Amended
IN
Senate
June 11, 2020 |
Amended
IN
Senate
January 23, 2020 |
Amended
IN
Senate
January 06, 2020 |
Amended
IN
Assembly
March 28, 2019 |
Introduced by Assembly Member Mullin |
February 19, 2019 |
This bill would additionally except personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy laws of an identified federal policy, specified clinical practice guidelines, or human subject protection requirements of the United States Food and Drug Administration (FDA). The bill would further except personal information of certain types that is collected for, or used in, research, as
defined, and, as specified, personal information collected by a business for purposes of product registration and tracking regulated by the FDA, specified public health activities, or quality, safety, or effectiveness compliance regulated by the FDA. The bill would define terms for these purposes.
This
(a)The obligations imposed on businesses by this title shall not restrict a business’ ability to:
(1)Comply with federal, state, or local laws.
(2)Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3)Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4)Exercise
or defend legal claims.
(5)Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6)Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting
that personal information when the consumer and stored personal information is outside of California.
(b)The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c)(1)This title shall not apply, except as provided in clause (iii) of subparagraph (G), to any of the following:
(A)Medical information governed by the Confidentiality of Medical Information Act
(Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009
(Public Law 111-5).
(B)Information that meets all of the following conditions:
(i)It is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations.
(ii)It is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.
(iii)A business or its business associates, as described in subparagraph (D), does not attempt to reidentify the information nor do they
actually reidentify the information.
(C)A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A).
(D)A business associate of a covered entity governed by the privacy, security, and data
breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses patient information only in accordance with the legal requirements of the privacy, security, and breach notification rules applicable to protected health information as described in subparagraph (A).
(E)Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also
known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.
(F)(i)Personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy requirements of the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.
(ii)Personal information that is collected for or used in research, subject to all applicable ethics and privacy
laws, if the information is either individually identifiable health information, as defined in Section 160.103 of Title 45 of the Code of Federal Regulations or medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(iii)As used in this subparagraph, “research” has the meaning provided by Section 164.501 of Title 45 of the Code of Federal Regulations.
(G)Personal information collected by a business that meets all of the following conditions:
(i)The business uses the information only for the following purposes:
(I)Product registration and tracking consistent with
applicable United States Food and Drug Administration regulations and guidance.
(II)Public health activities and purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations.
(III)Activities related to quality, safety, or effectiveness regulated by the United States Food and Drug Administration.
(ii)The information is subject to all confidentiality and privacy provisions applicable under federal or state law other than this section and is not sold or used except as provided in clause (i).
(iii)This subparagraph shall not apply to Sections 1798.110, 1798.115, 1798.130, and 1798.150.
(2)For purposes of this
subdivision:
(A)“Medical information” and “provider of health care” have the same meaning as in Section 56.05, and “business associate,” “covered entity,” “health information,” and “protected health information” have the same meaning as in Section 160.103 of Title 45 of the Code of Federal Regulations.
(B)“Patient information” means all of the following:
(i)“Individually identifiable health information” as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.
(ii)“Identifiable private information” as defined in Section 46.102 of Title 45 of the Code of Federal Regulations.
(iii)“Medical information” as defined in subparagraph (A).
(d)(1)This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.
(2)Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.
(3)This subdivision shall not apply to Section 1798.150.
(e)This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial
Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
(f)This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
(g)(1)Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a
vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
(2)For purposes of this subdivision:
(A)“Vehicle information” means the vehicle information number, make, model, year, and odometer reading.
(B)“Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.
(h)(1)This title shall not apply to any of the following:
(A)Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
(B)Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of,
director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.
(C)Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.
(2)For purposes of this subdivision:
(A)“Contractor” means a natural person who provides any service
to a business pursuant to a written contract.
(B)“Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C)“Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.
(D)“Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive
officer, president, secretary, or treasurer.
(E)“Owner” means a natural person who meets one of the following:
(i)Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii)Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii)Has the power to exercise a controlling influence over the management of a company.
(3)This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.
(4)This subdivision shall become inoperative on January 1, 2021.
(i)Notwithstanding a business’ obligations to respond to and honor consumer rights requests pursuant to this title:
(1)A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2)If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and
at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3)If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(j)A business that discloses personal information to a service provider shall not be
liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
(k)This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not
maintained in a manner that would be considered personal information.
(l)The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.
(m)The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
(n)(1)The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a
written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.
(2)For purposes of this subdivision:
(A)“Contractor” means a natural person who provides any service to a business pursuant to a written contract.
(B)“Director” means a
natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
(C)“Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
(D)“Owner” means a natural person who meets one of the following:
(i)Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
(ii)Has control in any
manner over the election of a majority of the directors or of individuals exercising similar functions.
(iii)Has the power to exercise a controlling influence over the management of a company.
(3)This subdivision shall become inoperative on January 1, 2021.