As introduced: - Establishes the Office of Data Protection and Responsible Use within the Division of Consumer Affairs to regulate the processing of personally identifiable information. - Requires controllers to obtain a consumer's affirmative, opt-in consent before collecting or processing personally identifiable information. - Requires disclosures explaining how that data will be processed, and to issue additional disclosures before using the data for any new purpose. - Prohibits the processing of sensitive data, such as biometric or health information, without explicit opt-in consent. - Grants consumers rights to access, correct, delete their personal information, and the right to opt out of having data processed, or processed for direct marketing purposes, including profiling. - Prohibits subjecting a consumer to a decision based solely on automated decision making that produces legal effects concerning the consumer or similarly significantly affects the consumer without consent or unless necessary. - Requires notice of a security breach to the Office within 72 hours, and if the breach is likely to result in high risk to a person, notice to a consumer with undue delay. - Requires controllers to conduct data protection impact assessments.
| Date | Chamber | Action |
|---|---|---|
Jan 13, 2026 | — | Introduced, Referred to Assembly Science, Innovation and Technology Committee |
| Last Action | Jan 13, 2026 |
| Year | 2026 |
| Bill Type | Bill |
| Created | Jan 29, 2026 |
| Updated | Jan 29, 2026 |