California continues to be at the forefront of data protection in the United States. In February 2022, multiple privacy bills were introduced in the California legislature’s current session. The privacy bills seek to amend and enhance the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in regards to employee and business-to-business personal information exemptions and also personal information collected by proctors in an educational setting.

Extension to Employee and Business-to-Business Exemptions. Currently, the CPRA provides exemptions to employee personal information and the personal information that is collected in a business-to-business transaction. This exemption expires on January 1, 2023. Two bills were introduced to extend the exemptions. AB 2871 would extend the exemptions indefinitely by removing the sunset date altogether. AB 2891, however, would extend the exemptions to January 1, 2026.

Proctoring Services in an Educational Setting. With the increasing use of online learning, testing, and quizzing, SB 1172 was introduced to specifically cover proctoring services (i.e., an authorized individual that oversees test takers, their environment, and ensures the test taker’s identity is correct). This bill would add a new section to the CCPA/CPRA (Section 1798.101) and would “prohibit a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information except to the extent necessary to provide those proctoring services.” A consumer would be entitled to bring a civil action against the business for violating this section. Such relief can include up to $1,000 per consumer per incident or actual damages, whichever is greater, injunctive relief, and reasonable attorney’s fees.

Privacy of Children. Bill AB 2486 would create, in the CCPA, the Office for the Protection of Children Online. This Office would be established for “ensuring that digital media available to children in this state are designed, provided, and accessed in a manner that duly protects the privacy, civil liberties, and mental and physical well-being of children.”

Additionally, AB 2273 would require businesses that create goods, services, or product features likely to be accessed by children to comply with specified standards, including:

  • considering the best interests of children likely to access that good, service, or product feature when designing, developing, and providing that good, service, or product feature
  • providing privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that good, service, or product feature.

The business would be prohibited from collecting or using data it collects on consumers who are children. The bill would also require creating a task force to evaluate best practices for implementing the provisions and requirements set out in the bill.

The chamber has until May 27, 2022, to pass the bills during the current session. Stay tuned to Taft Privacy and Data Security Insights for more information on these bills and other state privacy updates.