On Wednesday, October 6, 2021, California Governor Gavin Newsom signed a series of privacy bills into law, including Assembly Bill 694 (Privacy and Consumer Protection: Omnibus Bill). Assembly Bill 694 advances several technical amendments to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
How Assembly Bill 694 Changes The CCPA
While the changes to the CCPA & CPRA contained in AB 694 are considered relatively non-controversial—clarifications on a few specific issues have delivered another significant step forward in the evolution of privacy legislation in the United States. Among critical developments in the new law is an amendment to California Civil Code § 1798.140, which introduces key definitions related to the recognition and enforcement of privacy rules, the most notable of which removes uncertainty and provides practical guidance around the concept of consent.
Per the amendment provided by AB 694, “consent” in the context of the CPRA/CCPA means:
The definition provided in AB 694 is the most concrete guidance surrounding matters of consent since the CCPA was signed into law in 2018. It gives businesses a more explicit standard and method(s) to collect personal information from consumers. Importantly, as defined in AB 694, the consent language strikingly mirrors the definition provided in the GDPR.
With this emerging standard in mind, businesses should now be considering the potential legal implications of their existing mechanisms for consent, with a particularly keen eye toward whether they achieve “freely given, specific, informed, and unambiguous” indications, as advised by the new definition.
California Privacy Protection Agency Timeline Clarified
Another amendment in AB 694 worth highlighting clarifies the timing of the California Privacy Protection Agency’s (CPPA) ability to devise new rules. Initially, the CPRA stated that rule-making authority would become effective either July 1, 2021 or six months after the Agency provides notice to the Attorney General that it is prepared to begin rule-making, whichever is earlier. Confusingly, however, another section in the same draft stated it would be effective at the later date of the two. AB 694 removes this discrepancy by clarifying that it will be six months after the California Privacy Protection Agency provides notice to the Attorney General.
Genetic Information Privacy Act Updates Definition of PII
AB 694 was signed alongside a series of bills related to privacy, including AB 825, which encompasses the Genetic Information Privacy Act (GIPA). This significant development integrates “genetic data” into the broader realm of “personal information.” The GIPA is a welcome addition to privacy legislation in the U.S., as it is the first attempt to protect the millions who have voluntarily entrusted genetic data. The protection includes DNA samples sent to Ancestry services which have become increasingly prevalent and have recently been the subject of high-profile data breaches.
So far, 2021 has been a notable year for the advancement of more comprehensive laws surrounding privacy in the United States. As lawmakers continue to introduce rules and amendments to existing legislation, businesses should be on the lookout for new developments and thoroughly evaluate their policies & practices to ensure ongoing compliance.