Multiple privacy bills were introduced in California on or just before February 18, 2022, the last day for bills to be introduced in the legislature’s current session.
The most noteworthy of the bills is a pair – both introduced by the same Assembly member – that would extend the California Privacy Rights Act’s (“CPRA”) exemptions relating to employee personal information and personal information obtained in a business-to-business context. Those exemptions are currently scheduled to sunset on January 1, 2023. AB 2871 would extend the exemptions permanently while AB 2891 proposes to extend those exemptions through January 1, 2026. Three other bills – SB 1388, SB 1454, and SB 1395 – would make minor, non-substantive changes to the CPRA.
Another bill, SB 1172, proposes to add Section 1798.101 to the CPRA, which “would prohibit a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information except to the extent necessary to provide those proctoring services.” The bill would allow an impacted consumer to bring a civil action against the proctoring business for violating the privacy requirements. This private right of action contemplates liquidated damages of the greater of $1,000 per consumer per incident or actual damages, injunctive or declaratory relief, and/or reasonable attorneys’ fees and costs, including expert witness fees.
Two of the proposed bills relate to children’s privacy. The first, AB 2486, would provide for the creation of the Office for the Protection of Children Online. The purpose of the office would be to ensure “that digital media available to children in this state are designed, provided, and accessed in a manner that duly protects the privacy, civil liberties, and mental and physical well-being of children, as prescribed.” The bill would make an appropriation of funds. The second, AB 2273, is the California Age-Appropriate Design Code Act. This “bill would require a business that creates goods, services, or product features likely to be accessed by children to comply with specified standards, including considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature, and providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product feature. The bill would prohibit a business that provides a good, service, or product feature likely to be accessed by children from taking proscribed action, such as collecting or using data it collects on consumers who are children.” The bill proposes a commencement date of July 1, 2024. It would also require the establishment of the “California Children’s Data Protection Taskforce to evaluate best practices for the implementation of these provisions, and to provide support to businesses, as specified.”
It remains to be seen whether any of these bills will move forward. According to the legislative calendar, May 27, 2022, is the last day for a bill to be passed in the chamber in which the bill was introduced, and August 31, 2022, is the last day for final legislative passage of a bill in the session.
Jim Shreve is the chair of Thompson Coburn's Cybersecurity group and has advised clients on cybersecurity and privacy issues for over 20 years. Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about data privacy litigation and regulatory risks. Libby Casale is an associate in Thompson Coburn’s Business Litigation group.