Tech Bills Would Refine CCPA, Examine Identity Verification

Three proposed pieces of technology legislation have so far survived an action-packed legislative session. Two would refine aspects of the California Consumer Privacy Act, while a third looks at the electronic verification of identity.

This story is limited to Techwire Insider members.
This story is limited to Techwire Insider members. Login below to read this story or learn about membership.
Several pieces of technology legislation have so far survived a punishing spring, as the novel coronavirus (COVID-19) pandemic delivered a projected $54.3 billion budget shortfall and truncated the legislative session, forcing lawmakers to focus on the proposed state budget even more than usual.

These include two proposed laws that would tweak the landmark California Consumer Privacy Act (CCPA), which took effect Jan. 1, and one that focuses on the verification of electronic identity. Among the takeaways:

Senate Bill 980, from state Sen. Tom Umberg, D-Santa Ana, would fine-tune the CCPA by creating the “Genetic Information Privacy Act,” which would prohibit “a direct-to-consumer genetic or illness testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.” It would also impose civil penalties for violations and require that “actions for relief pursuant” be prosecuted by a district attorney, county counsel, city attorney, or city prosecutor. An analysis by the California state Senate Appropriations Committee found “(un)known, potentially significant workload cost pressures to the courts” to hear alleged violations of the Genetic Information Privacy Act, adding that while superior courts aren’t funded “on a workload basis,” an increase could result in delayed services and impact the General Fund. Appropriations placed SB 980 in “suspense,” in acknowledgement of its financial impact if passed, and will consider it again Thursday.

Assembly Bill 713 from Assemblymember Kevin Mullin, D-San Mateo, would exempt from the CCPA information that has been deidentified per federal law, or derived from “medical information, protected health information, individually identifiable health information, or identifiable private information,” also consistent with federal policy. The bill would also except information collected or used in research, or disclosed in research; and information used and disclosed “only for public health activities and purposes.” The bill would generally bar a business or person “from reidentifying information that was deidentified” and,  starting Jan. 1, would require a contract for the sale or license of deidentified information to include a provision against its reidentification. As an urgency statute, it would take effect immediately if approved by the Legislature and signed by Gov. Gavin Newsom. Increased use of “health information technologies increases the potential for studies that aggregate data sets from multiple sources," Mullin's office said in a fact sheet on the bill, indicating it would “harmonize” the CCPA’s definition of deidentified data with the long-used standard in the Health Insurance Portability and Accountability Act (HIPAA), and avoid possible “widespread disruption to healthcare and biomedical research.” It has been sent to the state Senate Judiciary Committee, where it may be heard after the July 2-13 summer recess.

A.B. 2376, from Assemblymember Heath Flora, R-Ripon, would strengthen the electronic verification of identity by a department such as a state or local registrar or county recorder by deleting the Jan. 1 sunset data. This would enable the departments to continue supplying certified copies of birth, death, marriage or military service records to people who submit written, faxed or digitized image requests with a notarized statement. Current law lets an official accept “an electronic acknowledgment” by verifying an applicant’s identity with “a multilayered, remote identity proofing process” for electronic requests. This would let that continue indefinitely.

The bill has cleared the Assembly and is awaiting referral in the Senate. Shea Logan, Flora’s legislative director, told Techwire via email: “COVID-19 has certainly reduced the number of bills this year but we believe that AB 2376 has a strong chance of survival given the fact that it allows for and promotes remote access to vital records. In fact, even more counties are utilizing this because of COVID-19.”

A.B. 2301 from Assemblymember Marc Levine, D-San Rafael, would have revised the definition of personal information in current law to include genetic information – a resident’s or family’s genetic tests or “manifestation of disease or disorder in family members,” effectively securing it against a breach or hack. But due to the pandemic, Levine decided to defer further action on the bill until next year, a representative of his office told Techwire, noting the Assembly speaker asked all members to reduce the number of bills considered this year.

Theo Douglas is Assistant Managing Editor of Techwire.