California lawmaker wants to ban selling your sensitive data

Assembly Bill 1542 amends the California Consumer Privacy Act by inserting language that would prevent businesses, service providers, and contractors from selling or sharing sensitive personal information to third parties. The bill modifies Section 1798.121 of California's Civil Code to add an explicit prohibition: "A business, service provider, or contractor shall not sell or share sensitive personal information to a third party."

Ward, who represents the 78th Assembly District covering San Diego and El Cajon, introduced the measure during the first week of the 2025-26 legislative session. The bill received its first reading on January 5, 2026, and was printed the following day. Committee hearings can begin after February 5, 2026, following the mandatory 31-day printing period.

The legislation specifically targets the transfer of sensitive categories of personal information that California law already recognizes as requiring heightened protection. Under current CCPA definitions, sensitive personal information includessocial security numbers, driver's license numbers, passport numbers, account login credentials combined with security codes, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, mail content, email content, text message content, genetic data, biometric data used for identification purposes, health data, sex life information, and sexual orientation information. Neural data, representing information generated by measuring nervous system activity, was added as a protected category in recent CCPA amendments that took effect January 1, 2026.

California's existing privacy framework permits businesses to use sensitive personal information for limited purposes that consumers reasonably expect when requesting goods or services. The current law allows consumers to direct businesses to limit sensitive personal information use to these necessary purposes. Businesses that use sensitive personal information beyond these limited purposes must provide notice and give consumers the right to restrict such use. The proposed amendment would eliminate the ability to sell or share sensitive information entirely, regardless of consumer consent or notice provisions.

The bill modifies Section 1798.100 by striking the phrase "and whether that information is sold or shared" when describing disclosure requirements for sensitive personal information collection. The amended language would require businesses to inform consumers only about the categories of sensitive personal information collected and the purposes for collection and use. This change reflects the underlying prohibition on selling or sharing such data, making disclosure about sales or sharing irrelevant.

Ward's legislation declares that its provisions further the purposes and intent of the California Privacy Rights Act of 2020, which voters approved as Proposition 24 during the November 3, 2020, statewide general election. The California Privacy Rights Act substantially expanded the original CCPA by creating the California Privacy Protection Agency, establishing new consumer rights, and adding enforcement mechanisms. The 2020 measure specifically required businesses to limit their use of sensitive personal information unless consumers received notice and the right to limit such use.

Data brokers and advertising technology companies would face significant operational constraints under AB-1542. These businesses currently monetize sensitive personal information through sales to third parties or sharing arrangements that enable targeted advertising. The real-time bidding systems that power programmatic advertising frequently process bid requests containing detailed personal information, including potentially sensitive categories. Industry complaints filed with federal regulators in January 2025 alleged that major advertising platforms expose sensitive data about Americans through automated auction systems operating across millions of websites and mobile applications.

California implemented new CCPA requirements on January 1, 2026, that expanded contractual obligations for businesses transferring personal information to third parties. Assembly Bills 137 and 566, which took effect at the start of this year, now mandate that companies enter into agreements with any third party, service provider, or contractor receiving consumer data. These contracts must specify that information transfers occur only for limited purposes and obligate recipients to provide equivalent privacy protections required under the statute. Ward's AB-1542 would build upon this framework by categorically preventing sensitive personal information from being sold or shared, eliminating certain data transfer scenarios entirely rather than merely regulating them through contractual requirements.

The California Privacy Protection Agency approved regulations in November 2025 establishing the Delete Request and Opt-out Platform, a state-hosted system where California residents can submit deletion requests that reach all registered data brokers simultaneously. The platform becomes operational in January 2026, with mandatory data broker compliance beginning August 1, 2026. Data brokers must pay tiered access fees ranging from $6,000 for January access down to $500 for December access during their first year of operation. The regulations establish that data brokers cannot contact consumers to verify deletion requests submitted through the platform.

Ward's legislative focus extends to housing access, homelessness, climate action, water resilience, and responsible budgeting, according to his official biography. He currently serves as Chair of the Assembly Committee on Arts, Entertainment, Sports, and Tourism and Chair of the California Legislative LGBTQ Caucus. He also leads the Select Committee on Biotechnology and Medical Technology. Ward previously served on the San Diego City Council, where he authored the city's Equal Pay Ordinance and chaired both the Land Use and Housing Committee and the San Diego County Regional Task Force on the Homeless.

