2021 California Legislative Session Privacy Recap

CA Assembly Bill 13 (AB 13)

Author

Assemblymember Ed Chau (D, 49^th District)

The Bill

AB 13 would require the Department of Technology to offer guidelines and require impact assessments when the state uses high-risk algorithmic decision systems.

Full Bill Text

The Outcome

Failed to pass both houses. Must pass CA Assembly by January 31, 2022 or die.

Our Analysis

With the increasing use of automated decision-making systems by state agencies posing a risk of discriminatory impact, we supported AB 13 as a first step to building trust in the public sector use of these systems and an attempt to thwart automated bias that harms the health and wealth of communities of color and low-income Californians.

CA Assembly Bill 814 (AB 814)

Author

Assemblymember Marc Levine (D, 10^th District)

The Bill

AB 814 would extend privacy protections to information collected for COVID-19 contact tracing.

Full Bill Text

The Outcome

Failed to pass both houses. Must pass CA Assembly by January 31, 2022 or die.

Our Analysis

The COVID-19 global pandemic led to the creation of contact tracing programs to enable state agencies and individuals to better understand the spread of the virus—however there are concerns that information collected for those purposes may be used or sold in the private sector. 

We supported AB 814 as necessary to protect the personal information of Californians whose information may be collected for contact tracing, and to help encourage Californians to participate in these programs. The success of contact tracing programs depends on voluntary use by people that trust that their information is secure and used only for public health purposes. A failure to pass AB 814 would be a blow to both.

CA Assembly Bill 825 (AB 825)

Author

Assemblymember Marc Levine (D, 49^th District)

The Bill

AB 825 requires businesses to notify people when a data breach exposes their genetic information.

Full Bill Text

The Outcome

Signed into law on October 5, 2021.

Our Analysis

Data breach notification requirements must define what personal information is covered when a data breach occurs. As the scope of consumer technology expands, so must the scope of that definition.

We supported AB 825 to ensure that genetic information collected by direct-to-consumer testing kits has the same data breach notification requirements as any other personal information. 

CA Assembly Bill 1252 (AB 1252)

Author

Assemblymember Ed Chau (D, 49^th District)

The Bill

AB 1252 would have broadened the definition of personal health record information under the Confidentiality of Medical Information Act to include personal information collected by consumer-directed health and fitness wearables, apps and services.

Full Bill Text

The Outcome

Failed to pass both houses. Moved to the inactive file at the request of the author.

Our Analysis

Massive amounts of personal information about health and fitness are collected by apps, services and products that fall outside current legal protections.

We supported AB 1252’s expansion to the Confidentiality of Medical Information Act, which would have extended much needed protections to health information collected by apps and products that consumers download or use under their own volition and not under the direction of a healthcare provider—an issue we’ve championed as far back as 2013.

CA Assembly Bill 1436 (AB 1436)

Author

Assemblymember Ed Chau (D, 49^th District)

The Bill

AB 1436 would extend the protections of the Confidentiality of Medical Information Act to health information collected outside the traditional care setting and by patients themselves.

Full Bill Text

The Outcome

Failed to pass both houses. Must pass CA Assembly by January 31, 2022 or die.

Our Analysis

We supported AB 1436—a gut-and-amended to carry the substance of AB 1252—to extend existing health privacy protections to innovative medical technology not contemplated when current laws were put in place and bring current regulation into line with the reality of how Californians integrate consumer technology into their health care. 

CA Senate Bill 41 (SB 41)

Author

Senator Tom Umberg (D, 34^th District) 

The Bill

SB 41 established the Genetic Information Privacy Act which

• places some restrictions on how direct-to-consumer genetic testing companies can operate
• empowers consumers of those companies with certain rights of access and deletion
• prohibits those companies from disclosing a consumer’s personal information, except under certain circumstances

Full Bill Text

The Outcome

Signed into law on October 6, 2021.

Our Analysis

Direct-to-consumer genetic testing kit companies (e.g. 23AndMe and Ancestry.com) providing at-home DNA testing kits get detailed information about their customers' genetic backgrounds—information that can be incredibly revealing for the individuals purchasing the services and their relatives.

We supported SB 41 to build upon the legal foundation of the California Consumer Privacy Act and ensure that additional protections are in place for genetic information collected by at-home genetic testing kits.

CA Senate Bill 210 (SB 210)

Author

Senator Scott Wiener (D, 11^th District)

The Bill

SB 210 would have introduced privacy protections into the Automated License Plate Recognition systems used by the California Highway Patrol—requiring license plate information to be deleted after 24 hours unless that license plate already appeared on a hot list to be targeted.

Full Bill Text

The Outcome

Died in committee.

Our Analysis

Current law permits the Department of the California Highway Patrol and law enforcement agencies to collect, maintain and share license plate data captured by license plate reader technology for 60 days. However, license plate data also reveals precise geolocation information over time—especially sensitive information that could be harmful to an individual, if exposed through a data breach.

We generally support data minimization requirements for both the private and public sectors as a whole, and therefore supported SB 210.

