Sept. 13 was the Legislature’s last day to pass bills, which Gov. Gavin Newsom now has until Oct. 13 to sign. That includes updates to the California Consumer Privacy Act (CCPA), approved last year but refined during this past session; and other cybersecurity bills. In an interview with Techwire, Assemblymember Jacqui Irwin, D-Thousand Oaks, discussed the Legislature’s “tweaks” to the CCPA, her own accomplishments in technology and what happens next year. Among the takeaways:
• Assembly Bill 874, which updates the 2018 CCPA, cleared the statehouse Sept. 12 and is poised for a signature. It would redefine personal information as information that “identifies, relates to, describes, [or] is reasonably capable of being associated with” a person or household; and would define “publicly available” as information “lawfully made available” from state, federal or local records. The bill would also specify that “personal information” does not include de-identified or aggregate consumer information. Key issues, said Irwin, who introduced the bill this session, were ensuring the CCPA still covers publicly available information, and including Obama-era definitions of personally identifiable information — originally part of AB 873 — and “de-identified,” both of which should make implementation clearer.
“I think we worked very hard to make sure that people understood that some of the language in there could have unintended consequences of not being pro-privacy, and I think these two issues addressed those,” Irwin said.
• AB 1043 and 1044, which she also introduced, dealt with cybersecurity and were signed into law by Newsom in July. AB 1043 gives political campaigns more firepower on cybersecurity — clarifying state law to let them use campaign funds “to bolster cybersecurity protection for personal devices and accounts,” according to a news release. It follows a similar Federal Elections Commission advisory opinion in December. AB 1044 beefs up requirements for those applying to access voter data, including campaigns, journalists and academics — requiring them to complete a free course on data security.
• AB 1242 was another story. After an Assembly hearing on cybersecurity last month, prompted by the July 16 release of a high-risk audit by the State Auditor’s Office that found numerous weaknesses in more than 30 state-level entities, Irwin said she found the auditor’s recommendations in line with her own bill — which then stalled in the state Assembly Committee on Appropriations. She and Assemblymember Ed Chau, D-Monterey Park, her co-chair of the Assembly Select Committee on Cybersecurity, contemplated trying to move the bill forward.
The lawmakers decided against “a jailbreak out of Appropriations,” but Irwin said conversations with other legislators as well as with the California Secretary of State’s Office and the Office of the Attorney General revealed a degree of interest — so the matter will likely return next year.
• The CCPA, which will affect nearly all businesses in the state in some way, could well come up in 2020 too, as legislators watch its effects after it becomes law Jan. 1.
“Again, we need to make sure that the CCPA is as workable as possible," Irwin said. "Big companies have the resources to comply. We just want to make sure the mom-and-pop’s or the coffee shops are also able to comply.”
