AB 1300 creates a new chapter in the Government Code that restricts how California state and local agencies collect and share immigration-related personally identifiable information (PII). The bill bans collection of immigration-related PII unless a statute explicitly requires it and the collection serves a legitimate government purpose, and it bars sharing PII with federal immigration enforcement agencies absent a judicial warrant or court order.
The measure also places recurring oversight duties on state actors: it directs the State Auditor to audit all government data-sharing agreements at least every two years and requires the Attorney General to convene a task force to review complaints and deliver annual reports to the Legislature. Enforcement is centralized in the Attorney General through administrative remedies or civil penalties, and the bill anticipates reimbursement procedures if the Commission on State Mandates finds state-mandated local costs.
At a Glance
What It Does
The bill prohibits collection of immigration-related PII unless explicitly required by law and justified by a legitimate government purpose, and forbids sharing that PII with federal immigration enforcement without a judicial warrant or court order. It subjects data‑sharing contracts to State Auditor review and mandates biennial audits of such agreements.
Who It Affects
State agencies, counties, municipalities, local law enforcement, public health and social services departments, and any private vendors or contractors that maintain government-held PII or operate government data systems are directly regulated. The Attorney General and State Auditor gain new oversight and enforcement responsibilities.
Why It Matters
AB 1300 tightens privacy protections for immigrants and vulnerable populations by imposing legal barriers to information flows to federal immigration agencies and creating recurring independent oversight. For compliance officers and counsel, it changes risk calculus for data collection policies, third‑party contracts, and responses to federal requests.
What This Bill Actually Does
AB 1300 adds the California Data Protection and Privacy for All Communities Act to the Government Code and starts by defining key terms: what counts as a ‘government agency,’ which federal entities qualify as ‘immigration enforcement agencies,’ and a non‑exhaustive list of data types that constitute personally identifiable information (PII), including immigration status and biometrics.
The core operational rule is twofold. First, agencies may not collect immigration‑related PII unless a state or federal law explicitly requires that collection and the agency can point to a legitimate government purpose for it.
Second, agencies may not share PII with federal immigration enforcement — named as ICE, CBP, and similar agencies — unless the request is accompanied by a judicial warrant or court order. The bill packages these prohibitions with contract controls: any agreement or memorandum of understanding that would enable data sharing with federal immigration authorities must include “strict oversight mechanisms” and is explicitly made subject to review under the State Auditor provisions.
To detect and deter unauthorized sharing, the State Auditor must audit all state and local government data‑sharing agreements at least once every two years.
The Attorney General must form an oversight task force to review complaints and violations related to unauthorized data collection or sharing and must report annually to the Legislature on privacy trends, risks, and recommendations. Enforcement authority rests with the Attorney General, who may pursue administrative actions or civil penalties to remedy violations; the bill does not set penalty amounts but centralizes enforcement in the AG’s office.
Finally, the statute acknowledges state‑mandated local costs and ties reimbursement to existing state procedures if the Commission on State Mandates finds the bill imposes reimbursable duties.
The bill therefore creates a compliance architecture that mixes statutory prohibitions, contract governance, independent auditing, and centralized enforcement instead of relying solely on case‑by‑case litigation or agency guidance.
The Five Things You Need to Know
The bill bars any state or local agency from collecting immigration-related PII unless collection is explicitly required by law and justified by a legitimate government purpose.
Agencies cannot share PII with federal immigration enforcement (e.g. ICE or CBP) without a judicial warrant or court order.
The State Auditor must audit all state and local government data‑sharing agreements at least once every two years to check for compliance with privacy and civil‑rights protections.
The Attorney General must create an oversight task force to review complaints about unauthorized data collection or sharing and must issue an annual report to the Legislature.
Enforcement is through the Attorney General via administrative action or civil penalties; the bill does not specify penalty amounts but centralizes enforcement authority in the AG.
Section-by-Section Breakdown
Legislative findings and policy statement
This opening provision declares the Legislature’s intent to reinforce privacy protections for vulnerable communities and frames the chapter as building on existing consumer privacy law. Practically, it signals that later provisions should be interpreted to emphasize safeguarding immigrant data and aligning with civil‑rights goals — an interpretive cue for agencies and courts when resolving ambiguities.