His legislative accomplishments include authoring California's first community solar program, legislation curbing ghost gun proliferation, measures expanding the behavioral health workforce, bills improving transparency around government automated decision-making, and provisions prohibiting discrimination in mixed-income housing developments. The California Labor Federation awarded him the "Labor Superhero" designation in 2022, while the League of California Cities named him "Distinguished Legislator" in 2023. SEIU recognized him as "California Legislative Champion" in 2024, and the Coalition for Community Solar Access gave him the "Community Solar Champion" award in 2022.

The advertising industry operates under multiple privacy regulations that govern sensitive personal information. The General Data Protection Regulation in the European Union strictly limits processing of special categories of data, which include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, and data concerning sex life or sexual orientation. The Digital Services Act prohibits online platforms from targeting minors with profiling-based advertising and restricts sensitive data targeting for all users. The Transparency and Consent Framework version 2.2, developed by IAB Europe as an industry-standard technical solution for GDPR compliance, explicitly prohibits processing sensitive data categories for personalized advertising.

California's approach differs from European regulations by focusing on sales and sharing restrictions rather than comprehensive processing prohibitions. The CCPA defines "sell" as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration. The statute defines "share" as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising.

Enforcement investigations have demonstrated California regulators' willingness to pursue advertising technology companies over data practices. The California Attorney General announced an investigative sweep into the location data industry in March 2025, sending letters to advertising networks, mobile app providers, and data brokers appearing to violate the California Consumer Privacy Act. The Attorney General secured a settlement with Healthline in July 2025 over data sharing practices, establishing precedent for enforcement priorities around consumer health information.

Recent investigations into browser extension data collection revealed that some technology companies systematically collected information from consumers despite privacy policy claims to the contrary. PayPal's Honey extension faced scrutiny in December 2025 over allegations that it targeted minors for data collection while maintaining policies stating the service was created exclusively for adults 18 and older. The Children's Online Privacy Protection Act prohibits collection of personal information from children under 13 without verifiable parental consent, creating federal liability for companies that process data from minors.

Platform policies from major advertising networks already restrict certain sensitive targeting practices. Google's platform policies, updated in December 2024 with implementation scheduled for February 2025, prohibit publishers from targeting advertisements based on sensitive user information including health conditions, financial status, racial or ethnic origins, religious beliefs, and sexual interests. For United States and Canadian markets, the policies implement specific restrictions preventing housing listings, employment opportunities, and financial services advertisements from targeting audiences based on gender, age, parental status, marital status, or ZIP code, with limited exceptions for government employment advertising.

Consent management has become increasingly complex as privacy regulations proliferate across multiple jurisdictions. Consent Management Platforms emerged as technological solutions helping companies comply with regulations like GDPR, CCPA, and similar laws by streamlining the process of giving users choices about data collection and processing. These platforms typically display banners or pop-ups offering users choices to accept or reject cookies and tracking technologies. Google works with a network of certified CMPs to help website owners manage user consent and improve advertising personalization and measurement accuracy.

The advertising technology ecosystem relies heavily on data matching and audience targeting capabilities that sensitive personal information enables. Research published in November 2025 by data validation provider Truthset revealed that IP address matching produces accuracy rates of only 16% for email matches and 13% for postal matches when examined against verified records from internet service providers and multichannel video programming distributors. The findings, which analyzed over 1 billion email addresses and nearly 250 million IP addresses, challenged the industry's reliance on deterministic data supposedly matching sophisticated targeting attributes to individuals and households.

Retail media networks have developed sophisticated audience segmentation approaches that leverage first-party consumer data for targeting. A December 2025 blueprint for retail media audience segmentation recommended consent and privacy-tiered segmentation that divides customers based on consent levels and privacy preferences, ensuring compliant targeting and flexible activation. The document positioned privacy protection as foundational to sustainable retail media growth and directed retailers to treat data ethics and privacy as competitive differentiators.

