California Privacy Legislation Update: AB 2089, 984, 2677, and 2269
By: Kewa Jiang
As the year comes to an end, it is time to examine which California privacy legislation was signed into law and which failed to pass. Below is an overview of some of the legislation and its key provisions.
AB 2089: Mental Health App Data Privacy: Passed
The bill was introduced by Assembly Member Rebecca Bauer-Kahan to address the gap in protection of mental health data collected by smartphone apps. Generally, smartphone app providers are not considered covered entities under the Health Insurance Portability and Accountability Act (HIPAA). Thus, app providers are not required to comply with HIPAA regulations on handling and protecting health data. Meanwhile, consumer use of mental health data has dramatically increased in the past year, which generates huge volumes of data that may be vulnerable to exploitation or abuse. Assembly Member Bauer-Kahan states, “Seeking mental healthcare is difficult enough. It’s unacceptable that we allow people’s privacy to be violated as a result of care.”
- The legislation amends the California Confidential Medical Information Act (CMIA) by extending the definition of “medical information” to include “mental health application information.”
- Mental health application information is defined as “information related to a consumer’s inferred or diagnosed mental health or substance use disorder.”
- Covered entities would include “any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information…”
AB 984: Digital License Plates: Passed
(Note: please see our previously published article for more in-depth analysis)
Assembly Member Lori Wilson introduced AB 984, which authorizes the use of digital license plates in California. The bill is part of ongoing efforts to modernize the Department of Motor Vehicles (DMV) and follows a 2015 pilot program in California of digital license plates. Now all California drivers can opt for digital license plates in 2023 after the DMV “evaluate[s] the use of alternatives to stickers, tabs, license plates, and registration cards.”
However, some privacy advocates remain concerned about potential violation of employees’ privacy when employers switch over to digital license plates. Digital license plates may enable employers to track, surveil, or otherwise monitor employees using employer-issued vehicles.
- The bill would generally prohibit an alternative device from being equipped with GPS or other vehicle location tracking capability, but would allow tracking technology to be installed on alternative devices used by specified vehicles, including fleet and commercial vehicles.
- The bill would generally prohibit an employer from using an alternative device equipped with tracking technology to monitor employees, except the bill would allow an employer to use an alternative device to locate, track, watch, listen to, or otherwise surveil an employee during work hours if strictly necessary for the performance of the employee’s duties.
- For purposes of this section, “monitor” includes, but is not limited to, locating, tracking, watching, listening to, or otherwise surveilling the employee.
AB 2677: Amendment to the Information Practices Act of 1977: Passed
Assembly Member Jesse Gabriel proposed to amend the Information Practices Act of 1977 (IPA). The IPA was enacted to protect consumer data collected by state and local government agencies and limit the use of consumer data to the purpose of collection. The IPA exempts certain government agencies, such as local agencies and the California legislature. However, the proposed amendment would expand the application of the IPA to all local agencies, expand the definition of personal information, and expand liability to include negligent violation of the IPA.
Governor Newsom vetoed the bill due to its potential financial impact on the state’s budget. The governor states that California is “facing lower-than-expected revenues over the first few months of this fiscal year, it is important to remain disciplined when it comes to spending.”
AB 2269: Digital Financial Assets Law: Failed
Assembly Member Timothy Grayson introduced AB 2269 to regulate “digital financial assets,” such as cryptocurrencies, and to require such companies to be licensed with California’s Department of Financial Protection and Innovation (DFPI). The bill would allow enforcement actions against companies that fail to register with the DFPI. Assembly Member Grayson acknowledged the excitement around cryptocurrency and similar digital financial assets but recognized that consumers are vulnerable without additional regulations or protections. AB 2269 aimed to “provide consumers basic but necessary protections and will promote a healthy cryptocurrency market by making it safer for everyone.”
On September 23, 2022, however, Governor Newsom vetoed the bill. While acknowledging the need to protect consumers, the governor stated “[i]t is premature to lock a licensing structure in statute without considering both this work and forthcoming federal actions.”
Since September 2022, the cryptocurrency market has undergone volatile changes. FTX, a cryptocurrency exchange platform, recently filed for Chapter 11 bankruptcy, and millions of customers fear the money they invested is now missing. Along with attempts to untangle the financial knot left behind by FTX, consumers and the Securities and Exchange Commission are considering the liability of celebrities who endorse cryptocurrencies. Given the current climate around cryptocurrency, California legislators may be eyeing another attempt at regulating the digital financial asset industry and protecting consumers.