The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information, as specified. The CCPA requires a business that controls the collection of a consumer’s personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.

This bill would enact the Stop Foreign Governments from Accessing Californians’ Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumer’s personal information outside of the United States. The bill would prohibit a business from maintaining a consumer’s personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumer’s personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.

This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.