New California Bill Targets Family Data Harvesting
A new bill, AB 2021, has been introduced in California to end the illegal harvesting of families' data by apps and online platforms. The proposed legislation places a special focus on protecting children's and parents' data. If passed, it could create new obligations for apps in the family health and wellness sector regarding data minimization and parental consent.
- The bill, officially named the Whistleblower Protection and Privacy Act, was introduced by Assemblywoman Pilar Schiavo in partnership with the California Privacy Protection Agency to create a framework for protecting and rewarding insiders who report illegal data collection or misuse. This new legislation specifically aims to protect sensitive data like medical diagnoses, private locations, and information related to children's academic performance.
- This bill builds on an already robust set of California privacy laws, including the California Consumer Privacy Act (CCPA), which requires opt-in consent for the sale of data from consumers under 16, and the Confidentiality of Medical Information Act (CMIA), which has been expanded by other recent laws to cover mental and reproductive health apps.
- The legislation arrives in the wake of significant privacy-related legal actions against consumer health apps. For instance, the fertility tracking app Flo and Google reached a combined $56 million settlement to resolve a class-action lawsuit alleging the app shared users' health data with third parties without consent. California residents in that case are set to receive twice the pro rata share of other claimants.
- Similarly, the weight-loss app Noom has faced class-action lawsuits in California alleging the use of embedded "wiretaps" to secretly record user interactions, including the input of personal health information, without adequate consent.
- For developers, the distinction between regulations like HIPAA and consumer privacy laws is critical. Most direct-to-consumer wellness apps are not governed by HIPAA, but they do fall under the jurisdiction of the Federal Trade Commission's Health Breach Notification Rule and state laws like the CCPA and CMIA. An app may become subject to HIPAA if it operates as a "business associate" for a covered entity, such as an employer's health plan.
- Wearable device integrations require careful navigation of platform-specific privacy rules. Apple's HealthKit, for example, has a strict policy prohibiting the sale of user data to advertisers or data brokers and forbids using the data for marketing purposes. All data access requires explicit, granular user consent.
- The bill's focus on children's data aligns with existing CCPA provisions, which mandate that businesses obtain affirmative consent from a parent or guardian before selling the personal information of a child under 13. For children between 13 and 16, the teen must provide their own opt-in consent for the sale of their data.
- This legislative activity is part of a broader trend in California to give consumers more control over their data. The California Delete Act, for example, will create a centralized mechanism for consumers to request that all registered data brokers delete their personal information.