacy Protection Agency (June 30, 2023) 34-2023-80004106-CU-WM-GDS (J. Arguelles order).

Most companies should be able to avoid having to grant specific opt-out rights by proactively limiting their use of data that falls under the definition of “sensitive personal information.” Businesses that do post the required opt-out links will therefore stand out more and may face risks similar to those that trigger opt-out requirements for “selling” or “sharing.” On the other hand, some companies may conclude that a combined link text (“Do Not Sell or Share My Personal Information. Limit the Use of My Sensitive Personal Information.”) or an Alternative Opt-out Link raises fewer red flags than the shorter link “Do Not Sell My Personal Information” previously required by the CCPA. Consumers may react more positively to the terms “share,” “limit the use of,” and “choices” than to “sell.” Also, the sheer length of the text on a combined link may detract from its warning function: consumers may perceive a combined link or an Alternative Opt-out Link more as a thoughtful privacy-by-design measure than as a warning that they are dealing with a business that will sell their personal information unless they affirmatively opt out. Nevertheless, it is not advisable to offer opt-out rights “just in case,” because businesses will then have to process and report opt-out requests and answer questions about their use of sensitive personal information on request from data subjects and authorities.

AB 1194 – California Privacy Rights Act of 2020: Exemptions: Abortion Services.

AB 1194 carves reproductive health data out of the CCPA exemptions that currently allow businesses to cooperate with law enforcement and government agencies by providing personal information requested pursuant to official investigations. These exemptions will no longer apply to personal information related to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.” This does not limit the duty of businesses to preserve or retain evidence in an ongoing civil proceeding or when required by law. The amendments also provide that consumers who seek reproductive healthcare are not to be deemed “at risk or danger of death or serious physical injury” for purposes of the provision permitting businesses to comply with “emergency access requests” for personal information from government agencies.

These amendments to the CCPA were prompted by heightened concerns regarding government access to the records of individuals seeking reproductive healthcare following the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization (2022). The California Privacy Protection Agency noted that “this bill is in alignment with California’s commitment to strengthen reproductive privacy protections.” In 2022, the California legislature had already reacted with a number of measures, including amendments to the California Penal Code under which companies in California are prohibited from providing records, information, or assistance under a warrant, subpoena, or other legal process issued by another state that relates to an investigation into, or enforcement of, laws creating liability for an abortion that is lawful under California law. Healthcare providers, insurance companies and other businesses are likewise prohibited from disclosing information based on another state’s laws that interfere with a person’s right to choose or obtain an abortion. See Cal. Penal Code §§ 629.51, 629.52, 638.50, 638.52, 1269b, 1524, 1524.2, 1546.5, 1551, 3408, 13778.2; Cal. Civ. Code § 56.108; Cal. Civ. Proc. Code §§ 2029.200, 2029.300, 2029.350; Cal. Health & Safety Code § 123466; Cal. Ins. Code § 791.29.

Takeaways

Although these amendments are not effective until January 1, 2024, businesses should act now to refresh their data maps and data classifications to identify where they may collect personal information related to citizenship, immigration status and reproductive health. Businesses that collect reproductive health data, or other information such as location data that could imply reproductive health information, should also update their processes for responding to requests from law enforcement or government agencies to reflect the new law. More broadly, companies should confirm that they comply with the CCPA requirements that the CPRA added and that became effective on January 1, 2023.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Helena practices international commercial law with a focus on assisting and advising technology companies with cross-border transactions, drafting and negotiating commercial agreements, and advising on global data privacy law compliance. Helena also advises software developers, e-commerce companies, and global mobile and web gaming developers on regulatory restrictions, intellectual property, contracting and data privacy.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Garrett is an associate in Baker McKenzie's North America Intellectual Property Group and is based in our San Francisco office. His practice focuses on helping clients build effective information governance programs, comply with privacy laws and regulations, and respond to cybersecurity incidents.