CA Senate Bill 746 (SB 746)

Author

Senator Nancy Skinner (D, 9^th District)

The Bill

SB 746 would have expanded the California Consumer Privacy Act (CCPA) to permit consumers to request that a business disclose to them whether it uses personal information collected about them for a political purpose.

Full Bill Text

The Outcome

Died in committee.

Our Analysis

We generally support additional transparency and disclosure requirements under the California Consumer Privacy Act, and therefore supported SB 746.

CA Assembly Bill 335 (AB 335)

Author

Assemblymember Tasha Boerner Horvath (D, 76^th District)

The Bill

AB 335 adds an exemption to the deletion requirements of the California Consumer Privacy Act. It allows a business that sells boats to refuse to delete a consumer’s personal information when maintaining that information is necessary for the business to let them know about a product recall.

Full Bill Text

The Outcome

Signed into law on October 8, 2021.

Our Analysis

The California Privacy Rights Act (CPRA) updated the California Consumer Privacy Act (CCPA) to require that any future amendments strengthen, not weaken, consumer privacy.

We opposed AB 335 because it violates the CPRA’s requirement that privacy legislation strengthen current law. It does nothing but add an exemption to the CCPA and makes no attempt to justify itself under the amendment requirements of the CPRA.

CA Assembly Bill 751 (AB 751)

Author

Assemblymember Jacqui Irwin (D, 44^th District) 

The Bill

AB 751 authorizes a state agency to use biometrics (i.e. facial surveillance technology, iris recognition, wrist or neck vein identification, voice or gait recognition) as mechanisms to verify a consumer’s identity for the purposes of accessing vital records with the State Registrar’s office. 

Full Bill Text

The Outcome

Signed into law on October 7, 2021. 

Our Analysis

The State Registrar currently allows Californians to access vital records online—doing so requires the verification of that individual’s identity.

We opposed AB 751 and remain concerned that it will undermine Californians’ privacy and potentially permit discriminatory technologies to be used in the State Registrar’s office. Face surveillance systems are well-documented to be inaccurate and biased against various protected classes including

• race
• gender
• age
• disability status

CA Assembly Bill 917 (AB 917)

Author

Assemblymember Richard Bloom (D, 50^th District)

The Bill

AB 917 expands the City and County of San Francisco and the Alameda-Contra Transit District's authorization to use on-vehicle cameras to enforce parking violations only in certain designated locations—allowing public transit authorities to use video image monitoring to enforce parking violations at any transit-only lane and at transit stops.

Full Bill Text

The Outcome

Signed into law on October 8, 2021.

Our Analysis

We opposed AB 917 and encouraged the legislature to consider alternative methods of improving transportation efficiency as increased surveillance of Californians bring risks of information misuse and inadvertent exposure.

CA Assembly Bill 984 (AB 984)

Author

Assemblymember Luz Rivas (D, 39^th District)

The Bill

AB 984 would expand and make permanent the program authorizing digital license plates and vehicle registration cards. 

Full Bill Text

The Outcome

Failed to pass both houses. Must pass CA Assembly by January 31, 2022 or die.

Our Analysis

We opposed AB 984 because the use of digital license plate and digital vehicle registration card programs raise privacy, policing and equity concerns that should be addressed prior to making them permanent. Since electronic devices can gather extremely sensitive information such as location data, we also argued that the bill should put clear limitations on the information the vendor may collect and under what circumstances.

CA Senate Bill 623 (SB 623)

Author

Assemblymember Josh Newman (D, 29^th District)

The Bill

SB 623 would have rolled back protections of CA Senate Bill 1268 by altering the type of consent required for a transportation agency to share personal information for marketing purposes. Additionally, SB 623 would have impacted impact ongoing litigation by declaring the substantive rolling back of privacy protections.

Full Bill Text

The Outcome

Failed to pass Senate.

Our Analysis

In 2010, the California Legislature enacted CA Senate Bill 1268—establishing privacy standards that transportation agencies need to follow when, for instance, collecting information about consumers at toll roads. Despite this, millions of California drivers’ privacy rights have been violated by these agencies—resulting in ongoing and pending litigation.

We opposed AB 623 because it sought to both retroactively and prospectively roll back privacy protections to eliminate the liability of toll agencies in various ongoing lawsuits.

CA Senate Bill 744 (SB 744)

Author

Senator Steve Glazer (D, 7^th District)

The Bill

SB 744 would create a program requiring health care providers across the state to notify the State Department of Public Health when an individual tests positive for COVID-19 and require the additional collection and reporting of household, workplace and travel information for the patient. This program would then facilitate the transfer of the patient information to a bona fide research institution of higher education for public health research purposes. 

Full Bill Text

The Outcome

Failed to pass both houses. Must pass CA Assembly by January 31, 2022 or die.

Our Analysis

Due to the ongoing COVID-19 pandemic, the State Department of Public Health wanted to create a program to provide expedited release of individualized health care data to researchers during a declared public health emergency.

We opposed SB 744 due to its requirement to share individualized records of health information with the Department of Public Health. Despite its good intentions, SB 744 lacked necessary protections on the sensitive personal information collected by health care providers and risked undermining privacy protections of California patients.