Definitions (government agency, immigration enforcement agencies, PII)
This section sets the operational vocabulary: it covers which entities are regulated, which federal agencies count as immigration enforcement, and what kinds of data qualify as PII for the chapter’s purposes. The definition of PII is broad — immigration status, biometrics, driver’s license and financial information are all listed — which expands the universe of records subject to the statute and affects records retention, redaction, and access practices.
Collection and sharing prohibitions; contract controls; enforcement
This is the bill’s substantive core. It (a) prohibits collection of immigration‑related PII absent explicit legal authorization and a legitimate government purpose; (b) prohibits sharing such PII with federal immigration enforcement without a judicial warrant or court order; and (c) requires that any contract or MOU facilitating data sharing incorporate strict oversight mechanisms and be subject to State Auditor review. It also makes violations enforceable by the Attorney General via administrative or civil remedies. For agencies, this creates three compliance levers: policy review before collection, legal review of each external request for data, and contract clauses that allow oversight and audit.
Biennial State Auditor reviews of data-sharing agreements
The State Auditor must audit all state and local government data‑sharing agreements at least every two years to confirm compliance with privacy and civil‑rights protections. That audit mandate expands the Auditor’s scope to include both intra‑state and vendor‑operated agreements and imposes a recurring workload. Audits will surface contract terms, sharing practices, and compliance lapses for legislative and public review.
Attorney General oversight task force and annual reporting
The Attorney General must establish a task force to review complaints and violations related to unauthorized data collection and sharing and must report annually to the Legislature on privacy trends, risks, and recommendations. This creates a central intake and analytic body for incidents, standardizes reporting to the Legislature, and provides a vehicle for policy recommendations — effectively turning incident reviews into a recurring policy feedback loop.
State mandates and reimbursement procedure
If the Commission on State Mandates finds that the bill imposes costs on local agencies, this section ties reimbursement to existing statutory procedures. The practical effect is twofold: it acknowledges that local compliance will have budgetary impacts and it points agencies toward the formal reimbursement process rather than ad hoc funding.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Immigrants and mixed‑status families — Reduce the risk that routine state or local records (driver’s license data, benefits records, biometrics) are passed to ICE/CBP without judicial oversight, lowering the chance of immigration enforcement actions triggered by state data.
- Civil‑rights and privacy advocates — Gain statutory tools (audit reports and an AG task force) to document and challenge unauthorized data sharing and to push for policy reforms based on AG reports and State Auditor findings.
- Legal services organizations and public defenders — Benefit from clearer statutory barriers to data disclosure, strengthening arguments to resist disclosure requests and improving client confidentiality protections.
Who Bears the Cost
- Local governments and counties — Must review and potentially redesign data‑collection practices, contract language, and disclosure processes to demonstrate that any collection is legally required and justified, creating administrative and legal costs.
- State Auditor’s office and Attorney General’s office — Face expanded, recurring workloads from biennial audits and annual reporting plus handling complaints and enforcement actions, which may require additional staffing and budget.
- Third‑party vendors and contractors managing government databases — Must accept contract clauses allowing oversight and audits and may need to change data management and disclosure practices, raising compliance costs and renegotiation demands.
Key Issues
The Core Tension
The bill attempts to resolve an inevitable trade‑off: protect immigrant privacy by restricting government data flows versus preserve lawful information sharing that supports public safety, regulatory enforcement, and statutory duties; tightening privacy reduces disclosure risks for vulnerable people but raises legal and operational friction when agencies confront federal requests or statutory obligations that appear to require data sharing.
AB 1300 leaves several implementation questions unresolved. The bill ties collection permissibility to being “explicitly required by law” and “justified by a legitimate government purpose,” but it does not define what qualifies as “legitimate government purpose” or how agencies should document that justification.
Agencies will need operational guidance on evidentiary thresholds for documenting legal necessity and purpose‑justification, or they will face uneven enforcement and litigation over discretionary determinations.
The warrant requirement for sharing with federal immigration authorities narrows routine transfer channels, but the bill is silent about other legal process instruments (for example, subpoenas, administrative summons, or national security requests) and about exigent‑circumstance exceptions. That omission creates ambiguity when federal actors seek information by means other than a warrant, and it invites legal conflict over preemption, compelled cooperation, and the limits of state authority to restrict federal access.
Finally, the audit mandate substantially expands workloads for the State Auditor and the AG’s office without specifying funding, staffing, or audit scope, raising the practical risk that audits will be delayed, superficial, or uneven across agencies unless the Legislature or budgetary processes provide resources.