The clock is ticking for California’s chief executive to put pen to paper on scores of proposed laws, including several of potential significance to technology vendors.
Gov. Gavin Newsom has until Sept. 30 — roughly two calendar weeks — to sign or veto legislation that lawmakers have passed out of the state Assembly and Senate. This year, bills targeting everything from cybersecurity to broadband to privacy have reached Newsom’s pen — or at least, his desk. One high-profile example recently received the coveted signature; here’s more on that new law and other IT-focused bills waiting in the wings:
The governor signed state Assembly Bill 2273 from Assemblymembers Buffy Wicks (D-Oakland) and Jordan Cunningham (R-San Luis Obispo). The bill creates the California Age-Appropriate Design Code Act which, the governor’s office said on Thursday, “requires online platforms to consider the best interest of child users and to default to privacy and safety settings that protect children’s mental and physical health and wellbeing.”
“As a father of four, I’m familiar with the real issues our children are experiencing online, and I’m thankful to Assemblymembers Wicks and Cunningham and the tech industry for pushing these protections and putting the wellbeing of our kids first,” Newsom said in a statement. The bill requires businesses with online services, products or features “likely to be accessed by children” to meet requirements including configuring default privacy settings to offer high privacy levels; to do a Data Protection Impact Assessment on online services, products or features provided that are likely to be accessed by children; and to submit those within five business days to the state attorney general. If the end user is a child, the bill prohibits those businesses generally from “taking proscribed action” with personal information collected unless there’s a compelling reason that it’s in the child’s best interest. It creates the California Children’s Data Protection Working Group to deliver a report to the Legislature on best practices for implementing these provisions, and authorizes the Attorney General to seek injunctive relief or civil penalties against violators.
Among the bills awaiting the governor’s signature:
State Senate Bill 717, from state Sen. Bill Dodd, D-Napa, would require the California Department of Technology (CDT) to do more oversight on broadband. By Jan. 1, 2024, it would require CDT to review and identify to legislative committees the “barriers to, and opportunities for, investment in, and efficient building of, broadband access points on private and government-owned structures and property, private and public lands and buildings, and public rights of way.” CDT would also have to review the barriers and opportunities around “access to mobile and fixed broadband Internet service infrastructure by low-income tribal, urban, and rural customers and underserved communities,” and recommend how those broadband deployments might be accomplished more swiftly.
SB 892, from Sen. Melissa Hurtado, D-Sanger, centers on cybersecurity preparedness in the food, agriculture, water and wastewater systems sectors. It would require the California Governor’s Office of Emergency Services (Cal OES) to “develop, propose and adopt optional reporting requirements” for food and agriculture industry entities and cooperatives, and “entities in the water and wastewater systems” if officials identify a “significant and verified cyber threat or active cyber attack.” Cal OES also would be required to provide a “strategic, multiyear outreach plan” to help these organizations boost cybersecurity. The bill prohibits “disclosure as a public record” of a report of cyber attack or threat that is submitted in accordance with the reporting requirements.
AB 2135, from Assemblymember Jacqui Irwin, D-Thousand Oaks, requires state agencies whose information security is not handled by the Office of Information Security to implement Federal Information Processing Standards and National Institute of Standards and Technology standards for information security and privacy. The agencies would also have to contract with the California Military Department or a “qualified responsible vendor” every two years for a “comprehensive, independent security assessment”; and certify annually that they meet those adopted standards.
AB 1711, from Assemblymember Kelly Seyarto, R-Murrieta, requires an agency, person or business that “owns or licenses” data with residents’ personal information to disclose security breaches once residents are notified; and requires the agency to put a notice on its website when the person or business that runs the system on behalf of it releases a similar security breach notification.