Governor Gavin Newsom recently signed Assembly Bill (“AB”) 713 which amends the California Consumer Privacy Act (“CCPA”). See text of AB 713 here. The CCPA has now been amended at least eight times and businesses should expect continued changes in the coming years.
AB 713 makes several amendments to the CCPA the most important of which focus on deidentified and reidentified information. This is the first time that any privacy statute has specifically regulated this type of date. In same circumstances, deidentified data can now be transferred, sold or shared without being subject to the CCPA. Further, AB 713 bans the common practice of reidentifying data after the data has been acquired. For example, AB 713 now exempts health care data from the application of the CCPA if
(i) that data is protected by various federal statutes and policies like the Health Insurance Portability and Accountability Act and the federal Health Information Technology for Economic and Clinical Health Act and
(ii) if that data has been deidentified
Deidentifying data and information is a process of removing or segregating data sets to de-link personally identifiable data (like a person’s name or social security number) from generic data (like a person’s age and their most recent medical test results). As noted, AB 713 now specifically exempts medical data that has been deidentified from having to comply with the CCPA. In general, businesses are deidentifying data as a method of complying with and avoiding privacy laws and as one method of protecting data from cyberattacks. Indeed, mostly, there are no statutory or regulatory restrictrictions on storing, sharing, transferring and/or selling deidentified data. Further, deidentified data is less dangerous in the event of a cyber-attack or hack, because, even if the data is stolen, there is minimal financial and legal risk because the data does not identify specific consumers. As a result, deidentified data can be stored with weaker cybersecurity systems and protocols.
From a privacy perspective, the problem is that the data is very easily reidentified. All that is needed is a simple “linking code” in the various data sets. Imagine, for example, two data sets in a spreadsheet format. One spreadsheet contains the personally identifiable information and the other contains all of the generic data from the person’s doctor’s visits, test results, etc. Now imagine that both data sets have a column with a unique “linking code” — let’s say “123YZ.” That unique linking code allows the data sets to be recombined. This is a particular concern for medical and health information.
AB 713 attempts to rectify this problem. As noted, AB 173 prohibits businesses and others from reidentifying data that they have acquired (unless the reidentification is done pursuant to specific exceptions). Further, beginning in 2021, businesses who sell, share or transfer deidentified data must enter into contracts that prohibit the data-recipient from reidentifying the data. AB 713 takes effect immediately.
In the coming months and years, deidentification and reidentification are going to be subject to much debate and litigation. A new legal battleground has been opened up.
If you have legal questions about consumer privacy, data security or other legal issues related to internet law, contact the trusted internet lawyers at Revision Legal at 231-714-0100.