WeVote

Bill

Bill

AB 1542

Sensitive personal information.

2025-2026 Regular Session Introduced by Chris Ward

AB 1542 bans selling or sharing sensitive personal information and requires explicit consumer-directed limits and clear upfront disclosures on SPI use, sharing, and retention.

Referred to Com. on P., D.T., & C.P.
0
WeVote Research Nonpartisan
Bill Summary · AB 1542

Summary of AB 1542 (2025-2026) – California: Sensitive Personal Information

Purpose and Intent

  • AB 1542, introduced by Assembly Member Ward, amends the California Civil Code to strengthen protections around sensitive personal information under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
  • The bill aims to prohibit selling or sharing sensitive personal information with third parties and to reinforce the rights of consumers to direct how sensitive data is used and disclosed.

Key Provisions and Changes

General framework (Sections 1798.100 and 1798.121)

  • The bill updates and clarifies the duties of businesses that collect personal information, including sensitive personal information (SPI).
  • It requires businesses to provide clear, at-or-before-collection notices about:
    • Categories of personal information collected and the purposes for collection, use, sale, or sharing.
    • For SPI, the specific categories and purposes, and whether SPI is sold or shared.
    • Retention periods or the criteria used to determine retention.
  • If a business acts as a third party that controls collection (e.g., on its homepage or at a physical location like a vehicle), it must prominently inform consumers about the categories of information and purposes before or at collection.
  • The information collection, use, retention, and sharing must be reasonably necessary and proportionate to the purposes for which it is collected, avoiding processing that is incompatible with those purposes.
  • Data-sharing arrangements with third parties/service providers/contractors must be governed by written agreements that:
    • Limit purposes of use/disclosure.
    • Ensure third parties provide equivalent privacy protections.
    • Allow the business to monitor and remediate unauthorized uses.
    • Require notice to the business if the third party can no longer meet obligations.
  • Businesses must implement reasonable security procedures and practices to protect personal information, aligned with existing standards (e.g., Civil Code § 1798.81.5).

Sensitive Personal Information – Consumer rights (Section 1798.121)

  • Consumers have a right to direct a business that collects SPI to limit its use of SPI to what is necessary to provide goods/services and to perform services as reasonably expected by an average consumer.
  • If a business uses or discloses SPI for purposes beyond those specified, it must provide notice to consumers that SPI may be used or disclosed to a service provider or contractor for additional purposes, and that consumers have the right to limit such use or disclosure.
  • If a consumer directs a business not to use/disclose SPI beyond the authorized purposes, the business (and any service providers/contractors under contract) must not use or disclose SPI for other purposes without separate consumer consent.
  • Service providers/contractors must not use SPI beyond what is directed by the business and only to the extent they have actual knowledge that the data is SPI in that context.
  • SPI that is collected or processed without the purpose of inferring characteristics remains subject to applicable limits as defined in CPRA regulations.
  • Importantly, the bill adds a clear prohibition: a business, service provider, or contractor shall not sell or share SPI with a third party.

Who/What is Affected

  • Businesses, including service providers and contractors, that collect personal information from California consumers, particularly those that collect or handle SPI.
  • Consumers in California, who gain strengthened rights to limit the use/disclosure of SPI and to be informed about collection, retention, and sharing practices.

Procedural and Timeline Highlights

  • Legislative History (as of Actions):
    • Introduced and referred for review in early 2026.
    • Passed committee stage with a “Do pass and re-refer to APPR” action (April 16, 2026), with a vote tally of 9 ayes to 5 nays in the committee.
    • Subsequent referrals: Referred to the Committee on Privacy and Consumer Protection (P. & C.P.) on Feb 2, 2026; prior steps include a printing/reading for introduction on Jan 5, 2026.
  • Fiscal impact: Not designated as an appropriation in the Digest, and no specific general fund appropriation is indicated.
  • The bill explicitly states it furthers the purposes of CPRA (Prop 2020) and aligns with CCPA framework for SPI protections.

Practical Implications

  • Businesses must provide upfront and ongoing disclosures about SPI, including categories, purposes, sharing/selling status, and retention.
  • Stronger contractual controls with third parties must be in place to ensure SPI is used only for specified purposes and with adequate protections.
  • Consumers gain clearer rights to limit the use/disclosure of SPI and to ensure thatSPI is not sold or shared without authorization.
  • Compliance will require updates to privacy notices, vendor agreements, data processing agreements, and security practices to reflect the prohibition on selling or sharing SPI and the enhanced disclosure requirements.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.