On September 26, 2025, California Governor Gavin Newsom signed Assembly Bill 45 (AB 45) into law, strengthening privacy safeguards around personal information collected in healthcare-related settings. This bill, which amends the Confidentiality of Medical Information Act, takes effect on January 1, 2026.
What Does Assembly Bill 45 Entail?
AB 45 explicitly prohibits the collection, use, disclosure, sale, sharing, or retention of personal information from an individual at a family planning center or within a precise geolocation of a family planning center. A family planning center, as clarified in the law, is a clinic or center that provides reproductive health care services. In addition, the law defines “precise geolocation” as a geographical area that falls within a 1,850-foot radius. Therefore, any data derived from this area will be deemed unlawful unless a statutory exception applies.
The exceptions to this prohibition are strictly limited to instances when collection or use is necessary to perform the services or provide the goods requested by the natural person and as otherwise provided by law, including as provided in a collective bargaining agreement.
Entities Exempted from Coverage
AB 45 does not apply to certain entities already governed by existing health privacy frameworks, such as health care providers or health care service plans, or other contractors/business associates, such as those subject to the Health Insurance Portability and Accountability Act (HIPAA).
2. Geofencing Restrictions on Healthcare Facilities
AB 45 also makes it unlawful for any person, directly or through a third party, to sell, share, or geofence entities that provide in-person health care services for any of the following four sensitive purposes:
- Identifying or tracking a person seeking, receiving, or providing health care services.
- Collecting personal information from a person seeking, receiving, or providing health care services.
- Sending notifications related to a person's personal information or health care services.
- Sending advertisements related to a person's personal information or health care services.
Definition of Geofencing
Geofencing is defined as any technology that enables spatial or location detection to establish a virtual boundary around, and detect an individual's presence within, a precise geolocation.
However, the law allows for certain exemptions, as an in-person health care facility is not prevented from geofencing its own location when deemed necessary to provide healthcare services. Moreover, reproductive health care providers are also exempted as they may still use geofencing technology for the purposes of protecting the security of patients, staff, or property.
3. Protection of Personal Records
AB 45 also protects sensitive personal information by prohibiting the disclosure of personally identifiable research records related to individuals seeking or obtaining health care services, especially when such records are obtained via subpoenas or requests from other states that would undermine an individual's rights under the California Reproductive Privacy Act.
4. Private Right to Action
AB 45 establishes a limited private right to action, allowing aggrieved persons to sue for damages up to three times the actual damages and any other expenses, costs, or reasonable attorneys’ fees.
5. Penalty for Non-Compliance
The law will be enforced by the California Attorney General, and all violations may result in injunctive relief and a civil penalty of $25,000 per violation. The penalties shall fund the California Reproductive Justice and Freedom Fund.
What Does AB 45 Mean for Organizations?
AB 45 targets the growing commercial practice of leveraging precise location data to infer sensitive personal information, particularly involving an individual's health-related decisions, and using it for marketing purposes.
Companies operating in California or processing the data of California residents must review their data collection practices, ahead of the law’s effective date, to ensure compliance with the new requirements on geolocation tracking and data sharing. Additionally, an exercise should be conducted to identify and record the precise geolocations of all family planning centers and in-person health care facilities in California to ensure compliance.
