As the deadline for policy committees in the California Legislature to report non-fiscal bills out of their respective Committees looms, this week saw a number of privacy-related bills heard in the Assembly Committee on Privacy and Consumer Protection. In addition, the appropriations committees are also facing deadlines in mid-May to hear hundreds of bills that would have a fiscal impact on the State.  All of this made for an interesting week in privacy in the California Legislature.  We previously reported on the hearing in the Senate Appropriations Committee regarding Senate Bill 561 on Monday.  https://www.severson.com/consumer-finance/ccpa-sb-561-placed-in-expected-legislative-limbo-after-hearing-in-senate-appropriations-committee/   The week continued with hearings in the Assembly Committee on Privacy and Consumer Protection (the “Privacy Committee”) on Tuesday, April 30, and the Assembly Appropriations Committee (the “Appropriations Committee”), on Wednesday, May 1.

Assembly Committee on Privacy and Consumer Protection

The Privacy committee heard four bills related to privacy in general on Wednesday. Of those bills, one bill would amend the California Consumer Privacy Act of 2018 (the “CCPA”).

Assembly Bill 1416, authored by Assemblyman Ken Cooley (D – Rancho Cordova), would make edits to the CCPA.  The author agreed at the hearing to accept the Privacy Committee’s suggested amendments to the bill.  The bill, as amended at the hearing, would specify that the CCPA’s opt-out provisions do not prohibit a business from using personal information to exercise or defend legal claims, or from sharing information with government agencies for purposes of carrying out a government program.  Assemblyman Cooley specified that his bill was intended to allow the sharing of information, for example, with law enforcement for the purposes of tracking down deadbeat parents and helping foster children to track down their parents.  The author also amended the bill at the hearing to add a four-year sunset for the edits made by the bill.  The bill received strong support from the California Chamber of Commerce and other businesses and business associations.  Opposition was registered from Californians for Consumer Privacy, the authors of the ballot initiative that became the CCPA, and other privacy advocates, including the ACLU and Privacy Rights Clearinghouse.  The bill was reported to the Assembly floor with a “do pass” recommendation by a vote of 8-0.

While not related to the CCPA, the Privacy Committee also heard Assembly Bill 1665 by Assemblyman and Committee Chair Ed Chau (D – Monterey Park), which would require any business in California to obtain opt-in parental consent in order to post a minor’s name, picture or information that could reasonably identify the minor on an internet website or application (if the company is paid by a third party to display that personal information about the minor).  The bill would also prohibit the business from denying the minor access to a social media internet website or application because the minor’s parent(s) did not provide consent.  No opposition was registered at the hearing.  The bill received a “do pass” recommendation by a vote of 10-0 with one abstention, and advances to the Assembly floor.

Assembly Bill 1395, Cunningham (R – San Luis Obispo), another privacy bill not related to the CCPA, would prohibit manufacturers of personal smart speakers (such as Amazon Alexa) from collecting and sharing audio data (for example, recording private conversations of persons in the vicinity of the personal smart speaker) collected without the affirmative, opt-in consent of the consumer.  There was some discussion with committee members suggesting that the bill needs to be amended to conform to the reality of how personal smart speakers work, and the author agreed, committing to work on the language of the bill (in particular, the definition of “stored”).  The bill was opposed by technology company advocates, such as the Internet Association and TechNet.  The bill was reported out of the Privacy Committee with a “do pass” recommendation by a vote of 8-0 with 2 abstentions and advances to the floor for a vote.

Finally, the Privacy Committee heard Assembly Bill 1035, authored by Assemblyman Chad Mayes (R – Yucca Valley).  AB 1035 would require businesses to notify consumers regarding data breaches no later than 45-days (amended from 3 days) after the date of the discovery of the breach.  (California’s existing data breach notification statute, California Civil Code Section 1798.29, requires notification “at the most expedient time possible,” but does not specify a deadline for notification.)  The bill would permit notification after the 45-day deadline if required to protect the integrity of a law enforcement investigation.  Consumer advocates opposed the bill, claiming that 45-days is too long for a notification deadline, and requesting a shorter time frame.  The bill was reported to the Assembly floor with a “do pass” recommendation by a vote of 7-0.

Appropriations Committee

The Appropriations Committee also heard three bills that would amend the CCPA. All three of these bills were on the consent calendar.  The consent calendar is a procedure in the Appropriations Committee whereby bills deemed by the chair (a Democrat) and vice-chair (a Republican) to be “noncontroversial” and with no significant fiscal impact on the State are voted on together.  The following bills on the consent calendar were passed unanimously:

  • Assembly Bill 25, written by Assemblyman Ed Chau (D – Monterey Park), a bill that would amend the CCPA’s definition of “consumer”, exempting from that definition persons whose personal information is collected in the course of the person acting as a job applicant, employee, contractor or agent of a business.
  • Assembly Bill 874, written by Assemblyman Jacqui Irwin (D – Thousand Oaks), which would amend the definition of “publicly available information” in the CCPA, removing the requirement that publicly available information only be used for purposes for which a government agency makes that information available. The bill would also fix a typographical error in the CCPA and provide that “personal information” does not include de-identified or aggregate consumer information. This is an absolutely necessary amendment to correct errors in the CCPA.
  • Assembly Bill 1355, written by Assemblyman Chau, which would amend the CCPA to correct a number of typographical errors in the Act’s provisions requiring businesses to disclose personal information about specific consumers to consumers in general. This is also a necessary amendment to correct errors in the CCPA. The bills passed on the consent calendar will all advance to a floor vote in the Assembly. Bills will need a majority in the 80-member chamber to advance to the Senate. With a number of legislative deadlines fast approaching, these next few weeks will see a flurry of activity in both houses of the California Legislature. Check these pages in order to stay up to date on the progress of these, and other, privacy-related bills winding their way through California’s legislative maze.

The bills passed on the consent calendar will all advance to a floor vote in the Assembly. Bills will need a majority in the 80-member chamber to advance to the Senate.  With a number of legislative deadlines fast approaching, these next few weeks will see a flurry of activity in both houses of the California Legislature. Check this ‘blog to stay up to date on the progress of these, and other, privacy-related bills winding their way through California’s legislative maze.