California Gov. Gavin Newsom (D) has signed AB 947 and AB 1194 into law, making key changes to definitions under the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”). These changes will go into effect on January 1, 2024.

Under the CCPA, the definition of “sensitive personal information” includes, among other things, a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. AB 947 amends the definition of “sensitive personal information” to add a consumer’s citizenship or immigration status.

Further, under the CCPA, consumers have the right to request businesses to delete personal information about the consumers, unless doing so would restrict the businesses’ ability to comply with federal, state, or local laws or to comply with a court order, subpoena, or government agency request for emergency access. AB 1194 clarifies that a business is required to comply with the privacy rights under the CCPA if a consumer’s personal information contains information related to reproductive health, including contraception, pregnancy, or abortion services. In relation to the government emergency access request exemption, AB 1194 further amends the text of the law to state that a consumer accessing, procuring, or searching for reproductive health services does not constitute a natural person at risk or danger of death or serious physical injury.

To address these updates, businesses should consider reviewing and possibly revising CCPA policies and disclosures, including:

  1. Updating notices and privacy disclosures: Consider revising consumer and employee privacy disclosures to recognize the additional data points that are now considered sensitive personal information.

  2. Revising data subject right processes: Consider updating the data subject rights policy and training to clarify the emergency access request exemption, and the categories of sensitive personal information that is subject to these requests.

  3. Reviewing data classifications: Review the data classification policy and/or data map to recognize the newly included data categories that are considered sensitive personal information under the CCPA.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address evolving developments. Please contact us at cyber@constangy.com if you would like additional information about how the CCPA affects your business, or help updating your CCPA program.

For a printer-friendly copy, click here.

Back to Page