At the beginning of the year, more than 65 bills were introduced that would have impacted California privacy law. As COVID-19—the defining event of this legislative session—spread, legislators were forced to dramatically pare back their bill packages in response to the pandemic’s serious impact on the state’s budget.
Bills Supported
CA Assembly Bill 660 (AB 660)
Author
Assemblymember Marc Levine (D, 10th District)
The Background
The need for COVID-19 contact tracing raised privacy concerns with respect to sharing and use of personal information.
The Bill
AB 660 would have prohibited the sharing of personal information collected for contact tracing except with a public health entity.
The Outcome
AB 660 died in the Senate Appropriations Committee in August.
Our Analysis
AB 660—aimed at protecting personal information during the COVID-19 pandemic—would have provided some protection for personal information collected for contact tracing purposes. It would have stopped, for example, a government contractor that collects personal data for contact tracing from then selling that information to a data aggregator.
CA Assembly Bill 1782 (AB 1782)
Author
Assemblymember Ed Chau (D, 49th District)
The Background
The need for COVID-19 contact tracing raised privacy concerns with respect to downstream sharing and use of personal information.
The Bill
AB 1782 would have required contact tracing applications to obtain an individual’s opt-in consent before collecting, using, maintaining or disclosing their data. It also would have prohibited the association of contact tracing data with larger data sets, created a 60-day deadline to delete personal information after collection and provided a blanket ban on GPS tracking.
The Outcome
AB 1782 died in the Senate Appropriations Committee in August.
Our Analysis
AB 1782 would have provided privacy protections for people using contact tracing apps by requiring data minimization and prohibiting discrimination based on a person’s participation in a contact tracing program.
CA Assembly Bill 2788 (AB 2788)
Author
Assemblymember Todd Gloria (D, 78th District)
The Background
In recent years, government agencies (i.e. Immigration and Customs Enforcement) have issued internal administrative subpoenas to obtain smart meter data—most of these for residents of the border region in and near San Diego.
The Bill
AB 2788 prevents government agencies from accessing customer smart meter data without providing a court order issued by a judge.
The Outcome
AB 2788 was signed into law by Governor Newsom in September.
Our Analysis
AB 2788 will help protect Californians’ utility data—which can reveal a significant amount of personal information.
CA Assembly Bill 3119 (AB 3119)
Author
Assemblymember Buffy Wicks (D, 15th District)
The Background
The California Consumer Privacy Act (CCPA) requires people to take action to opt out of the sale of their information. Also, businesses have asserted that they are not subject to the CCPA when they are sharing information.
The Bill
AB 3119 would have clarified that a sale of information under the CCPA includes any information sharing for monetary or other valuable consideration. It would have changed the CCPA to protect privacy by default (opt-in) instead of requiring people to take steps to proactively exercise their rights (opt-out). It also would have required that businesses only collect information reasonably necessary to provide a service that a person has requested (subject to a few exceptions).
The Outcome
AB 3119 died in the Assembly Privacy and Consumer Protection Committee in May.
Our Analysis
AB 3119 would have significantly strengthened protections in the CCPA.
CA Senate Bill 980 (SB 980)
Author
Senator Tom Umberg (D, 34th District)
The Background
Direct-to-consumer genetic testing companies are largely unregulated with respect to the highly sensitive information they collect and process.
The Bill
SB 980 would have established the Genetic Information Privacy Act—requiring companies to provide more information to consumers about their policies regarding the collection, use and sharing of their genetic data. It would have prohibited any sharing of genetic information without the express consent of the individual and allowed them to revoke any consent (requiring the destruction of any genetic material) within 30 days of signing up. It also would have specified that consent to collection and sharing policies using coercive design (dark patterns) would not constitute consent.
The Outcome
SB 980 was vetoed by Governor Newsom in September (citing the risk of compromising laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments).
Our Analysis
SB 980 would have helped protect privacy for people using direct-to-consumer genetic testing products (e.g. 23andMe, HomeDNA) and their highly sensitive genetic information.
Bills Opposed
CA Assembly Bill 2004 (AB 2004)
Author
Assemblymember Ian Calderon (D, 57th District)
The Background
The COVID-19 pandemic and existing medical privacy laws prompted a look into the use of alternate methods of sharing medical test results.
The Bill
AB 2004 would have created a working group to explore the use of blockchain technology for issuing electronic medical records in the context of COVID-19.
The Outcome
AB 2004 was vetoed by Governor Newsom in September.
Our Analysis
AB 2004 was a vague and poorly drafted bill promoting blockchain technologies as tools for issuing electronic medical records in the context of COVID-19. There are underlying concerns even with the idea of verifiable health credentials being used to communicate COVID-19 (or any medical) test results. Privacy risks—along with civil liberties and equity issues—are inherent and could lay the groundwork for national IDs and/or immunity passports.
CA Senate Bill 664 (SB 664)
Author
Senator Ben Allen (D, 26th District)
The Background
In 2010, the legislature passed CA Senate Bill 1268 (SB 1268)—the Streets and Highways Code Chapter 8—which limited the sale or dissemination of personal data on motorists that government agencies in CA collect from electronic toll collection systems. SB 1268 required written consumer opt-in consent for the sharing of that data with third parties and established monetary damage awards for the violation of a motorist’s privacy.
The Bill
SB 664 would have applied retroactively to 2011—changing the written opt-in consent for data sharing to electronic consent. It also would have reduced damage caps for violations and immunized local transportation agencies facing lawsuits for violating the existing law.
The Outcome
SB 664 died before reaching a committee (COVID-19 forced a reduction in the number of legislative hearings).
Our Analysis
SB 664 would have retroactively revoked statutory protections—immunizing state and local transportation agencies from lawsuits for violating the Streets and Highways Code Chapter 8. With its change to the written opt-in consent, it would have allowed consent to be hidden in long terms of service that people typically do not read. It also would have created a dynamic where the penalties for selling personal information would be insignificant compared to the potential for profit.