Rick Sable, of the Office of Legislative Counsel, walked the Legislative Council through Committee Amendment 2 to H.211 during a Jan. 14 committee session, describing a suite of changes that would broaden what counts as brokered personal information, add a new definition for artificial‑intelligence systems, and alter registration, fee and notice rules for data brokers.

Sable said the amendment replaces a narrowly enumerated list of covered data with broader language so that brokered personal information can include "any information, including derived data," and indicated the bill would treat information that can be used to identify a person or a device as covered. "Brokered personal information means any information including derived data that is linked or reasonably linkable alone or in combination with other information to an identified or identifiable individual or to a device," he said while reading the proposed language.

The change removes a prior exception for certain "publicly available information," replacing it with a new, specific definition of what counts as publicly available information later in the amendment. Sable said the revision aligns several definitions with the broader comprehensive data‑privacy drafting the Legislature has considered and with recent California privacy regulatory language.

Key operational changes in the amendment include a faster registration requirement for data brokers and new reporting obligations. Under the proposed language, "a person" who meets the definition of a data broker must register with the state not more than 30 days after meeting that definition and thereafter must register annually on or before Jan. 31, Sable said. The amendment also removes a flat statutory $100 fee and gives the Secretary of State discretion to set the registration amount; committee members questioned how that discretion would be structured.

The bill creates (and updates) a data‑broker security‑breach notice regime, clarifies enforcement consistent with existing security‑breach statutes, and requires brokers to disclose, in registration filings, the number of security breaches experienced in the prior year and, if known, the total number of consumers affected. It would also require brokers to report whether, in the past year, they shared or sold consumer data to foreign actors, federal or state governments (outside of subpoenas), law enforcement (outside of subpoenas), or to developers of Gen‑AI systems or models.

The amendment adds two defined terms the committee had not previously used in H.211: a "Gen AI system," described as an artificial‑intelligence system that can generate synthetic content resembling its training data, and "identified or identifiable individual," consistent with the comprehensive privacy bill's language.

On consumer rights, Sable read provisions that would require a data broker to publish a link informing consumers about opt‑out rights and procedures, including whether opt‑out applies to certain activities or to all collection/sales, fee procedures, and whether a consumer may designate an authorized agent to act on their behalf. The amendment also includes an "accessible deletion mechanism," with an example timeline read into the record: beginning Aug. 1, 2028, brokers would be expected to access that mechanism and process requests at least once every 40 days.

Committee members pressed for clarifications and raised practical concerns. An unidentified participant worried about how the amendment would affect legitimate transactions between regulated financial institutions, arguing that disrupting certain data flows could increase costs: "My concern's persistent from day one ... rates will go up because you can't trust the data anymore," the participant said. Sable responded: "I think it would help to have experts," and recommended the committee hear sector specialists to determine whether carve‑outs or clarifying language are needed.

Members also discussed penalties in the amendment. Sable summarized that registration failures and incomplete filings can trigger daily fines, materially incorrect filings can carry a civil penalty of $25,000 plus additional daily penalties until corrected, and that the committee may revisit penalty levels.

The committee did not take a vote during the session. Members said they plan further consultations with the Attorney General and the Secretary of State to reconcile overlapping authorities and to refine fee and registration language; the meeting recessed for lunch and will continue work in future meetings.