With the promulgation of the California Consumer Privacy Act of 2018 (“CCPA”), California has continued its role in pushing bleeding edge privacy and data security legislation.  From the first data breach notification law back in 2003, to the first IoT data security law in 2018, it seems that California will continue to lead the US (and the world) in regulating this space. Lest you think the State is finished, we have been monitoring additional privacy and data security legislation percolating in California.  Some of the legislation relates to amending the CCPA, but there are also bills addressing new areas.  Below, we provide a brief overview of some of the pending legislation that would likely have the greatest business impacts. 

Data Brokers to Self-Identify

In an attempt to identify those businesses that sell information, Assembly Bill Number 1202 requires data brokers to register with, and provide certain information to, California’s Attorney General (“AG”).  In summary, this bill:

  • Defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a “direct relationship.” 
  • Requires data brokers to provide, at a minimum, their primary physical, email, and internet website addresses, as well as to pay a registration fee.
  • Imposes a $100 a day fine for data brokers that fail to register with the AG. 
  • Requires the AG to create a webpage that lists the information provided by all data brokers.

Bill 1202 creates a self-identification obligation for data brokers and creates an enforcement scheme to penalize non-compliance.  Bill 1202’s vague definition of “direct relationship” may subject the legislation to constitutional challenges.

Businesses to Disclose the Use of Facial Recognition Technology

Assembly Bill Number 1281 requires California businesses that use facial recognition technology to disclose that usage by placing a physical sign at the entrance of every location where the technology is used. 

Bill 1281 may create compliance issues for businesses that seek to protect their property through the use of facial recognition technology, but also do not want to dissuade consumers from visiting the property.  It may also affect business models that seek to use facial recognition to validate identity, secure physical spaces and allow for checkout-less shopping experiences.

Consent Requirement for Minors on Social Media Sites or Apps

If passed, Assembly Bill Number 1138 would prohibit a social media website or application from allowing a person under 16 years of age to create an account with the service unless it first obtains the consent of the individual’s parent or guardian prior to account creation.

Expansion of Personal Information Subject to Data Breach Notification

Assembly Bill Number 1130 modifies California’s data breach notification laws to include specified unique biometric data and government issued identification numbers as categories of personal information that, if acquired by an unauthorized person, trigger a notification obligation.

Specifically, Bill 1130 defines “biometric data” to include a fingerprint, retina, or iris image, or other unique physical or digital representations of biometric data. 

Substantive Amendments to the CCPA

Senate Bill Number 561 modifies the CCPA in several manners that would significantly impact businesses subject to the CCPA.  In particular, SB561 would:

  • Provide consumers with a private right of action if a business violates any CCPA consumer rights.  Presently, the CCPA only provides a private right of action for data breaches.  Violations of the privacy-related provisions currently are only enforceable by the California AG.  For example, an individual currently does not have a direct cause of action under the CCPA if a business fails to comply with consumers’ right to delete personal information. 
  • Eliminate businesses’ (and other third parties’) ability to seek the AG’s opinion on how to comply with the CCPA.  Rather, the AG would have the option — but no obligation — to provide general guidance.
  • Eliminates businesses’ 30-day grace period to cure an alleged CCPA violation brought by the AG.  The AG would be empowered to bring an enforcement action even when a business has “cured” the alleged violation.

Overall, SB561 would increase businesses’ exposure to private and public litigation under the CCPA.

Minor Modifications to the CCPA

As explored previously in cyber/data/privacy insights past posts, California’s rush to pass the CCPA led to several ambiguities in its final language.  Several proposed bills are intended to address a few of these issues:

  • Assembly Bill Number 1355 modifies the CCPA’s definition of “personal information” to specifically exclude information that is deidentified or aggregated.
  • Assembly Bill Number 1416 clarifies that the CCPA does not restrict a business’s ability to collect, use, retain, sell, authenticate, or disclose personal information in order to:  (1) comply with any rules or regulations; (2) exercise, defend or protect against legal claims; (3) protect against or prevent fraud or unauthorized transactions; (4) protect against or prevent security incidents or other malicious, deceptive, or illegal activity; or (5) investigate, report, or prosecute those responsible for protecting against fraud, unauthorized transactions, and preventing security incidents or other specified activities.
  • Assembly Bill Number 1564 amends the CCPA to require a business to make available either a toll-free telephone number or an email address for submitting consumer requests to exercise their rights.  Currently, the CCPA requires two or more contact methods, including a toll-free telephone number.  Further, for a business that maintains an internet website, Bill 1564 requires that business to implement a functionality for consumers to exercise their rights under the CCPA through the website.
  • Senate Bill Number 752 modifies the CCPA’s non-discrimination provision to: “A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by from the consumer’s data.” (Changed “by” to “from”.)  Notably, many believe that the proper amendment to this provision should be changing “provided to the consumer” to “provided to the business.”

While modifications to clarify CCPA ambiguities are a welcome development, it remains to be determined whether the legislation will take effect.


Businesses should continue to anticipate California legislative developments will affect their information practices.  The seemingly frantic pace at which California’s legislature proposes bills that affect data privacy will create opportunities and challenges.  We will continue to monitor the legislation and work with clients to address any new or changed privacy laws coming out of California.


Posted by Cooley