AB 593 amends Welfare and Institutions Code section 18901.59 to change how CalFresh-related data exchanges are governed. The bill strips the explicit state-law authorization that previously allowed public entities to share data with the State Department of Social Services (CDSS) for purposes such as improving administration, increasing participation, and measuring program impact, while preserving the department’s ability to identify potential data-sharing opportunities.
The measure also requires the department to designate an executive-level employee who reports directly to the Director of Social Services on implementing this section and on related provisions in Section 18901.58. For program operators, researchers, and counties that run CalFresh locally, the change creates legal and operational uncertainty for existing cross-agency feeds, outreach matching, and evaluation pipelines that rely on state-authorized data transfers.
At a Glance
What It Does
The bill amends W&I Code §18901.59 so CDSS can still seek out opportunities to share data but removes the state-level authorization for other public entities to transfer data to CDSS for CalFresh purposes. It also requires CDSS to name an executive-level official to report to the Director on carrying out this and a related provision.
Who It Affects
Directly affected actors include CDSS, county human services and welfare offices that operate CalFresh, local public health and workforce agencies that exchange eligibility or referral data, researchers and evaluators who use administrative matches, and community-based organizations that rely on referrals from public-data matches.
Why It Matters
By narrowing state authorization to receive public-sector data, the bill reduces an important legal basis counties and state agencies used for programmatic data matches and outreach. That shift will force agencies to revisit agreements, rely on alternate legal bases or contracts, and potentially scale back data-driven enrollment and measurement activities.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
Before AB 593, state law did two things at once: it allowed the Department of Social Services to look for opportunities to share data with other public entities, and it expressly authorized other public entities — to the extent federal law allowed — to provide data to the department for specified CalFresh purposes. The bill separates those powers.
CDSS keeps the ability to identify where data sharing could help administration, outreach, measurement, or access to services, but the explicit permission for public agencies to hand over their data is removed from state law.
In practice, many CalFresh workflows relied on state-law authorization for county-to-state or cross-agency data matches: eligibility matches with Medi-Cal or employment records to find presumptively eligible people, automated referrals from public health clinics, and aggregated administrative datasets used for program evaluation. Eliminating the statutory authorization does not automatically make those data flows illegal — federal rules, memoranda of understanding, preexisting contracts, and other statutory authorities still matter — but it does remove a clear, state-level backstop many agencies relied on.
That creates discretion-driven decisions: agencies may pause exchanges until legal counsel signs off or seek new MOUs or statutory clarifications.The bill’s other change is operational: CDSS must appoint an executive-level employee to report to the Director on implementing this section and Section 18901.58. That adds an internal governance point person, which can centralize decisions about which data initiatives proceed and how privacy or compliance concerns are handled.
But the statute does not add new procedural safeguards, define permitted data elements, require consent protocols, or create specific timelines for reporting — leaving many implementation details for policy makers and agency leaders to resolve.
The Five Things You Need to Know
AB 593 amends Welfare and Institutions Code §18901.59 to remove the explicit state authorization for public entities to share data with the Department of Social Services for CalFresh-related purposes.
The statute preserves a separate authority: the department may still identify potential data-sharing opportunities with state and local public entities and other units of state government.
The bill adds a requirement that CDSS designate an executive-level employee who reports to the Director on implementing §18901.59 and §18901.58, creating a named internal lead for this work.
The listed purposes that remain in the statute are limited and programmatic: improving CalFresh administration, increasing participation, measuring CalFresh’s impact, and increasing access to related public-health and poverty-alleviating services.
AB 593 does not create new privacy rules, define permitted data fields, nor grandfather or expressly terminate existing interagency agreements — producing legal ambiguity for current data-sharing arrangements.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Department may identify data-sharing opportunities
This paragraph retains the department’s authority to identify where data sharing could improve CalFresh administration, outreach, measurement, and access to health and anti-poverty services. Practically, it keeps CDSS in a convening and planning role: the department can still pursue policy partnerships, recommend technical integrations, and propose pilot data projects, but the paragraph no longer provides the reciprocal state-law permission for other public agencies to transmit data to CDSS.
Removal of explicit permission for public entities to share data
The bill excises the clause that previously authorized public entities, 'to the extent permitted by federal law,' to share data with the department for CalFresh purposes. That deletion takes away a clear, state-level legal basis many counties and partner agencies cited when exchanging administrative records. Departments and counties will need to verify whether alternative authorities (federal permissions, other state statutes, MOUs, or court orders) continue to justify those exchanges.
Executive-level designee and reporting line
Subsection (b) requires CDSS to name an executive-level employee who reports to the Director of Social Services on implementing this section and Section 18901.58. That establishes accountability inside CDSS — a single official responsible for coordinating policy, legal review, and cross-agency negotiations — but the statute stops short of assigning specific duties, resources, or reporting frequency, leaving agencies to define the role’s operational scope.
This bill is one of many.
Codify tracks hundreds of bills on Social Services across all five countries.
Explore Social Services in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- CalFresh applicants and recipients concerned about privacy: narrowing statutory authorization reduces an automatic legal channel for public agencies to transmit personal data to CDSS, which privacy advocates can point to as a limit on cross-agency data exposure.
- Civil-society and privacy advocacy organizations: the change gives these groups a clearer statutory footing to press for stricter data controls, audits, or consent mechanisms because state law no longer presumes interagency transfers.
- Public agencies that prefer a cautious approach to data handling: organizations that were wary of legal and compliance burdens from accepting external datasets may welcome the statute’s restraint, which reduces pressure to manage complex inbound data feeds without clear funding or oversight.
Who Bears the Cost
- County human services and welfare offices: counties lose a commonly relied-on state-law basis for sharing data that supported automated matches and targeted outreach, which may increase administrative work and reduce identification of eligible households.
- CDSS program and analytics teams: with fewer inbound data feeds, the department will face limits on its ability to measure program impact, run longitudinal analyses, and target interventions, unless it secures alternate legal bases or new resources.
- Researchers and evaluators: university and independent analysts who depended on administrative matches for evaluation will see reduced access or more cumbersome approval processes, slowing assessments of program effectiveness.
- Community-based organizations and enrollment navigators: entities that relied on referrals generated by cross-agency matches may see fewer warm referrals and will need to rely more on manual outreach or opt-in systems, increasing outreach costs.
Key Issues
The Core Tension
The central dilemma is straightforward: the bill tightens state-law permission to share public-sector data to protect privacy and limit presumptive data transfers, but in doing so it weakens the administrative machinery used to identify eligible people, measure program impacts, and route supportive services—forcing agencies to choose between stronger privacy guards and the programmatic benefits of data-driven outreach and evaluation.
The bill addresses a narrow legal lever — state-law authorization — but leaves broader governance questions unanswered. It does not define whether existing interagency agreements remain valid, whether data already transferred under earlier authority must be deleted or retained, or how CDSS should weigh federal permissions against the new state posture.
Agencies will need to map their current pipelines to identify which flows depend solely on §18901.59’s prior language and which rely on other legal bases such as federal rules, separate state statutes, or contractual agreements.
Another practical tension arises from the bill’s governance change. Appointing an executive designee centralizes responsibility, which can improve oversight, but without resources, explicit duties, or reporting timelines the role risks being symbolic.
Meanwhile, the absence of new technical or privacy standards—no definitions of allowable data elements, no minimum de-identification requirements, and no consent framework—means the legislative change reduces one statutory permission without replacing it with operational guidance, potentially prompting conservative legal interpretations that halt benign, high-value data uses such as automated referrals or quality-improvement analytics.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.