AB 2520 makes non-substantive edits to Civil Code §1799.1, the California law that bars business entities performing bookkeeping services from disclosing client records without express written consent. The draft polishes awkward phrasing in the statute but does not change the core rule or the enumerated exceptions.
The practical effect is grammatical and drafting clarity rather than a substantive change in rights or duties. Nevertheless, compliance officers, in-house counsel, and bookkeeping vendors should confirm that contracts and disclosure protocols still track the statute’s consent requirement and its exceptions (subpoenas/court orders, discovery, search warrants, law-enforcement investigations, and tax-administration requests).
At a Glance
What It Does
The bill revises the wording of Civil Code §1799.1 to remove redundant phrasing and tighten sentence structure while retaining the statute’s ban on disclosing any record prepared or maintained by a bookkeeping business without the subject’s express written consent. The statute expressly protects information disclosed as part of any composite of information.
Who It Affects
Third-party bookkeeping firms and other business entities that prepare or maintain financial records for clients; the clients (individuals and businesses) whose records are covered; lawyers and compliance staff who draft confidentiality provisions and respond to legal process; and public agencies that rely on statutory exceptions (courts, law enforcement, taxing agencies).
Why It Matters
Although the bill does not change legal outcomes, clarifying statutory text can reduce avoidable litigation over interpretation and help businesses standardize contract language. The retained exceptions mean that providers still must respond to subpoenas, discovery, search warrants, criminal-investigation requests (unless prohibited by law), and taxing-agency demands.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The current text of Civil Code §1799.1 bars bookkeeping providers from disclosing any record they prepare or maintain about a client unless the client gives express written consent. AB 2520 cleans the statutory language—fixing duplicated words and tightening sentences—without expanding or narrowing the risk that the statute addresses.
That means the baseline duty remains: bookkeeping businesses should treat client records as confidential by default and obtain written consent before disclosure.
The statute’s protection explicitly reaches not only individual documents but also disclosures made through composites or aggregations of information derived from client records. For practitioners, that phrase signals that summaries, aggregates, or combined reports drawn from client files are still within the confidentiality rule when they reveal underlying client data.
The bill leaves that language intact, so operations that generate consolidated reports need the same consent treatment as item-level disclosures.AB 2520 also leaves intact the exceptions that allow disclosure without client consent: compliance with a subpoena or court order, disclosure that is otherwise discoverable in litigation, compliance with a lawful search warrant, disclosure to law enforcement when required for a criminal investigation (subject to other legal prohibitions), and disclosures to taxing agencies for tax administration. Because the bill is silent on definitions, the covered universe—what counts as "bookkeeping services," what qualifies as a "record," and how "discoverable" is defined—continues to depend on existing case law and related statutes.On implementation, the change is primarily administrative: bookkeeping firms should update boilerplate confidentiality clauses and internal playbooks to reflect the cleaned language, but they do not have new substantive obligations.
Legal teams should also verify notice and consent mechanisms (who signs, what scope consent covers, and recordkeeping of consent) and maintain procedures to handle legal process requests that fall within the retained exceptions.
The Five Things You Need to Know
The statute protects "any record" prepared or maintained by a bookkeeping business, and explicitly includes disclosures made through any composite or aggregation of that information.
The bill keeps the statute’s consent standard as "express written consent" from the individual or business that is the subject of the record—oral or implied consent is not authorized by the text.
Section 1799.1(b) preserves five specific exceptions permitting disclosure without client consent: (1) subpoena or court order, (2) disclosures that are discoverable, (3) lawful search warrants, (4) law-enforcement requests for criminal investigations unless otherwise prohibited, and (5) disclosures to taxing agencies for tax administration.
AB 2520 is a drafting cleanup; it does not add a statutory definition of "bookkeeping services," so questions about the statute’s reach (e.g.
to CPAs, payroll processors, or cloud bookkeeping platforms) remain unresolved.
The amendment does not add penalties, enforcement mechanisms, or new notice requirements—enforcement still relies on existing civil causes of action and related law.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Prohibition on disclosure by bookkeeping businesses
This subsection contains the primary prohibition: a business entity that performs bookkeeping services may not disclose, in whole or in part, the contents of any record it prepares or maintains about a client without that client’s express written consent. Practically, this creates a default confidentiality rule for third-party bookkeepers and requires businesses to build consent processes into client onboarding for any situation where disclosure might be needed.
