Bill Text: CA SB930 | 2025-2026 | Regular Session | Amended


Bill Title: Student Test Taker Privacy Protection Act: end-to-end encryption.

Sponsorship: Partisan Bill (Democrat 1)

Status: (Engrossed) 2026-06-17 - From committee: Do pass and re-refer to Com. on ED. with recommendation: To consent calendar. (Ayes 15. Noes 0.) (June 16). Re-referred to Com. on ED.

Amended in Senate March 25, 2026

CALIFORNIA LEGISLATURE, 2025–2026 REGULAR SESSION

Senate Bill No. 930


Introduced by Senator Reyes

January 29, 2026


An act to amend Section 22588 of the Business and Professions Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 930, as amended, Reyes. Student Test Taker Privacy Protection Act: end-to-end encryption.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), imposes various obligations on businesses with respect to personal information, as defined. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.
The CCPA requires a business to inform consumers of the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. Existing law, the Student Online Personal Information Protection Act, prohibits an operator, as defined, from, among other things, disclosing a K–12 student’s personal information, except as specified. Existing law, the Student Test Taker Privacy Protection Act, prohibits a business providing proctoring services in an educational setting from collecting, retaining, using, or disclosing personal information except to the extent necessary to provide those proctoring services and in other specified circumstances.
This bill would require a business providing those proctoring services to a school district, county office of education, or charter school for classroom- or course-based exams to use end-to-end encryption, as defined, for those purposes. The bill would define “end-to-end encryption” for these purposes to mean a security method where data is encrypted on the sender’s device and remains encrypted until it reaches the intended recipient’s device and is unreadable by any other party, including the business providing proctoring services.
The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.
This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1. Section 22588 of the Business and Professions Code is amended to read:

22588. (a) Notwithstanding Section 22584 of the Business and Professions Code, a business providing proctoring services in an educational setting shall collect, use, retain, and disclose only the personal information strictly necessary to provide those services, and, if the business is providing proctoring services to a local educational agency for classroom- or course-based exams, shall use end-to-end encryption (E2EE) to provide those proctoring services.
(b) This section shall not prohibit a business from collecting, using, retaining, or disclosing personal information if doing so is necessary for any of the following:
(1) To comply with federal, state, or local law.
(2) To comply with a court order or subpoena.
(3) To comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, or local agency authorized by law to conduct that inquiry or investigation, or authorized to serve a subpoena or summons, as applicable.
(A) A law enforcement agency may direct a business, pursuant to a law enforcement agency-approved investigation with an active case number, not to delete a consumer’s personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days, in order to allow the law enforcement agency to obtain a court order or subpoena to obtain the consumer’s personal information.
(B) A business that has received direction from a law enforcement agency not to delete a consumer’s personal information that otherwise would not be permissible to retain or disclose pursuant to this section shall not use or disclose the consumer’s personal information for any purpose except in response to a court order or subpoena.
(4) To cooperate with a law enforcement agency concerning conduct or activity that the business reasonably and in good faith believes to violate federal, state, or local law.
(5) To cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at imminent risk of death or serious physical injury, provided that all of the following are met:
(A) The request is approved by a high-ranking agency officer for emergency access to a consumer’s personal information.
(B) The request is based on the agency’s good faith determination that it has a lawful basis to access the information on a nonemergency basis.
(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.
(6) To exercise or defend a legal claim.
(c) For purposes of this section, the following definitions apply:
(1) “End-to-end encryption” or “E2EE” means a security method where data is encrypted on the sender’s device and remains encrypted until it reaches the intended recipient’s device and is unreadable by any other party, including the business providing proctoring services.
(2) “Local educational agency” means a school district, county office of education, or charter school.
(3) “Personal information” has the same meaning as in Section 1798.140 of the Civil Code.
(4) “Proctoring services” includes, but is not limited to, services offered by a business to observe, monitor, or administer an exam.

SEC. 2. The Legislature finds and declares that the amendments to Section 22588 of the Business and Professions Code made by this act furthers the purpose and intent of the California Privacy Rights Act of 2020, enacted by Proposition 24 at the November 3, 2020, statewide election, within the meaning of Section 25 of Proposition 24.