Privacy Legislation Enacted in 2018

The California Legislature considers many bills on privacy issues each year. This page summarizes some of the recently enacted bills. To get more information on the bills, go to http://leginfo.legislature.ca.gov.

Unless otherwise noted, laws go into effect January 1, 2019.

AB 324 (Kiley) Crimes: Disorderly Conduct
Existing law provides that a person who uses a camera or similar device to photograph, film, or otherwise record an identifiable person under or through their clothing, for the purpose of viewing their body or undergarments for the purpose of sexual gratification, or to record an identifiable person who is in a state of full or partial undress in an area in which they have a reasonable expectation of privacy, without their consent, is guilty of disorderly conduct, a misdemeanor. This bill would define the term “identifiable” for the purpose of these provisions to mean capable of identification, or capable of being recognized, as specified. Penal Code § 647 (amended)

AB 331 (Eggman) County Recorders: Veterans’ Records
This law requires a county recorder, upon request by a military veteran or authorized person for recordation of a military discharge document, including the DD214 (which includes Social Security number), to record the document and maintain the document in a nonpublic index. The law also requires the index of a recorded veteran’s service form DD214, if recorded after a certain date, to be moved to a nonpublic index at the request of the military veteran or a person authorized to receive a certified copy. The law permits only the military veteran or the person authorized to receive a certified copy of a record under existing law to receive a copy of the recorded document contained in the nonpublic index. Government Code § 27337(amended)

AB 375 (Chau) California Consumer Privacy Act of 2018
This law grants Californians several rights over their personal information collected or maintained by businesses that meet certain thresholds. The rights include the right to know what personal information a business holds about a consumer and whether the business sells or discloses personal information to third parties; the right to have personal information deleted by a business; the right to opt out of the sale of personal information by a business; and a private right of action for data breaches, subject to specified requirements. Businesses are required to inform consumers of these rights and are prohibited from discriminating against consumers for exercising them. The law also requires the Attorney General to adopt regulations to further its purposes. This law will go into effect on January 1, 2020. Civil Code §§ 1798.100–1798.198

AB 748 (Ting) Disclosure of Video and Audio Recordings
This law allows video or audio recordings held by agencies to be exempted from disclosure under the California Public Records Act if disclosure would violate the reasonable expectation of privacy of a subject in the recording in a manner that clearly outweighs the public interest in disclosure. This law will go into effect on July 1, 2019. Government Code § 7927.5 (amended)

AB 1751 (Low) Controlled Substances: CURES Database
This law requires the Department of Justice (DOJ), no later than July 1, 2020, to adopt regulations regarding the access and use of the information within the Controlled Substance Utilization Review and Evaluation System (CURES) by consulting with stakeholders, and addressing certain processes, purposes, and conditions in the regulations. The law authorizes the DOJ, once final regulations have been issued, to enter into agreements to share prescription records between CURES and the state's prescription drug monitoring program (PDMP) and other databases across state lines, with a requirement that other states meet California's patient privacy and data security standards. Civil Code § 1798.24 (amended) Health and Safety Code § 11165 (amended)

AB 1859 (Chau) Reasonable Security Measures for Consumer Credit Reporting Agencies
This law requires consumer credit reporting agencies that own, license, or maintain the personal information of California residents, or a third party that maintains this information on behalf of a consumer credit reporting agency, to take reasonable measures to protect that data, including by implementing software updates available to address security vulnerabilities. Civil Code § 1798.81.6

AB 2322 (Daly) DMV Records Confidentiality
This law provides that the confidentiality of home address information in DMV records of certain public officials including judges is extended to retired judges and court commissioners. Violation of these provisions with respect to a judge or court commissioner, or the spouses or children of these persons, is a felony. Vehicle Code § 1808.4

AB 2511 (Chau) Protection of Personal Information Used to Verify Age
This law requires businesses to take reasonable steps to verify the age of consumers for specified products. The law prohibits businesses from using, retaining, or disclosing the information provided for verification of age for any other purpose other than to comply with federal, state, or local law. It will go into effect on January 1, 2020. Civil Code § 1798.99.1

AB 2620 (Ting) Rental Car Customer Information
This law allows rental car companies to use, access or obtain information relating to a renter’s use of a rental vehicle obtained using electronic surveillance technology when the vehicle has not been returned following 72 hours after the contracted return date or end of any extension. It requires the company to provide notice to the consumer. It also authorizes a company to send renters communications electronically, as specified. Civil Code §§ 1939.23 (amended), 1939.22

AB 2769 (Cooper) Use of Driver’s License or Identification Card Scans
This law prohibits a business that scans a driver’s license or identification card from using or maintaining the scanned information for any purposes other than prescribed verification or informational purposes under the law. This law will go into effect on January 1, 2020. Civil Code § 1798.90.1 (amended)

AB 2813 (Irwin) Cybersecurity Integration Center
This law establishes by statute the California Cybersecurity Integration Center (Cal-CSIC) within the Governor’s Office of Emergency Services, with representatives of specified state agencies and others. Cal-CSIC is required, among other things, to coordinate with the California State Threat Assessment System and the United States Department of Homeland Security, establish a cyber incident response team, and to share information in a manner that protects the privacy and civil liberties of individuals. Government Code § 8586.5

AB 3067 (Chau) Online Advertising to Minors
This law prohibits an operator of a website, online service, online application, or mobile application directed to minors, or an advertising service that is notified by an operator that the site, service, or application is directed to minors, from marketing or advertising any cannabis, cannabis product, cannabis business, or cannabis-related instrument or paraphernalia. It also prohibits an operator from knowingly using, disclosing, or compiling, the personal information of a minor for the purpose of marketing or advertising any such product. Business and Professions Code § 22580 (amended)

AB 3229 (Burke) Financial Privacy
This law adds the Department of Justice to the list of agencies that may receive financial records from a financial institution, provided that a crime report involving fraud has been filed. Government Code § 7480 (amended)

SB 244 (Lara) Disclosure of Personal Information
This law limits the collection and disclosure of information obtained by a local or state agency for purposes of issuing a local identification card, driver's license, or the administration of public services, as specified. Government Code § 53170, Vehicle Code §§ 12800.7 and 12801.9 (amended), Welfare and Institutions Code § 17852

SB 327 (Jackson) Connected Device Information Security Requirements
This law requires manufacturers of devices capable of connecting to the Internet to equip the devices with reasonable security features. The device security features must be appropriate to the nature and function of the device, appropriate to the information the device collects, and designed to prevent unauthorized access. This law will go into effect on January 1, 2020. Civil Code §§ 1798.91.04 –1798.91.06

SB 1036 (Wilk) Schools: Personal and Directory Information in Minutes of Meetings
This bill prohibits a local educational agency from including the directory information or the personal information of a student or a parent in the minutes of a meeting of its governing body. Education Code § 49073.2

SB 1121 (Dodd) Amendments to California Consumer Privacy Act of 2018
This law makes changes to the California Consumer Privacy Act of 2018. This law clarifies that consumers’ private right of action is limited to violations related to unauthorized access to or disclosure of personal information. This law specifies that it does not restrict the ability of businesses to comply with federal, state, or local law in a variety of industries, including banking and healthcare. This law modifies the requirement for businesses to disclose to consumers the consumers’ right to delete personal information, so that the disclosure must be in a form reasonably accessible to consumers. This law will go into effect on January 1, 2020. Civil Code §§ 1798.100–1798.198 (amended) and Civil Code § 1798.199

SB 1194 (Lara) Privacy: Lodging and Common Carriers
This law prohibits places of lodging, bus companies, movie theaters, sports arenas, and performance venues from disclosing the name or identifying information of guests, passengers, or audience members, except to California peace officers or in response to a court-issued subpoena, warrant, or order. Civil Code § 53.5

SB 1196 (Jackson) Removal of Personal Information Unlawfully Used in Business Entity Filings
This law allows a person who has learned that his or her personal identifying information has been used unlawfully in a business entity filing to petition a court to redact or label to show the data is impersonated and to order the removal of, or label, the personal identifying information from publicly accessible electronic indexes and databases. Civil Code §§ 1798.200–1798.202