The New California Privacy Laws
With the passage of the California Consumer Privacy Act (CCPA) in 2018, the Golden State established itself as a leader when it comes to state privacy laws. On January 1, the California Privacy Rights Act (CPRA) amendments to the CCPA went into effect, expanding consumer privacy rights and obligations for businesses. California continues to be a trailblazer on the privacy front, passing several new laws in the 2023 legislative session.
Here is a look at the new California privacy laws.
The Delete Act
Senate Bill 262, also known as the Delete Act, gives consumers more online privacy rights and places new obligations on data brokers. This law also tasks the California Privacy Protection Agency (CPPA) with developing a method for consumers to request that all registered data brokers delete their personal data. This “one-stop shop” will be operational on January 1, 2024. The CCPA gives consumers data deletion rights, but they currently must make a request to each broker or business individually.
Requirements for the deletion mechanism developed by the CPPA include:
- Available online
- Free for consumers to use
- Provide consumers with an option to selectively exclude certain data brokers from deleting their personal data
Data brokers will have 45 days to honor deletion requests.
Assembly Bill 254 amended the Confidentiality of Medical Information Act (CMIA) to expand the definition of medical information to include data about a consumer’s reproductive or sexual health collected by a reproductive or sexual health digital service. The CMIA prohibits healthcare organizations from intentionally sharing, selling, using for marketing, or otherwise using any medical information for any purpose not necessary to provide healthcare services to a patient.
Assembly Bill 1194 expands the CPRA to cover personal information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.
Citizenship and Immigration Data
Assembly Bill 947 expands the CCPA’s definition of “sensitive personal information” to include a consumer’s citizenship or immigration status. This gives consumers the right to restrict how businesses process and share that information and imposes additional transparency obligations on businesses.
Automated Decision Systems Inventory
Assembly Bill 302 requires the state’s Department of Technology to produce a comprehensive inventory of all high-risk automated decision systems that have been proposed for use or are being used by state agencies no later than September 1, 2024. The inventory must include a description of the categories of data and personal information the automated decision system uses to make its decisions. Beginning in 2025, the Department of Technology will provide annual reports on the inventory to specified committees of the Legislature.
The bill defines automated decision systems as “a computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural persons.”
High-risk automated decision systems are defined as “an automated decision system that is used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.”
Senate Bill 296 prohibits any images or video from an in-vehicle camera from being used for any advertising purpose or being sold to or shared with any third party. The bill prohibits any recordings from an in-vehicle camera from being retained at any location other than the vehicle itself or being downloaded or retrieved by anyone other than the person who owns or leases the vehicle.
We assume 2024 will be as busy as 2023 from a legislative perspective. There are additional regulations being finalized by the CPPA as we write this blog. Further, AI continues to be a topic of conversation in the US and abroad. California is a leader in the data privacy space, and we assume we will see bills surrounding the regulation of AI, the protection of children’s personal information, and more.
CompliancePoint has a team of privacy experts that can help your organization comply with the new California privacy laws, GDPR, CCPA, CPRA, and all relevant state privacy laws. Contact us at email@example.com to learn more.