Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

CR supports, if it is amended, CA AB 2089 (Mental health information privacy)

Consumer Reports supports, if it is amended, AB 2089 (Privacy: mental health information). We are strong proponents of public policy that bolsters consumers’ privacy and their individual right to choose who accesses their data and for what purposes. It is within this framework that we support the goals of this legislation, because it could extend existing health privacy protections to innovative medical technology not contemplated when current laws were put in place.

In California, patient privacy is protected by the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, combined, these two laws only protect sensitive health information that is generated by healthcare providers, insurers and health plans, pharmaceutical companies, healthcare clearinghouses and businesses organized for the purpose of maintaining medical information. The information created by new health technologies, such as mental health apps, do not fall cleanly into this rubric.

Drafters of these laws did not anticipate future technology that would facilitate personal health information being generated by technology outside the traditional care setting and by the patients themselves. That future, however, is here and our state laws must keep pace. Although the California Consumer Privacy Act (CCPA) would apply to mental health app data, the law does not protect consumer data to the same extent as the medical privacy laws, creating an uneven privacy plane between health information collected by new health technology versus data created by providers and insurers and plans themselves. For example, whereas the CCPA permits data sharing but requires access, deletion, and limits on the sale of data to third parties upon request, the CMIA and HIPAA prohibit most cases of sharing at all.

Meaningful protections over this data are warranted, especially because mental health apps collect sensitive information that can create damaging, irreversible impacts if shared with third parties, including social stigmatization and additional barriers to future opportunities. These apps can collect data with respect to anxiety disorders, depression, bipolar disorders, eating disorders, and post-traumatic stress disorders. People with mental health disabilities face disproportionately high rates of poverty and discrimination in housing and employment.

While we applaud the author for proposing the bill, we recommend several changes to the bill in print, consistent with its privacy intent. For example, we recommend defining key terms such as “share” and “consent,” and clarifying that consumers cannot be charged for exercising their privacy preferences. Thank you for your consideration, and for your work to protect consumer privacy. We look forward to working with you to ensure the strongest possible protections for consumer data.

For the full letter, please see the attached PDF.