Covers aggregated and composite disclosures
The text specifies that confidentiality covers not only discrete records but also information disclosed as part of a composite of information. That means aggregated reports, consolidated financial summaries, or analytics that reveal client-specific data remain subject to the same consent requirement. Operational teams that generate consolidated outputs must treat them as protected unless client consent has been obtained.
Process and judicial exceptions: subpoenas, discovery, and search warrants
Subsections (b)(1)–(3) permit disclosures compelled by legal process: subpoenas or court orders, disclosures that are otherwise discoverable in litigation, and lawful search warrants. These provisions put bookkeeping entities into the same practical position as other custodians of records when responding to judicial or investigatory demands; they must have procedures to validate and, where appropriate, challenge or limit overbroad requests.
Law-enforcement exception for criminal investigations
Subsection (b)(4) allows disclosure to law enforcement when required for criminal investigations, but it includes the caveat "unless such disclosure is prohibited by law." That language preserves conflicts with statutory protections (for example, other confidentiality laws) and signals that bookkeeping firms should consult counsel before complying with overlapping legal demands.
Tax-agency exception
The statute permits disclosures to taxing agencies for tax-administration purposes. This carve-out is consequential for bookkeeping vendors that also provide tax support: it authorizes direct cooperation with tax authorities without client consent and may require firms to maintain procedures for responding to administrative tax inquiries.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Clients of bookkeeping firms — They retain statutory protection for both raw records and aggregated outputs, preserving confidentiality and control over disclosures of their financial information.
- Bookkeeping vendors and their counsel — The grammatical cleanup reduces drafting ambiguity, which can lower litigation risk and make contract language easier to harmonize with internal policies.
- Taxing agencies — The explicit tax-administration exception preserves agencies’ access to records held by third-party bookkeepers without needing client consent, supporting audits and collections.
- Courts and law enforcement — The retained exceptions keep established legal-process channels available for compelled disclosures, maintaining investigatory and adjudicative functions.
Who Bears the Cost
- Third-party bookkeeping firms — They must continue to maintain consent workflows, validate legal process requests, and potentially litigate narrow disputes over applicability; smaller vendors may face compliance overhead without substantive relief from the amendment.
- Compliance and legal teams — Need to update template contracts, consent forms, and incident-response plans to reflect the cleaned statutory language and to clarify procedures for handling composite outputs and external legal demands.
- Cloud service providers and software vendors used by bookkeepers — Must ensure that product configurations and data-export features permit bookkeeping clients to control disclosures and that APIs/logging support proof of consent or lawful process compliance.
- Clients with cross-border data — Firms serving clients whose data is stored or processed across jurisdictions face complexity reconciling California confidentiality rules with foreign legal process and data-transfer obligations.
Key Issues
The Core Tension
The central dilemma is between preserving strong, predictable confidentiality protections for clients of bookkeeping services and maintaining the state’s and courts’ ability to obtain records for legitimate law-enforcement, judicial, and tax-administration purposes; AB 2520 resolves none of the underlying policy trade-offs and instead narrows only the risk of interpretation errors caused by sloppy drafting.
AB 2520 is a classic drafting cleanup: it tidies grammar without changing the statute’s prohibitions or exceptions. That simplicity is helpful, but it leaves open important operational and legal questions.
The statute still lacks definitions for "bookkeeping services," "record," and "discoverable," so parties will continue to rely on ancillary statutes, case law, and contract interpretation to define the boundaries of protection. In particular, the statute does not enumerate whether licensed accountants, payroll processors, or embedded bookkeeping functions inside larger software platforms fall inside the prohibition.
Another unresolved area is how the law interacts with other confidentiality regimes and the practical mechanics of consent. The bill preserves exceptions for subpoenas, discovery, warrants, criminal-investigation requests, and tax-administration demands, but it does not provide guidance on how to handle conflicting legal obligations, cross-jurisdictional requests, or dual-use data (e.g., when records implicate both tax and criminal inquiries).
The absence of new enforcement or penalty provisions means disputes will continue to route through existing civil remedies, which can be slower and less predictable than administrative schemes.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.