Four bills of interest dealing with privacy issues were enacted during the 2020 Legislative Session: AB 1281 by Assemblyman Ed Chau (D-Arcadia), which extends two exemptions in the California Consumer Privacy Act (CCPA); AB 499 by Assemblyman Chad Mayes (I-Yucca Valley), which prohibits state agencies from including an individual’s full social security number on mailed documents; SB 342 by Sen. Bob Hertzberg (D-Van Nuys), which makes it unlawful to engage in misleading advertising concerning domain and subdomain names; and AB 713 by Assemblyman Kevin Mullin (D-South San Francisco), which clarifies that federal health information is exempt from the California Consumer Privacy Act.
AB 499 (Mayes)
AB 499 was signed into law by Governor Newsom on September 25 as Chapter 155. The bill amends Government Code Section 11019.7. It prohibits a state agency from sending any outgoing United States mail that contains an individual’s social security number unless the number is truncated to its last 4 digits or in specified circumstances.
The bill requires each state agency that mails an individual’s full or truncated part of a social security number to that individual to report to the Legislature, on or before September 1, 2021, regarding when and why it does so. The bill requires a state agency that, in its own estimation, is unable to comply with the restrictions on mailing social security numbers that have not been truncated to submit an annual corrective action plan to the Legislature until it is in compliance with the law. The bill makes the reports, action plans, and related correspondence confidential and prohibits their public disclosure.
AB 713 (Mullin)
AB 713 was signed into law by Governor Newsom on September 25 as Chapter 172. The bill amends Civil Code Section 1798.130 and adds Sections 1798.146 and 1798.148 to the Civil Code. It took effect immediately as an urgency statute when it was signed by the Governor. This bill excepts from the CCPA information that was deidentified in accordance with specified federal law, or was derived from medical information, protected health information, individually identifiable health information, or identifiable private information, consistent with specified federal policy.
The bill also excepts from the CCPA a business associate of a covered entity that is governed by federal privacy, security, and data breach notification rules if the business associate maintains, uses, and discloses patient information in accordance with specified requirements. The bill further excepts information that is collected for, used in, or disclosed in research.
This bill additionally prohibits a business or other person from reidentifying information that was deidentified, unless a specified exception is met. The bill requires, beginning January 1, 2021, a contract for the sale or license of deidentified information to include specified provisions relating to the prohibition of reidentification.
This bill requires a business that sells or discloses information that was deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business sells or discloses deidentified patient information derived from patient information and, if so, whether that information was deidentified pursuant to specified methods.
AB 1281 (Chau)
AB 1281 was signed into law by Governor Newsom on September 29 as Chapter 268. The bill amends Section 1798.145 of the Civil Code to extend two existing exemptions by one year, to January 1, 2022. The first exempts from the CCPA certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor.
The second exempts personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.
SB 342 (Hertzberg)
SB 342 was signed into law by Governor Newsom on September 25 as Chapter 162. The bill amends Business and Professions Code Sections 17525 and 17526. It makes it unlawful for a person, with bad faith intent, to register, traffic in, or use a domain name or subdomain name that is identical or confusingly similar to either the personal name of another living person or deceased personality without regard to goods or services or the name of a specified entity for the purpose of selling or reselling goods, as defined.
Section 1 of the bill, which amends Section 17525, makes it unlawful for a person to use a domain or subdomain name that is identical or confusingly similar to personal names of those of sports teams, parks, entertainment venues, or specific events, etc. The bill creates a private right of action for violation of these provisions and provides that a remedy obtained for a violation of these provisions is cumulative with other available remedies.
Section 2 of the bill, which amends Section 17526, allows consideration of the intent of a person alleged to violate the law, including diverting consumers from the online location of an entity to a site accessible under the domain name that could harm the goodwill represented by that entity’s name either for commercial gain or with the intent to tarnish or disparage the entity by creating a likelihood of confusion as to the source, sponsorship, affiliation, or endorsement of the site.