AB-1542 requires a majority vote for passage and does not appropriate funds, mandate state-funded local programs, or impose tax levies. The bill includes a fiscal committee designation, indicating it will undergo review for potential state costs or revenue impacts. The measure must pass through committee hearings, floor votes in both the Assembly and Senate, and receive the Governor's signature before becoming law. The California Legislature's 2025-26 regular session continues through late 2026, providing an extended timeline for the bill's consideration.

The legislation arrives as California strengthens its position as the nation's most aggressive state regulator of data privacy practices. The California Privacy Protection Agency, which began operations in 2023, has assumed regulatory authority previously held by the Attorney General and has initiated rulemaking processes establishing detailed compliance requirements for businesses operating in the state. The agency's mandate includes enforcing the CCPA, adopting regulations implementing the law, and educating consumers about their privacy rights.

Ward's bill represents a fundamental shift in how California regulates the most sensitive categories of personal information. Rather than giving consumers the right to limit use of their sensitive personal information, the proposed law would eliminate business ability to monetize such data through sales or sharing arrangements. This approach reflects growing legislative skepticism about whether notice-and-choice frameworks adequately protect consumer privacy when sensitive information is at stake.

The measure's success depends on navigating California's complex legislative process, which includes committee assignments, public hearings, amendments, floor debates, and potential opposition from industry groups that rely on data monetization for revenue. Technology companies, advertising platforms, and data broker organizations typically mount substantial lobbying campaigns against measures that restrict data collection, use, or transfer practices that underpin their business models.

Timeline

• November 3, 2020: California voters approve Proposition 24, the California Privacy Rights Act, which amended and expanded the California Consumer Privacy Act
• January 1, 2023: California Privacy Protection Agency begins operations with regulatory authority over CCPA enforcement
• March 2025: California Attorney General announces investigative sweep into location data industry targeting advertising networks, mobile app providers, and data brokers
• July 2025: California Attorney General secures Healthline settlement demonstrating enforcement priorities around data sharing practices
• November 6, 2025: California Office of Administrative Law approves Delete Act regulations establishing operational requirements for centralized data broker deletion platform
• December 2025: California Privacy Protection Agency announces CCPA amendments taking effect January 1, 2026, expanding requirements for contractual agreements when transferring personal information
• January 1, 2026: Updated CCPA requirements take effect, including new contractual obligations for data transfers and expanded sensitive personal information categories
• January 5, 2026: Assembly Member Christopher Ward introduces AB-1542 prohibiting sale or sharing of sensitive personal information
• January 6, 2026: AB-1542 printed and available for public review, with committee hearings eligible to begin after February 5, 2026
• January 2026: Delete Request and Opt-out Platform becomes operational for California consumers to submit deletion requests
• August 1, 2026: Data broker compliance with Delete Request and Opt-out Platform becomes mandatory

Summary

Who: California Assembly Member Christopher Ward introduced the legislation affecting businesses, service providers, contractors, data brokers, and advertising technology companies that collect, process, or transfer sensitive personal information about California consumers.

What: Assembly Bill 1542 would prohibit businesses from selling or sharing sensitive personal information to third parties under the California Consumer Privacy Act. The bill amends Sections 1798.100 and 1798.121 of California's Civil Code to insert categorical prohibitions on sensitive data sales and sharing, eliminating current provisions that allow such transfers with consumer notice and opt-out rights.

When: Ward introduced AB-1542 on January 5, 2026, during the first week of California's 2025-26 legislative session. The bill can be heard in committee after February 5, 2026, following the mandatory 31-day printing period. If enacted, the measure would add to privacy protections that took effect January 1, 2026.

Where: The legislation applies to California, affecting businesses that operate in the state regardless of physical location. The CCPA applies to for-profit entities doing business in California that meet specified thresholds related to revenue, consumer data volume, or revenue derived from selling consumer information.

Why: The bill aims to strengthen consumer privacy protections by eliminating business ability to monetize the most sensitive categories of personal information through sales or sharing arrangements. Ward's legislation builds on California's existing privacy framework by moving beyond notice-and-choice models to categorical prohibitions for information including social security numbers, biometric identifiers, health data, precise geolocation, genetic data, sexual orientation, religious beliefs, and neural data measuring nervous system activity. The measure responds to ongoing concerns about data broker practices, advertising technology data transfers, and insufficient consumer control over sensitive personal information despite existing opt-out rights.