Tuesday’s meeting of the California state Assembly Committee on Privacy and Consumer Protection will see lawmakers, led by committee chair Assemblymember Jesse Gabriel, consider no fewer than nine proposed bills that to some degree intersect with or affect IT, cybersecurity, privacy or process. Among the bills being considered during the 1:30 p.m. hearing:
- Assembly Bill 302, from Assemblymember Christopher M. Ward, D-San Diego, would require the California Department of Technology (CDT), by Sept. 1, 2024, to conduct a “comprehensive inventory of all high-risk automated decision systems, as defined, that have been proposed for use, development, or procurement by, or are being used, developed, or procured by, state agencies.” The inventory would have to include a description of, “among other things, the categories of data and personal information the automated decision system uses to make its decisions.” By Jan. 1, 2025, CDT would also have to submit a report on the inventory to the Legislature. Specifically, the inventory would have to cover any decisions the automated system “can make or support” and the intended benefits of that use; the results of any research on the “efficacy and relative benefits” of the use of that system; the categories of data and personal information used by the system in its decisions; and the measures in place to mitigate risk, including “cybersecurity risk and the risk of inaccurate, unfairly discriminatory, or biased decisions” by the system. AB 302 would define an automated decision system as a “computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation,” that is used to “assist or replace human discretionary decision-making and materially impacts natural persons.” A high-risk automated decision system would be defined as a system that is used to “assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.”
- AB 749, from Assemblymember Jacqui Irwin, D-Thousand Oaks, would require state agencies, by Jan. 1, 2025, to put in place “specified actions” regarding “data, hardware, software, internal systems, and essential third-party software, including multifactor authentication for access to all systems and data” owned, managed, maintained or utilized by or on behalf of the agency. State agencies would also have to “implement a Zero Trust architecture ... and prioritize” solutions that comply with, are authorized by or align to “federal guidelines, programs, and frameworks.” The chief of the Office of Information Security within CDT would, by Jan. 1, 2024, have to “develop uniform technology policies, standards, and procedures” for use by all state agencies regarding “Zero Trust architecture and architecture, including multifactor authentication” on all systems in the State Administrative Manual and the Statewide Information Management Manual. The bill would also authorize the chief to update the requirements of existing annual reporting activities to capture information on the progress agencies are making in strengthening internal system defenses and toward these “specified goals.”
- AB 386, from Assemblymember Stephanie Nguyen, D-Elk Grove, would modify the California Right to Financial Privacy Act which, generally, “provides for the confidentiality of, and restricts access to, the financial records of people who” do business with or use the services of “financial institutions or for whom a financial institution has acted as a fiduciary.” Specifically, it would expand from 30 days to 90 days before or after the date an “alleged illegal act” occurred, during which period banks, credit unions, or savings associations can provide a statement of information on a customer account to law enforcement — provided they certify a “crime report has been filed.”
- AB 522, from Assemblymember Ash Kalra, D-San Jose, would update the Electronic Communications Privacy Act’s provisions on the extent to which a state department can obtain “electronic communication information from a service provider.” It would authorize a department to “use an administrative subpoena to obtain electronic communication information from a service provider” if specified conditions are met, including that the department has already served the customer with notice of the administrative subpoena and included a copy of it. The bill would require a service provider to copy “any electronic communication information” within the subpoena’s scope and retain it until the “information is disclosed ... or the subpoena is quashed or modified,” and the provider would have to keep a record of any such disclosure for five years.
- AB 801, from Assemblymember Joe Patterson, R-Rocklin, would update existing law, including the Early Learning Personal Information Protection Act and the Student Online Personal Information Protection Act, on students’ personally identifiable information. It would require the operator of an Internet website, online service, online application or mobile application to “delete a preschool, prekindergarten, or K–12 student’s covered information” if the student or their parent or legal guardian requests that it be deleted, or if the student no longer attends the school or district. It would authorize that operator to “require documentation” that the student no longer attends.