Privacy Legislation Enacted in 2016

The California Legislature considers many bills on privacy issues each year. This page summarizes some of the recently enacted bills. To get more information on the bills, go to

Unless otherwise noted, laws go into effect January 1, 2017.

AB 1580 (Gatto and Irwin) Security freezes for protected consumers, including minors
This law requires credit agencies to comply with requests from representatives of “protected consumers” – minors under 16 years of age, incapacitated individuals, and individuals in foster care – to place security freezes on the credit records of those individuals. Civil Code §§ 1785.11.9-1785.11.11

AB 1924 (Low) Electronic Communications Privacy Act (CalECPA): Pen registers and trap and trace devices
This law amends CalECPA to provide an exemption for pen registers and trap and trace devices. Specifically, the law permits courts to authorize peace officers to use pen registers and trap and trace devices for 60 days initially. Penal Code §§ 638.52, 1546.1 (amended), 638.54, & 638.55 (added)

AB 2263 (Santiago) Safe at Home Participants: Information about protecting addresses in real property records
This law standardizes the confidentiality protections for participants in the Secretary of State’s Safe at Home program, regardless of whether their participation is based on their status as victims of domestic violence, stalking, or sexual assault, or on their status as a patient, employee, or volunteer at a reproductive health care clinic. It requires the Secretary of State to provide program enrollees with information about how to protect their privacy on real property records. Additionally, it prohibits publicly posting or displaying on the Internet the home address of program participants under certain conditions. Government Code §§ 6209.5, 6215.10, and 6215.12

AB 2524 (Irwin) OpenJustice Data Act of 2016
This law requires the Department of Justice to make its mandatory criminal justice statistics reports and other information related to criminal statistics available to the public through the OpenJustice Web Portal, to be updated at least yearly. Business and Professions Code § 21627 (amended), Government Code § 12525.2 (amended), Penal Code §§ 13010, 13010.5, 13012, 13012.6, 13013, 13014, 13023, and 13519.4 (amended)

AB 2536 (Chau) Cyber sexual bullying
This law adds cyber sexual bullying to the definition of an act of bullying for which a pupil may be suspended or expelled. The law also requires the California Department of Education to include information specifically about cyber sexual bullying on a dedicated website. Education Code §§ 234.2 and 48900 (amended)

AB 2799 (Chau) Early Learning Personal Information Protection Act (ELPIPA): Data privacy for preschool and prekindergarten
This law applies protections for student data, like those for K-12 schools in the Student Online Personal Information Protection Act (SOPIPA), to operators of education technology that is used primarily for, and designed and marketed for, preschool and prekindergarten purposes. Effective July 1, 2017. Business and Professions Code §§ 22586-22587

AB 2828 (Chau) Data breach: encryption key
This law amends the data breach notification law to require notification of a breach of encrypted personal information, but only when the encryption key or security credential that could render the personal information readable or useable was, or is reasonably believed to have been, acquired by an unauthorized person. Civil Code §§ 1798.29 and 1798.82 (amended)

SB 514 (Anderson) California Health Benefit Exchange – Applicant privacy
This law prohibits the California Health Benefit Exchange (CoveredCA) from disclosing any personal information that the exchange obtained from an application for health care coverage to certified insurance agents or enrollment counselors without the consent of the applicants, with exceptions. Government Code § 100503 (amended)

SB 741 (Hill) Mobile Communications Privacy – Cellular communications interception technology
This law establishes requirements that local agencies must fulfill before operating cellular communications interception technology. The requirements include implementing a usage and privacy policy and maintaining reasonable security procedures and practices, among other things. Government Code § 53166
