The first half of the California 2017–2018 legislative session is drawing to a close, which means that the roster of privacy and data security bills likely to make it into law this year is becoming clearer. Any bill introduced this year had to be passed by its house of origin by June 20, and must then be passed by the other house no later than September 15, 2017, or the process is required to start over again next year. The following bills made it over the first hurdle and are awaiting action by the second house.
Broadband and consumer privacy: In March 2017, Congress reversed Obama-era regulation that imposed limits on the right of internet service providers (ISPs) to gather, use and sell personal data they obtain in the course of providing ISP services. Since then, many state legislatures have rushed to fill the breach, including California. AB 375 would prohibit ISPs from using, disclosing or selling customer personal information absent affirmative opt-in consent. The bill would not prohibit use and analysis of aggregate data, and contains the usual exceptions for law enforcement uses or subpoenas. AB 375 passed the Assembly on May 11 and is awaiting assignment to the appropriate Senate committee for further action.
Law enforcement surveillance: SB 21 would require law enforcement agencies to develop policies about how they use surveillance technology and disclose those policies in open meetings. It passed the Senate on May 21 and now is awaiting action in the Assembly.
State sharing of immigration data with the federal government: Two pending privacy bills are best understood as part of the California pushback against the Trump administration’s immigration policies. SB 31 would bar state agencies from providing federal authorities with information on religious affiliation obtained in the course of their administrative functions, while SB 244 would require that state agencies like DMV, educational institutions and medical services providers use personal information that they gather, especially information on immigration status, only for their normal regulatory or administrative purposes and not share such information with the federal government. SB 31 passed the Senate on April 3 and SB 244 on June 1, 2017. Both are now awaiting action in the Assembly.
Naked people: Existing law makes it a misdemeanor to use a concealed device to make a video recording of a naked person or someone in a state of “partial undress,” or to record images “through or under” clothing. SB 784 would allow imposition of a $1000 fine on top of existing penalties for a violation of that provision, and include the cost incurred by the victim in removing such images from the internet in calculating the amount of restitution due to the victim. The bill passed the Senate on June 1, 2017, and is awaiting action in the Assembly.
Internet of Things: Finally, one bill that did not make it over the hurdle this year is SB 327. That bill would have attempted to regulate collection of personal data by devices in the “Internet of Things.” The so-called “teddy bears and toasters” act would require consumer devices that can both collect personal data and connect to the internet to have point of sale warnings as well as real-time disclosure whenever the device is transmitting personal data. The bill has been withdrawn from further consideration in 2017 but is likely to be brought up for reconsideration in the second half of the current session, in 2018.