But a handful of legislation that cleared the Legislature or stalled, and was signed by Gov. Gavin Newsom or vetoed, could offer some clues for what legislators may introduce when their houses reconvene Jan. 6:
• A product of the 2018 Legislature, the California Consumer Privacy Act will finally take effect Jan. 1, after Assembly members and state senators devoted the 2019 session to refining the landmark bill. Assembly Bill 874 updated the 2018 CCPA. Among the highlights, it redefined personal information as information that “identifies, relates to, describes, [or] is reasonably capable of being associated with” a person or household. It also defined “publicly available” as information “lawfully made available” from state, federal or local records. AB 874 also specified that “personal information” should not include de-identified or aggregate consumer information.
Before Jan. 1, however, staffers at the Office of the Attorney General (OAG) must write the law that will underpin the CCPA. Those draft regulations were released in mid-October and are now in a public comment period that ends at 5 p.m. Dec. 6. The OAG will hold public hearings on the proposed law Dec. 2 in Sacramento, Dec. 3 in Los Angeles, Dec. 4 in San Francisco, and Dec. 5 in Fresno. Meanwhile, developer and activist Alastair Mactaggart, the original force behind CCPA, is mounting an initiative to create a data privacy bill of rights.
• Newsom has signed AB 1202, from Assemblymember Ed Chau, the Monterey Park Democrat who's the co-chair of the Assembly Select Committee on Cybersecurity. The bill, which also takes effect Jan. 1, defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship,” and requires data brokers to register with and provide information to the OAG. AB 1202 also requires the OAG to make those details available on its website – and makes those that don’t register potentially subject to injunctions and civil penalties and fees. The registration deadline is Jan. 31.
“As an industry, data brokers have existed in the shadows and have largely been able to operate outside of any meaningful regulation, and until recently, public scrutiny," Chau told Techwire in an email. "The intent of this bill is to provide accountability. It is targeted at businesses that have no direct relationship to the consumer and have historically had no reason to make the public aware of their existence.” The lawmaker, who's a member of the California Legislative Technology and Innovation Caucus, indicated the bill is “about educating consumers” and “trying to create a tool that will help individuals to exercise their rights under California law.”
• Assemblymember Jacqui Irwin, D-Thousand Oaks, introduced AB 874 but that wasn’t her only endeavor in the area of technology. Irwin introduced AB 1043, which clarifies state law to let campaigns use campaign funds “to bolster cybersecurity protection for personal devices and accounts. She also introduced AB 1044, which strengthens requirements for people who apply to access voter data, including campaign staffers, reporters and education types — mandating they complete a free course on data security. Newsom signed both into law in July.
However, it remains to be seen whether Irwin will reintroduce AB 1242, which would generally have required virtually every state office to submit actual and projected IT, telecommunications and cybersecurity costs to the California Department of Technology (CDT); and require them to comply with Office of Information Security policies and procedures. The bill stalled in the state Assembly Committee on Appropriations. Irwin and Chau decided against a “jailbreak” out of committee after the July 16 release of a risk audit by the State Auditor’s Office that found numerous weaknesses in more than 30 state-level entities, but the legislation could return in 2020.
• Bakersfield Democrat Assemblymember Rudy Salas also had mixed results in tech legislation -- but it's not yet clear what he has planned for 2020. His own AB 971 cleared the statehouse and has been signed by the governor. It would require state agencies that contract for IT services to do post-evaluations on contracts totaling $500,000 or more, Salas's office said in a news release. His AB 594, which would have authorized CDT Director Amy Tong to designate a CDT position to look at uses of artificial intelligence in state government – and adopt guidelines for its use in state government by 2021 – also cleared the statehouse, but drew a Newsom veto.
CDT is “currently responsible for evaluating and leveraging new technologies” including AI and providing enterprise-wide solutions for “digital service delivery,” Newsom said in his veto message, adding: “The newly established Future of Work Commission is broadly examining the impact of artificial intelligence on work and our economy.” Salas told Techwire via email that he believes there’s more work to be done in technology and privacy legislation.
“As emerging technologies evolve and become more intertwined with our daily lives and with how people interact with government, I think there is more and more interest and attention paid to how we can create appropriate guardrails and streamlining, to make sure that technology is working to improve government and improve the lives of people. This is an area that I will continue to focus on in the years ahead,” Salas said.
