[co-author: Hilary Higgins]
In our third California Privacy Update, we continue to closely follow potential privacy law updates in California. You can find our most recent update here.
California Looks to Expand Definition of “Data Brokers” and to Add Reporting Requirements
Earlier this month, the California Senate's Judiciary Committee voted, 9 to 1, to advance S.B. 1059, which expands the definition of a "data broker" under the existing data broker law and increases reporting requirements for data brokers that are required to register with the federal government. The bill has been re-referred to the Senate Appropriations Committee, where it awaits review.
California currently defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The new bill revises this definition to also include businesses that "share" personal information about California residents with third parties with whom a business does not have a direct relationship. In so doing, the bill updates the data broker law to match the California Privacy Rights Act (“CPRA”).
California's proposal also creates new disclosure requirements for data brokers and notes that data brokers should register with the California Privacy Protection Agency, instead of with the California Attorney General. Under the bill, a data broker must provide information on whether it has been breached, including details of such breach, and whether it collects data on minors. Data brokers would also need to provide instructions to consumers on how to exercise their privacy rights, such as the right to delete, the right to correct personal information, and the right to opt out. The proposal also doubles the fines for failing to register under the law, from $100 to $200 per day.
Since S.B. 1059 directs the California Privacy Protection Agency to adopt regulations to further the data broker provisions, more requirements will doubtless be added in the future if the bill becomes law.
California Proposal Would Create Employee Data Rights
The California Workplace Technology Accountability Act (AB-1651) aims to impose requirements on employers, and their vendors, regarding the use of worker data. The proposal grants workers certain data rights, including the right to access and correct their data. Employers that control the collection of worker data would be required to inform workers, at or before the point of collection, of how the employer plans to collect and use worker data. For example, employers must inform workers about the categories of data to be collected, whether and how the data will be used in employment-related decisions, whether the data will be deidentified or used at the individual or aggregate level, and whether the information will be disclosed to vendors or third parties, among other notification requirements. The bill also imposes restrictions on how employers can collect, store, analyze, or interpret worker data, and mandates that employers maintain data security protections. Additionally, the proposal outlines requirements for the use of data associated with digital monitoring and Automatic Decision Systems. The bill has been re-referred to the Assembly's Committee on Privacy and Consumer Protection.
If passed into law, the privacy obligations created by AB 1651 for employers would be in addition to those required under the CPRA, once the CPRA's exemption for employee data expires on January 1. There are currently proposals in the California legislature to expand the employee (and B2B) exemption under the law, but it is unclear if these will pass before January 1.
California Privacy Protection Agency Continues to Hold Pre-Rulemaking Sessions
As we previously wrote, the California Privacy Protection Agency is holding informational sessions on the CPRA to gear up for formal rulemaking. We anticipate formal (and final) rules by this fall, which means that businesses will not have much time to implement the specific requirements of the law before its effective date of January 1, 2023. We will continue to track updates on this front.