(1) Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with regard to personal information relating to that consumer collected by a business, including the right to know the categories and the specific pieces of personal information that have been collected and to opt out of the sale of personal information. The act also grants a consumer the right to request a business to delete any personal information about the consumer collected by the business and requires a business to do so upon receipt of a verified request, except as specified. The act excepts certain categories of personal information and entities from its provisions, including medical information, as specified.
This bill would except from the CCPA information that was deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information, consistent with specified federal policy, as provided. The bill also would except from the CCPA a business associate of a covered entity, as defined, that is governed by federal privacy, security, and data breach notification rules if the business associate maintains, uses, and discloses patient information in accordance with specified requirements.
This bill would additionally except personal information that is collected for, or used in, biomedical research subject to institutional review board standards and the ethics and privacy laws of an identified federal policy, specified clinical practice guidelines, or human subject protection requirements of the United States Food and Drug Administration (FDA). The bill would further except personal information of certain types that is collected for, or used in, research, as defined, and, as specified, personal information collected by a business for purposes of product registration and tracking regulated by the FDA, specified public health activities, or quality, safety, or effectiveness compliance regulated by the FDA. The bill would define terms for these purposes.
(2) The CCPA requires a business to make certain disclosures to consumers, in a specified form, in its online privacy policy, if the business has an online privacy policy, and in any California-specific description of consumers' privacy rights, or, if the business does not maintain an online privacy policy or policies, on its internet website, and to update that information at least once every 12 months.
This bill would require a business that sells or discloses information that was deidentified in accordance with specified federal law, was derived from protected health information, individually identifiable health information, or identifiable private information to also disclose whether the business discloses deidentified health information derived from personal information and if so, whether that information was deidentified pursuant to specified methods.
This bill would declare that it is to take effect immediately as an urgency statute.

Statutes affected:
AB713: 1798.130 CIV, 1798.145 CIV
02/19/19 - Introduced: 1798.130 CIV, 1798.145 CIV
03/28/19 - Amended Assembly: 1798.130 CIV, 1798.145 CIV
01/06/20 - Amended Senate: 1798.130 CIV, 1798.145 CIV
01/23/20 - Amended Senate: 1798.130 CIV, 1798.145 CIV