Feb. 17 marked the deadline for California legislators to introduce bills for the current legislative session. Among more than 2700 bills introduced by state senators and assembly members, 10Â proposed amendments to the California Consumer Privacy Act and the Information Practices Act of 1977, which imposes purpose limitations, consent requirements and other privacy protections over personal data held by the government. Other bills address topics like updating the Confidentiality of Medical Information Act, platform liability and student data privacy. While a significant majority of data privacy-related bills were introduced by elected representatives from the Democratic Party, Assemblymen Joe Patterson, Jim Patterson and Tri Ta offered a few bills from across the aisle.
Below is a summary of notable bill proposals from the most recent California legislative session. Although historically many of these bills die in committee and never pass, they provide insight into how elected California officials think about privacy issues and trends privacy professionals may see in other states. The CCPA-/CPRA-Related Legislation Tracker in the IAPP Resource Center provides a comprehensive look at these bills and others not detailed below.
California looks to fortify reproductive health data privacy
State houses continue to respond to the Supreme Courtâ€™s overturning of Roe v. Wade, and California is no exception. Assembly Bill 254 proposes an amendment to the CMIA that would broaden the definition of medical information to include data from reproductive or sexual health mobile apps and websites, and bring businesses that collect and manage this data into the scope of the act. Relatedly, businesses that process personal information related to services for contraception, pregnancy care and abortions, including consumer web searches for such services, would be brought within scope of the CCPA under proposed AB 1194.
These California bills reflect similar partisan efforts in other states to protect womenâ€™s reproductive health data. A Virginia bill that shields menstrual data stored in mobile apps from search warrants easily passed out of the Democrat-led Senate but was later stopped in a GOP-led House subcommittee vote. Comparatively, California passed a similar billÂ prohibiting companies from complying with data requests in out-of-state warrants for procedures deemed legal in California. The Washington state My Health, My Data Act appears to have a better chance at success than Virginiaâ€™s bill, with its proposed protections of consumer health data and special focus on reproductive or sexual health data.
Operational changes would support the attorney general and data brokers
Although the majority of substantive updates and clarifications to the CCPA this year will come via Californiaâ€™s regulatory rulemaking process, a few bills still aim to codify small operational updates to the comprehensive privacy bill. AB 1546 would clarify that the attorney general may commence an enforcement action under the CCPA up to five years after cause of action accrued. This is a significant departure from the existing general law, which imposes a one-year statute of limitations for statutory enforcement actions. Democratic legislators also signaled their commitment to consumer protection with the introduction of AB 947, which originally would have added consumer rights to the list of qualifications considered for the California Privacy Protection Agencyâ€™s governing five-member board. On March 6, the Committee on Privacy and Consumer Protection amended the bill to instead expand the definition of sensitive personal information to include a consumerâ€™s citizenship or immigration status.
Data brokers and other privacy pros operating in California should also take note of AB 362, which would extend the annual deadline for data brokers to register with the attorney general from Jan. 31 to Feb. 15.
Platform liability and student privacy â€¦ sometimes in the same billÂ
The wave of introduced legislation also addressed some platform liability and student privacy issues through several proposed bills. The hotly contested SB 287 would impose penalties on social media platforms using algorithms and other designs they know could promote the sale of fentanyl, illegal guns or other self-harming behaviors to minors. Advocates from both industry and civil protections groups are already weighing in on the bill. The â€œknowing actionsâ€� of social media platforms were also addressed in AB 1394, which targets the use of platforms for commercial sexual exploitation and would require platforms to comply with requests from minor victims to remove content relating to their exploitation.
The proposed Let Parents Choose Protection Act would require social media platforms to enable third-party software providers to manage a â€œchildâ€™s online interactions, content, and account settings,â€� if given permission by a parent, guardian or user of at least 13 years old. Although the act is less stringent than Utahâ€™s recently enacted Social Media Regulation Act â€” which requires platforms to allow parents or guardians access to minorsâ€™ account information, including messages, and prohibit all advertising to underage users â€”Â the California bill flows in the same recent wave of youth privacy regulation. AB 801, another youth privacy bill introduced this session, would mandate operators like online service providers to honor deletion requests for studentsâ€™ covered information.
A potpourri of privacy for other sectorsÂ
There are a few bills focused on context and use cases that may be important for privacy pros. Representatives took aim at the public sector through AB 1034 and AB 302. The former states the legislatureâ€™s intent to regulate the use of biometric surveillance by law enforcement. The latter requires the Department of Technology to inventory its high-risk, automated decision-making systems and submit a report to the legislature by Jan. 1, 2025. Finally, the EUâ€™s calls for greater regulation of connected car data practices were reflected in SB 296, a bill introduced in the California Senate that would impose restrictions on the retention, use and sale of images and video recordings captured by in-vehicle cameras.
In addition to the potential for legislative amendments, the CCPA continues to evolve through the CPPA rulemaking process. The first set of proposed regulations, currently under review by the California Office of Administrative Law, is expected to take effect in April. The next set of regulations on the topics of Cybersecurity Audits, Risk Assessments and Automated Decision-making invite written public comments until March 27.Â Legislators have until Sept. 14 to pass each bill described above. Until then, privacy pros should keep a close eye on the evolution of the U.S. policy conversation as California and other states continue to serve as testing grounds for new privacy ideas.