Now that the house of origin deadline has passed, and we are basically at the mid-point in the California Legislative Session, we can take a look at pending legislation with particular attention to the bills that will continue along the legislative process in the second house. The focus of this article is on privacy legislation. The following are the major privacy bills of particular interest to the California business community:
AB 25 (Chau) – CCPA consumer definition
This bill would exclude from the definition of “consumer” a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely for purposes compatible with the context of that person’s role as a job applicant, employee, contractor, or agent of the business.
Status: Pending in Senate policy committee
AB 288 (Cunningham) – Social network services
This bill would require a social networking service to provide users that close their accounts the option to have the user’s personally identifiable information permanently removed from the company’s database and records and to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to specified exceptions. The bill would authorize specified relief for a consumer for a violation of these provisions.
Status: Held in Assembly policy committee
AB 384 (Chau) – Digital health feedback systems
This bill would expand the definition of “medical information” for purposes of the act to include any information in the possession of, or derived from, a digital health feedback system, which the bill would define. The bill would also require a manufacturer or operator that sells or offers to sell a device or software application that may be used with a digital health feedback system to a consumer in California to equip the device or software application, and the system, with reasonable security features that meet certain requirements, including that the measures be appropriate to the nature of the device, software application, or system.
Status: Pending in Senate policy committee
AB 523 (Irwin) – Customer right of privacy
This bill would apply written consent requirements for releasing information to noncommercial rather than residential subscribers. The bill would expand the information to which the restrictions on release apply, to include geolocation information and other customer proprietary network information. The bill would permit a telephone corporation to share customer proprietary network information of a mobile telephony services subscriber with its agents and affiliates that provide communications-related services for the purpose of marketing communications-related services to that subscriber if the telephone corporation obtains the written consent of the subscriber or if the telephone corporation does not receive an objection pursuant to a specified federal opt-out approval mechanism.
Status: Pending in Senate policy committee
AB 846 (Burke) – Customer loyalty programs
This bill would prohibit the CCPA from being construed to prohibit a business from offering a different price, rate, level, or quality of goods or services to a consumer if the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program or the offering is for a specific good or service whose functionality is directly related to the collection, use, or sale of the consumer’s data. The bill would prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs that are unjust, unreasonable, coercive, or usurious in nature.
Status: Pending in Senate policy committee
AB 873 (Irwin) – CCPA deidentified information
This bill would revise the definition of “deidentified” to instead mean information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information and takes reasonable technical and administrative measures designed to ensure that the data is deidentified, publicly commits to maintain and use the data in a deidentified form, and contractually prohibits recipients of the data from trying to reidentify it. This bill would revise this language to delete the reference to information that is not maintained in “a manner that would be considered personal information.” The bill would instead refer to information that is not maintained as personal information.
Status: Pending in Senate policy committee
AB 874 (Irwin) – CCPA publicly available information
This bill would redefine “publicly available” to mean information that is lawfully made available from federal, state, or local records. The bill would delete the language specifying the conditions in which that information is not “publicly available.” The bill would, instead, provide that “personal information” does not include deidentified or aggregate consumer information.
Status: Pending in Senate policy committee
AB 981 (Daly) – Insurance privacy protection
This bill would eliminate a consumer’s right to request a business to delete or not sell the consumer’s personal information under the California Consumer Privacy Act of 2018 if it is necessary to retain or share the consumer’s personal information to complete an insurance transaction requested by the consumer. The bill would also require an insurance institution or agent to provide a clear and conspicuous notice that accurately reflects its privacy policies and practices, as specified.
Status: Pending in Senate policy committee
AB 1035 (Mayes) – CCPA computerized data
This bill would require a person or business that owns or licenses computerized data that includes personal information to disclose a breach of the security of the system in the most expedient time possible and without unreasonable delay, but in no case more than 45 days, following discovery or notification of the breach, subject to the legitimate needs of law enforcement.
Status: Pending in Senate policy committee
AB 1130 (Levine) – Data breaches
This bill would revise the definition of personal information to add specified unique biometric data and tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to these provisions.
Status: Pending in Senate policy committee
AB 1138 (Gallagher) – Social media
This bill, on and after July 1, 2021, would prohibit a person or business that conducts business in California, and that operates a social media website or application from allowing a person under 13 years of age to create an account with the website or application unless the website or application obtains the consent of the person’s parent or guardian before creating the account using a method that includes reasonable measures to ensure that the person giving their consent is the parent or legal guardian of the person under 13 years of age.
Status: Pending in Senate policy committee
AB 1146 (Berman) – CCPA vehicle info exemption
This bill would except from the right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall.
