California Privacy Update, Part III

California Privacy Update, Part III

Blog WilmerHale Privacy and Cybersecurity Law

In our third California Privacy Update, we continue to closely follow potential privacy law updates in California. You can read our most recent update here.

California Looks to Expand Definition of “Data Brokers” and to Add Reporting Requirements

Earlier this month, California’s Senate’s Judiciary Committee voted, nine to one, to pass S.B. 1059, which expands the definition of a “data broker” under the current data broker law and increases reporting requirements for data brokers that are required to register with the government. The bill has been re-referred to the Senate Appropriations Committee, where it awaits review.

California currently defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The new bill revises this definition to also include businesses that “share” personal information about California residents to third parties with whom a business does not have a direct relationship. In so doing, the bill updates the data broker law to match the California Privacy Rights Act (“CPRA”). 

California’s proposal also creates new disclosure requirements for data brokers and notes that data brokers should register with the California Privacy Protection Agency, instead of with the California Attorney General. Under the bill, a data broker would have to provide information on whether it has been breached—along with details of such breach—and whether it collects data on minors.  Data brokers would also need to provide instructions to consumers on how to exercise their privacy rights, such as the right to delete, the right to correct personal information, and the right to opt-out.  The proposal also doubles the fines for failing to register under the law, from $100 to $200 per day. 

Since S.B. 1059 directs the California Privacy Protection Agency to adopt regulations to further the data broker provisions, additional requirements will likely be added in the future if the bill becomes law. 

California Proposal Would Create Employee Data Rights

The California Workplace Technology Accountability Act (AB-1651) aims to impose requirements on employers, and their vendors, regarding the use of employee data. The proposal grants workers certain data rights, including the right to access and correct their data. Employers that control the collection of worker data would be required to inform workers, at or before the point of collection, of how the employer plans to collect and use worker data. For example, employers would have to inform workers about the categories of data to be collected, whether and how the data will be used in employment-related decisions, whether the data will be deidentified or used at the individual or aggregate level, whether the information will be disclosed to vendors or third parties, among other notification requirements. The bill also imposes restrictions on how employers can collect, store, analyze, or interpret worker data, and mandates that employers should maintain data security protections.  Additionally, the proposal outlines requirements for the use of data associated with electronic monitoring, and Automatic Decision Systems. The bill has been re-referred to the Assembly’s Committee on Privacy and Consumer Protection.

If passed into law, the privacy obligations created by AB 1651 for employers would be in addition to those required under the CPRA, once the CPRA’s exemption for employee data expires on January 1. There are currently proposals in the California legislature to expand the employee (and B2B) exemption under the law, but it is unclear if those will pass before January 1. 

California Privacy Protection Agency Continues to Hold Pre-Rulemaking Sessions

As we had previously written about, the California Privacy Protection Agency is holding informational sessions on the CPRA to gear up for formal rulemaking. We expect formal (and final) rules by this fall, which means that businesses will not have much time to implement the specific requirements of the law before its effective date of January 1, 2023. We will continue to track updates on this front.

More from this series