Tech Privacy Bill Threatens Huge Costs and Employee Job Security
Should the statutes and internal regulations that govern the information practices of state agencies also be applied to all local agencies? AB 2677 would do just that in regard to how personal information is stored and shared, without regard to the many differences between state agencies, counties, school districts, cities, and all manner of special districts. In doing so, it would impose tremendous costs, both upfront and ongoing, new civil liabilities, and would even threaten termination for employees that make mistakes in how the information is handled.
Modeled after the Federal Privacy Act of 1974 and in response to the increasing use of computers and other technology, California’s Information Practices Act of 1977 (IPA) was enacted to prevent the indiscriminate collection, maintenance, and dissemination of personal information by state agencies. Notably, counties and other local agencies were explicitly excluded from these requirements, along with the Legislature, the courts, and the State Compensation Insurance Fund. Today, IPA still serves as the primary statute that governs state agencies’ collection and handling of personal information in order to uphold the right to privacy granted by the Californian Constitution.
AB 2677 by Assembly Member Gabriel would apply the entirety of the Information Practices Act of 1977 to all local agencies beginning January 1, 2024 (the Legislature, courts, and SCIF would continue to be exempt). The bill also makes additional amendments to IPA, including the expansion of the definition of personal information, and making negligent violations of IPA—not just intentional violations—a cause for disciplinary action up to and including termination.
Among its many provisions, the IPA prohibits the use of anyone’s personal information for purposes other than that for which it was collected, making it impossible for counties to work across departments to tackle difficult community problems like homelessness. It also requires various disclosures and consent agreements every time personal information is collected. Personal information includes everything from a person’s name and phone number to IP address and geolocation and everything in between, including their physical description, financial matters and statements made by or attributed to them.
The IPA also requires agencies to establish rules consistent with the 330-page State Administrative Manual and the State Information Management Manual (a collection of 88 different required documents, worksheets, and webpages—some of which are only accessible to designated personnel—and many other documents listed as optional). It is not clear why local agencies should be subject to the constantly changing requirements of internal state manuals.
These requirements, and the many others that comprise the IPA, were clearly designed for state agencies, which are large, generally do not provide direct services to the public, and are able to contact the California Department of Technology for questions and guidance. Local agencies, on the other hand, vary in size from 100,000 employees to less than one, almost always provide direct services to the public, and can only rely on themselves and hired consultants for guidance on these issues.
CSAC is leading a coalition of local agencies in opposition to AB 2677 due to the substantial one-time and ongoing costs required to comply with IPA and the complications of applying a law designed for state agencies to locals. Although the bill was recently amended to delay the application of IPA to local agencies by one year, local agencies would be required to adopt new policies, purchase new equipment and software, hire specialized staff, and conduct widespread training prior to the beginning of 2024, and many of those costs would be ongoing. The bill also exposes counties to new litigation costs and requires employee discipline for the intentional or negligent violation of any provision of IPA, including termination of employment.
AB 2677 passed out of the Assembly Privacy and Consumer Protection Committee, which the author chairs, and is currently pending a hearing in Assembly Appropriations Committee. CSAC will continue to engage with the author and committee staff to remove the overly burdensome and costly mandates on counties that were not written with local agencies in mind and lack the appropriate funding and resources to implement.