The last day for California Governor Gavin Newsom to sign or veto bills passed by the legislature was 14 Oct., concluding the busiest year for California lawmakers since 2007. Of the more than 2,600 bills introduced this session, approximately 1,000 were sent to Newsom's desk. After the dust settled, the governor signed nine privacy bills, including two California Consumer Privacy Act amendments. Other pertinent bills addressed topics like child sexual abuse material, data brokers, digital health data and abortion services.

These bills fit in context of greater trends nationally and portend future trends to watch in the 2024 session. The California Privacy Legislation Tracker in the IAPP Resource Center provides a comprehensive look at these bills in addition to others not adopted or detailed below.

Data brokers in the spotlight

The Delete Act, or Senate Bill 362, was signed into law 10 Oct. California lawmakers acted upon concerns over the processing of commercial data, many of which are described and criticized at length in the Federal Trade Commission's 2014 report on the industry. California, along with Oregon, Vermont and Texas, already imposed registration requirements on data brokers, but it amended its data broker law to require the California Privacy Protection Agency to create a "one stop shop" deletion mechanism through which consumers can request that all registered data brokers delete their personal information.

The U.S. Congress has also targeted the data broker industry. Both Section 206 of the American Data Privacy and Protection Act and the Data Elimination and Limiting Extensive Tracking and Exchange Act, if passed, would prescribe a similar deletion mechanism and impose similar requirements to those found in California's new law.

Reproductive health data protections predominate

Digital health data remains salient in post-Dobbs America, and California is no exception. With Assembly Bill 254, lawmakers amended the Confidentiality of Medical Information Act to extend the definition of medical information to include "information about a consumer's reproductive or sexual health collected by a reproductive or sexual health digital service."

Likewise, AB 1194, approved by the governor on 8 Oct., requires businesses to comply with the obligations imposed by the California Privacy Rights Act for all consumer personal information "related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services."

As noted following the proposal of these bills, California has followed a national trend towards enhanced protection for consumer health data. Washington state's expansive My Health My Data Act passed in April and filled many of the health data protection gaps not covered by the Health Insurance Portability and Accountability Act. Nevada followed suit with SB 370, modeled after Washington’s MHMDA. In June, Connecticut similarly revised its comprehensive consumer privacy law with Public Act No. 23-56, which introduced a new definition of consumer health data with additional restrictions and obligations.

At the federal level,  HR 3420 and S 1656, or the My Body, My Data Act of 2023, were introduced "to protect the privacy of personal reproductive or sexual health information," with intentions akin to the aforementioned state bills, but these bills are unlikely to pass out of committee.

The platform regulation battle rages on

Lawmakers introduced several bills to address online safety and platform liability but ultimately were only able to come to consensus on AB 1394, taking social media platforms to task over "knowingly facilitating, aiding, or abetting commercial sexual exploitation" of children. The legislation carries hefty fines for violations and requires social media companies to create reporting systems and conduct regular risk assessments and reports on how platforms are addressing child sexual exploitation and abuse. Onlookers opined that AB 1394 may be challenged by Section 230 of the Communications Decency Act, the First and Fourth Amendments, or other reporting laws.

Focus on online safety follows a multiyear trend toward platform accountability that has included several federal proposals and, in California, 2022's Age-Appropriate Design Code, which imposed heightened compliance requirements on companies offering online services "likely to be accessed by children." The AADC, itself modeled after a U.K. bill of the same moniker, was enjoined by a federal judge over concerns about First Amendment violations. California Attorney General Rob Bonta appealed this injunction. Prior to its 1 Jan. 2025 implementation date, AB 1394 will likely face similar legal challenges considering vocal opposition from industry advocacy groups Netchoice and TechNet.

Additional privacy bills

Several other bills pertinent to privacy professionals were signed into law in 2023.

Citizenship and immigration status. AB 947 expands the CCPA's definition of sensitive personal information to include personal information that reveals a consumer's citizenship or immigration status.

State agencies' automated decision systems. AB 302 requires the Department of Technology to inventory all high-risk automated decision systems used by state agencies. This law continues California's ongoing regulatory concern surrounding automated decision-making most recently seen in the CPPA's anticipated rulemaking process.

In-vehicle cameras. SB 296 imposes restrictions and prohibitions on the retention, use and sale of images or video recordings collected from in-vehicle cameras. This law follows heightened regulatory scrutiny over privacy practices of connected vehicles.

A look ahead to 2024

As Congress turns much of its attention to artificial intelligence, California, too, will surely see a spate of bills introduced intended to mitigate potential harms posed by AI. The fevered AI discourse may fail to produce federal legislation, akin to how privacy legislation stalled despite some federal lawmakers expressing sentiments otherwise, leaving states to fill the gaps. Indeed, some states have begun to do so, most notably Connecticut. Perhaps none is better positioned to regulate AI than California, with its proximity to major industry players and the CPPA ready at the helm to regulate.  

While litigation over the AADC continues, lawmakers will continue to home in on children's online safety, a banner issue for several assembly members. Other legislative subjects that may find their way into the conversation include content moderation, connected smart devices, including a continued focus on connected vehicles, and, of course, further tweaks to the CCPA.

The legislature will likely pick up in 2024 where it left off in 2023 with its blistering pace of activity. While 2024 will be the second year of this current session, and thus will see fewer bills introduced than in 2023, California lawmakers will undoubtedly continue to innovate in privacy, AI, tech and beyond.