California Lawmakers Propose “Your Data, Your Way” Package of Privacy Legislation

Marti Stein

Assembly Bill 288 – Social Media Privacy:

In order to provide consumers with additional control over their data, Assembly Bill 288 requires social networking services (i.e., online platforms where users may send and receive electronic content and communicate with others) to provide users who are closing their account a couple of options. First, the consumer may request that the company delete all of the user’s personally identifiable information from their records and databases. Second, the user may also prohibit the company from sharing and selling their information with a third party after they have closed their account.  User requests would need to be processed with a commercially reasonable time.  The bill would provide a private right of action for violation of its provisions. 

Assembly Bill 384 – Digital Health Feedback Systems Privacy:

In an attempt to bridge the gap between new medical technology and privacy law, Assembly Bill 384 aims to expand the definition of “medical information” in California’s Confidentiality of Medical Information Act (CMIA) to include individually identifiable information generated from a patient’s digital health feedback system. In November 2017, the FDA approved the first digital health feedback system, which is an ingestible sensor embedded into a pill that tracks when a patient takes his or her medication. This law seeks to categorize this data as medical information and require the medical devices’ developers and operators to use reasonable security features to protect the patient’s information.

Assembly Bill 950 – Consumer Privacy Protection:

Assembly Bill 950 aims to strengthen consumers’ knowledge of the value of their information by imposing a new obligation on businesses. Currently, before a business may use or share a consumer’s information for direct marketing purposes, they must disclose and obtain the individual’s consent. Under this new legislation, the company must disclose the average monetary value of their consumers’ data as part of their privacy policy under a section entitled “The Value of Your Data.”  If the company receives a verifiable request from a consumer, they must inform him or her the amount they received for selling their information.  The bill also established a Consumer Data Privacy Commission, which would provide guidance to the Legislature on how to establish monetary value of consumer data. 

Assembly Bill 1035 – Disclosure of Data Breaches:

Under current law, a company must notify their users of any security breach in the most “expedient time possible.” This proposed legislation provides a more definitive timeframe and requires companies to disclose the breach within 72 hours of discovering it.

Assembly Bill 1202 – Data Brokers Privacy:

Under the California Consumer Protection Act (effective January 1, 2010), consumers will have the right to request from a business the following: information on what personal data that business is collecting from him or her, the business’s purpose for collecting or selling it, and which third parties the business has shared that information with. Assembly Bill 1202 would require data brokers, which are companies who collect and sell personal information from consumers they do not directly interact with, to provide consumers with an opt-out option for the selling of their data.  It would also require them to register with the Attorney General. The Attorney General’s office will make the registration information provided by data brokers available on its internet website.  Data brokers who fail to register would face an injunction and civil penalties by the Attorney General. 

Assembly Bill 1281 – Disclosing Facial Recognition Technology:

In an effort to better educate consumers, Assembly Bill 1281 would require all storefronts that use facial recognition technology in their security systems to clearly disclose the use of this software to consumers. The law would require businesses post physical signage at their entrance that informs customers they utilize facial recognition software. Businesses that violate the provisions would be liable for civil penalties under the CCPA. 

Assembly Bill 1395 – Smart Speaker Devices:

As smart speakers become increasingly more popular, California legislatures proposed the “Future of Eavesdropping Act,” or formally known as Assembly Bill 1395, which seeks to protect consumers from their virtual assistants storing and selling their personally identifiable information. Regardless of whether the user activated the device by saying the “wake” command, this proposed legislation prohibits smart speaker manufacturers from saving, storing, or sharing any user’s verbal commands made to the device and overheard conversations unless the consumer requests in writing that their recordings be stored.