Personal information: maintenance.

Assembly Member DeMaio's privacy legislation would establish new requirements for California businesses that maintain consumer personal information outside the United States, while prohibiting foreign storage of certain sensitive data categories. The bill requires businesses to inform consumers about potential risks of storing their personal information abroad and obtain explicit consent before doing so.

Under the proposed changes, businesses would be barred from maintaining health care information, financial information, or geolocation data outside U.S. borders. The bill specifically prohibits these sensitive data categories from being held by foreign governments or third parties under foreign government control. These provisions add to existing California Consumer Privacy Act requirements regarding disclosure of data collection practices and consumer rights.

The legislation builds upon the framework established by the California Privacy Rights Act of 2020, with enforcement authority vested in the California Privacy Protection Agency. Businesses would need to update their privacy policies, consent mechanisms, and data storage practices to comply with the new international data maintenance restrictions while continuing to meet current obligations around data minimization, security procedures, and agreements with third-party data handlers.