Privacy legislation with broad consequences for the business community at large was stopped for the year in the Senate thanks to the opposition of the California Chamber of Commerce and coalitions of industry and employer groups.
AB 13 (Chau; D-Monterey Park), dealing with automated decisions systems for procurement, will be a two year bill. Held on the Senate Appropriations Committee Suspense File last week without comment were AB 814 (Levine; D-San Rafael), posing limits on contact tracing; and AB 1436 (Chau; D-Monterey Park), placing restrictions on personal health devices.
All three bills ultimately would have harmed the consumers the proposals aimed to protect and the businesses seeking to comply with the law. The bills are eligible to be considered again at the beginning of 2022.
AB 13 Flaws
In opposing AB 13, the CalChamber and coalition pointed out that the July 15 version not only discouraged participation in the state procurement process but also was based on a fundamentally broken definition of automated decision system (ADS).
The definition would have made it difficult for any state agency or contactor to predict with certainty whether a software fell inside or outside the scope of AB 13.
The newly established California Privacy Protection Agency (CPPA) is required by the California Privacy Rights Act of 2020 to issue regulations about businesses’ use of automated decision making technology.
The law mandates that regulations include profiling and “businesses’ response to access requests to include meaningful information about the logic involved in those decision making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
The Legislature should not disrupt the new CPPA’s ability to develop regulations by enacting a potentially harmful definition of ADS into law, the CalChamber and coalition stated.
AB 814 Slows Contact Tracing
AB 814 would have created overbroad restrictions slowing the use of contact tracing and preventing customary uses of noncontact tracing information. It also included a private right of action with attorney fees, thereby creating a strong deterrent to use information to help with contact tracing efforts.
Problems with AB 814 identified by the CalChamber-led coalition included:
• Its sweeping definition of “data” overregulated and needlessly prevented businesses from keeping any record that they even conducted contact training.
• The bill would have restricted use and retention of all data collected, received or prepared for contact tracing, but failed to recognize that the restriction included data that was not collected solely or even primarily for contact tracing.
• Unnecessary use of the private right of action to enforce compliance would have discouraged any use of contact tracing, one of the state’s most effective tools to stop the spread of COVID-19.
AB 1436 Conflicts with Current Protections
AB 1436 would have subjected businesses to liability under a law enacted when most medical records were paper-based; required a signed authorization form as a prerequisite to allowing commonplace fitness and health devices and applications to function normally; and competed with the new California Privacy Rights Act of 2020, which has not yet taken effect.
The California Consumer Protection Act of 2018 and the California Privacy Rights Act of 2020 already govern health information. Yet AB 1436 removed health information from current protections under California privacy law and relegated it to the California Confidentiality of Medical Information Act (CMIA), an outdated statute.
The signed authorization form that AB 1436 would have required affects products and services ranging from fitness wearables and glucose monitors for people with diabetes, and even websites and products designed to collect and transmit information that helps individuals manage their own physical and mental health information.
AB 1436’s attempts to segregate the code sections under which consumer privacy is governed would have been costly for the state, leading to increased staff needed at the state Department of Justice for anticipated increases in enforcement actions against alleged violators.
In the end, consumers would have been hurt by AB 1436 as its requirements forced businesses offering the covered products and services to spend additional resources on protecting themselves from penalties under the CMIA. Many businesses would have been unable to afford the increased compliance costs.
As businesses stopped offering the covered products and services, there would have been a negative impact on the availability of these health information tools and an increase in prices.