Status: Pending in Senate policy committee
AB 1190 (Irwin) – Unmanned aircraft
This bill would, among other things, prohibit a state or local agency from adopting any law or regulation that bans the operation of an unmanned aircraft system. The bill would also authorize a local agency to adopt regulations to enforce FAA regulations regarding the operation of unmanned aircraft systems and would authorize local agencies to regulate the operation of unmanned aircraft and unmanned aircraft systems within their jurisdictions.
Status: Pending in Senate policy committee
AB 1202 (Chau) – Data brokers
This bill would require data brokers to register with, and provide certain information to, the Attorney General. The bill would define a data broker as a business that knowingly collects and sells to 3rd parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
Status: Pending in Senate policy committee
AB 1281 (Chau) – Facial recognition technology
This bill, commencing on July 1, 2020, would require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. The bill, commencing on July 1, 2020, would make a business that violates these provisions liable for specified civil penalties.
Status: Pending in Senate policy committee
AB 1355 (Chau) – Personal information
This bill would exclude consumer information that is deidentified or aggregate consumer information from the definition of personal information. This bill would prohibit a business from discriminating against the consumer for exercising any of the consumer’s rights under the CCPA, except if the differential treatment is reasonably related to value provided to the business by the consumer’s data.
Status: Pending in Senate policy committee
AB 1395 (Cunningham) – Connected devices
This bill would include other connected devices with a voice recognition feature in those provisions, thereby prohibiting a person or entity from providing the operation of a voice recognition feature within the state without prominently informing the user during the initial setup or installation of the other connected device with a voice recognition feature.
Status: Pending in Senate policy committee
AB 1416 (Cooley) – Consumer personal information
This bill would specify that the CCPA does not restrict a business’s ability comply with any rules or regulations adopted pursuant to and in furtherance of state or federal laws. The bill would establish an exception to the CCPA for a business that provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met. The bill would repeal the above provisions on January 1, 2024.
Status: Pending in Senate policy committee
AB 1564 (Berman) – Consumer requests for disclosure
This bill would require a business, in a form that is reasonably accessible to consumers, to make available to consumers a toll-free telephone number or an email address and amailing address for submitting requests for information required to be disclosed. The bill would require that a business that operates exclusively online only be required to provide an email address for submitting requests for information required to be disclosed.
Status: Pending in Senate policy committee
AB 1665 (Chau) – Child protection
This bill would prohibit a person or business that conducts business in California, that operates an internet website or application that requires opt-in consent before selling a minor’s personal information, to obtain consent to sell the minor’s personal information in a manner that is separate from the social media internet website or application’s general terms and conditions.
Status: Pending in Senate policy committee
AB 1760 (Wicks) – CCPA
This bill would revise and recast the California Consumer Privacy Act of 2018. Among other things, the bill would prohibit a business from sharing a consumer’s personal information unless the consumer has authorized that sharing and would prescribe various business requirements in connection with this new “right to opt-in consent.” The bill would generally prohibit any discrimination against a consumer based on the exercise of the right to opt-in or other rights, including charging different prices for goods or services.
Status: Held in Assembly policy committee
AB 1790 (Wicks) – Marketplace sellers
This bill would require a marketplace to ensure that their terms and conditions regarding commercial relationships with marketplace sellers meet specified requirements, including that the terms and conditions are drafted in plain and intelligible language. The bill would define “marketplace seller” for these purposes as a person residing in the state who has an agreement with a marketplace and makes retail sales of services or tangible personal property through a marketplace owned, operated, or controlled by that marketplace.
Status: Pending in Senate policy committee
SB 299 (Jackson) – Connected devices
This bill would prohibit an operator of an internet website, online service, online application, or mobile application directed to minors, or an operator of an internet website, online service, online application, or mobile application that has actual knowledge that a minor is using its internet website, online service, online application, or mobile application, from using the personal information of a minor to direct content to the minor, or a group of individuals who are similar to the minor, based upon the minor’s actual or perceived race, ethnicity, religion, physical or mental disability, medical condition, gender identity, gender expression, sexual orientation, sex, or socioeconomic background, or any other factor used as a proxy for identifying any of those characteristics.
Status: Held in Senate policy committee
SB 561 (Jackson) – New private right of action enforcement
This bill would expand a consumer’s rights to bring a civil action for damages to apply to other violations under the CCPA. This bill would instead specify that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the CCPA. This bill would delete the 30-day period in which to cure after receiving notice of an alleged violation.
Status: Held in Senate fiscal committee
The Legislature is scheduled to adjourn on September 13, and Governor Gavin Newsom will have 30 days to act on measures sent to him by that date. We’ll check back after final actions take place on these and other measures.