United States: California strengthens privacy protections for specific data types concerning citizenship and reproductive healthcare

In brief

On October 8, 2023, California Governor Gavin Newsom signed two bills into law amending the California Consumer Privacy Act (CCPA). AB 947 classifies citizenship and immigration status as "sensitive personal information" subject to special protections under the CCPA, while AB 1194 strengthens reproductive privacy rights. Both bills carried the unanimous endorsement of the California Privacy Protection Agency. Details of each bill are described below, followed by actionable steps businesses can take to prepare now, before these laws go into effect on January 1, 2024.



AB 947 - California Consumer Privacy Act of 2018: Sensitive Personal Information Definition Expands.

AB 947 expands the definition of "sensitive personal information" to include "citizenship" and "immigration status." Current categories of sensitive personal information under the CCPA include "religious beliefs" and "racial or ethnic origin." This change to include citizenship and immigration status goes beyond the EU's General Data Protection Regulation, which does not include such categories within its definition of sensitive personal data, but follows a trend in the United States. For example, both citizenship and immigration status are categories of sensitive data under the already operative omnibus privacy laws in Connecticut and Virginia.

In California, citizenship and immigration status will now be included as categories of personal information that receive additional protections under the CCPA. Since January 1, 2023, businesses have had to disclose their use of sensitive personal information and offer Californians opt-out rights concerning the use of their sensitive personal information, unless they keep such use within one or more of the broad exceptions recognized by the CCPA. Businesses remain free to use sensitive personal information without inferring characteristics, which should cover most legitimate use cases for citizenship and immigration status. Businesses that do infer characteristics based on citizenship and immigration status of a California resident would have to carefully analyze restrictions, compliance requirements, and risks under existing civil rights and anti-discrimination laws. Also, businesses were already allowed under the CCPA to use sensitive personal information as necessary to comply with applicable law (e.g., to confirm rights to work or process visa applications) and perform "services or provide the goods reasonably expected by an average consumer who requests those goods or services," certain services that are specifically recognized under the CCPA's business purpose definition, and as authorized by regulations. Where businesses process the contents of a consumer's mail, email or text messages, the information does not qualify as "sensitive personal information" if the business is the intended recipient of the communication. Also, publicly available information does not qualify as "personal information" or "sensitive personal information" under the CCPA and the California Privacy Rights Act (CPRA) significantly broadened the definition of "publicly available."

Given the expanded definition, businesses need to revisit their determination of whether they can remain within the confines of exemptions under the CCPA with respect to the use of sensitive personal information, which most businesses should be able to do. If they cannot, they have to offer opt-out rights and refrain from discrimination, as they do with "selling" and "sharing" of personal information. They have to post a link on every web and mobile page, "Limit the Use of My Sensitive Personal Information," or a combined link, "Do Not Sell or Share My Personal Information. Limit the Use of My Sensitive Personal Information." In lieu of placing separate or combined links that specify opt-out rights regarding selling, sharing, and use and disclosure of sensitive personal information, businesses should also be able to post an "Alternative Opt-out Link" according to §7015 of the CCPA regulations, entitled "Your Privacy Choices," or, "Your California Privacy Choices." The CCPA regulations are final, even though a California Superior Court enjoined their enforcement until March 29, 2024 in California Chamber Of Commerce vs. California Privacy Protection Agency (June 30, 2023) 34-2023-80004106-CU-WM-GDS (J. Arguelles order). Most companies should be able to avoid having to grant specific opt-out rights by proactively limiting the use of data that falls under the definition of "sensitive personal information." Therefore, businesses that post the required opt-out links will stand out more and may be subject to risks similar to those that trigger opt-out requirements for "selling" or "sharing." On the other hand, some companies may conclude that a combined link text ("Do Not Sell or Share My Personal Information. Limit the Use of My Sensitive Personal Information.") or an Alternative Opt-out Link may raise fewer red flags than the shorter link "Do Not Sell My Personal Information" previously required by the CCPA. Consumers may have more positive reactions to the terms "share," "limit the use of," and "choices" than to "sell." Also, the sheer length of text on a combined link may detract from its warning function. Consumers may perceive a combined link or an Alternative Opt-out Link more as a thoughtful privacy-by-design measure than a warning that they are dealing with a business that will sell their personal information if they do not affirmatively opt out. Nevertheless, it is not advisable to offer opt-out rights "just in case," because businesses will have to process and report opt-out requests and answer questions on the use of sensitive personal information on request from data subjects and authorities.

AB 1194 - California Privacy Rights Act of 2020: Exemptions: Abortion Services.

AB 1194 carves out reproductive health data from the CCPA's exemptions that currently allow businesses to cooperate with law enforcement and government agencies by providing personal information that is requested pursuant to official investigations. These exemptions will no longer apply to personal information related to "accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services." This does not limit the duty of businesses to preserve or retain evidence in an ongoing civil proceeding or when required by law. The amendments also provide that consumers who seek reproductive healthcare are not to be deemed "at risk or danger of death or serious physical injury" for purposes of a provision permitting businesses to comply with "emergency access requests" to personal information by government agencies.

These amendments to the CCPA were prompted by heightened concerns regarding government access to records of individuals seeking reproductive healthcare following the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization (2022). The California Privacy Protection Agency noted that "this bill is in alignment with California's commitment to strengthen reproductive privacy protections." In 2022, the California legislature had already reacted with a number of measures, including amendments to the California Penal Code under which companies in California are prohibited from providing records, information, or assistance under a warrant, subpoena, or other legal process issued by another state that relates to an investigation into, or enforcement of, laws creating liability for an abortion that is lawful under California law. Also, healthcare providers, insurance companies and other businesses are prohibited from disclosing information based on another state's laws that interfere with a person's right to choose or obtain an abortion. See Cal. Penal Code §§ 629.51, 629.52, 638.50, 638.52, 1269b, 1524, 1524.2, 1551, 1546.5, 13778.2; Cal. Civ. Code § 56.108; Cal. Civ. Proc. Code §§ 2029.200, 2029.300, 2029.350; Cal. Health & Safety Code § 123466; Cal. Ins. Code § 791.29; Cal. Penal Code § 3408.

Takeaways

Although these amendments are not effective until January 1, 2024, businesses should act now to refresh their data maps and data classifications to identify where they may collect personal information related to citizenship, immigration status and reproductive health. Businesses that collect reproductive health data or other information, including location data, that could imply reproductive health information should also update any processes for complying with requests from law enforcement or government agencies to reflect the new law. More broadly, companies should confirm they are in compliance with the CCPA requirements that were added by the CPRA and became effective on January 1, 2023.

Contact Information
Justine Phillips
Partner at BakerMcKenzie
Los Angeles
justine.phillips@bakermckenzie.com
Helena Engfeldt
Partner at BakerMcKenzie
San Francisco
helena.engfeldt@bakermckenzie.com
Garrett Stallins
Associate at BakerMcKenzie
San Francisco
garrett.stallins@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved.