California Eyes Groundbreaking Privacy and Cybersecurity Legislation
In California, home to Silicon Valley, Biotech Beach, drones and some of the nation’s strongest laws protecting personal and consumer privacy, legislators are grappling with how to balance popular innovations in technology against growing privacy concerns. California has always proactively addressed technology and related concerns, often in advance of other U.S. states, and is notorious for setting precedents at the state level. Given the threat of cybersecurity risks and the importance of data protection in our economy and personal lives, other states will likely pursue similar measures in the near future. For now, eyes are on California as it addresses these concerns. Companies in the technology sector, and California residents, would be remiss to ignore the activities taking place in Sacramento.
Since the new legislature reconvened in January, the halls of the California State Capitol have been abuzz with discussions about privacy protection from drones, smart phones, on-board vehicle computers and television sets. While the details of some bills are forthcoming, the increased focus on privacy is undeniable and bipartisan.
In December, Assembly Speaker Toni Atkins (D-San Diego) created the new standing Committee on Privacy and Consumer Protection and appointed Assemblymember Mike Gatto (D‑Glendale) as chairman. The committee maintains jurisdiction over issues pertaining to online privacy and cybersecurity, such as the security of medical, financial, educational, and personal data and information. Chairman Gatto has teamed up with Sen. Ted Gaines (R‑Roseville) to introduce a bipartisan package of bills dubbed the California Privacy & Consumer Protection Act (the “Act”). The Act includes measure AB 1116, prohibiting the sale of so-called “smart televisions” with voice recognition technology capable of recording or transmitting audio recordings to the manufacturer or a third party, except for the specific voice commands necessary to operate the voice recognition technology, or recordings of search terms made while the technology is enabled. The California attorney general or any California district attorney would be authorized to enforce the measure’s provisions with penalties of up to $2,500 per television per violation.
The Act also seeks to protect driver-data privacy by prohibiting the California Air Resources Board and other public agencies from gathering information from any on-board vehicle diagnostic system required for the state’s smog-prevention program, such as a vehicle’s location or driving speed (SB 206).
Other measures expected to be introduced as part of the package include a bill stipulating that law enforcement body camera footage taken inside private homes where there is no arrest cannot be considered public data or be subject to the California Public Records Act. Also under consideration is establishing a “reasonably prudent” minimum standard for the encryption of personal information.
According to Gaines, the measures aim to address challenges facing Californians in “a data economy.” “Our lives are 100-percent online now, from baby pictures to Social Security numbers, [personal identification] numbers and medical records—all targets for potential abuse,” Gaines told a press conference. “Our privacy is under assault from a million directions, and we need to build a fortress to protect that data.”
The Act is not the only proposal making waves in California. The use of geolocation data from mobile applications is the subject of SB 576, introduced by Sen. Mark Leno (D-San Francisco). The measure would require operators of mobile applications to inform consumers when, how and why their geolocation information will be collected, used and shared upon installation of the application. The bill would also require the operator of a mobile application to obtain consent from the mobile device owner before collecting or using geolocation information and to obtain separate consent before disclosing that information. The measure has already drawn opposition from at least one major industry trade association.
Leno is also the author of SB 178, the California Electronic Communications Privacy Act, which requires law enforcement to obtain a search warrant before accessing a person’s digital information, including PIN numbers, passwords, text messages, geolocation information, social media content, photos, financial and medical records, and contacts, except in cases of emergency as defined under the bill.
Privacy issues raised by the increasing popularity of unmanned aerial vehicles, or drones, are also on the minds of legislators, as evident at a February 17 California Senate Judiciary Committee hearing titled, “Drones: Is California Law Ready? The Potential, the Perils, and the Impact to Our Privacy Rights.” Committee Chair Hannah Beth Jackson (D-Santa Barbara) has introduced legislation (SB 142) aimed at protecting individual privacy by prohibiting the unauthorized use of drones over private property without permission. The measure clarifies that long-standing California law on private property and trespassing and resulting damages applies to the operation of unmanned aerial vehicles.
“Drones have a lot of potentially useful and extremely innovative uses. But invading our privacy and property without permission shouldn’t be among them,” said Jackson in a statement.
In addition, Gaines has introduced legislation (SB 271) that would prohibit the use of drones over school grounds, unless there is a public safety emergency.
Several measures introduced would place tight limits on the use of drones by government agencies. AB 37 by Assemblymember Nora Campos (D-San Jose) and AB 56 by Assemblymember Bill Quirk (D-Hayward) would enact stricter definitions of the circumstances under which state or local agencies may use or contract for the use of drones. The measures require affected agencies to provide the public with reasonable notice in advance of the use of drones. They would classify some images, data and footage as public records, subject to disclosure under California’s Public Records Act, and would require the destruction of images, footage or data obtained through a drone within one year. Further, the measures prohibit a person or public entity from equipping or arming a drone with a weapon or any harmful device that can be carried by or launched from a drone.
SB 262 by Sen. Cathleen Galgiani (D-Stockton) would grant defined law enforcement agencies specific authorization to use an unmanned aircraft system if the use of the drone system complies with protections against unreasonable searches guaranteed by the U.S. Constitution and the California Constitution, federal law applicable to the use of drones and state law applicable to a law enforcement agency’s use of surveillance technology.
With legislative hearings beginning in earnest this month, trade associations and manufacturers impacted by these bills would be wise to get engaged early in the process. Although California is home to many technology companies, which employ thousands of people, the technology sector has often ignored Sacramento politics, sometimes at its own peril. This year, smart technology companies, among other companies, are sure to be paying close attention to the California Legislature.
If you have any questions concerning this alert, please contact:
David S. Turetsky
Michael E. Drobac