BILL NUMBER: SB 550 AMENDED
BILL TEXT
AMENDED IN SENATE MAY 2, 2005
AMENDED IN SENATE APRIL 11, 2005
INTRODUCED BY Senator Speier
FEBRUARY 18, 2005
An act to amend Section 1798.84 of, and to add Title
1.805 (commencing with Section 1798.79) to Part 4 of Division 3 of,
the Civil Code, relating to personal information. An
act relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
SB 550, as amended, Speier. Data brokers.
(1) Existing law generally
regulates a business businesses that
discloses disclose personal information
about a California resident
residents to 3rd parties.
The bill would declare the intent of the Legislature to enact
legislation that allows consumers access to their personal
information held by data brokers, as specified.
This bill would further regulate a data broker, which would be
defined as a commercial entity that collects, assembles, or maintains
personally identifiable information about a California resident for
the sale or transmission of, or provision of access to, that
information to any 3rd party. The bill would, among other things,
authorize a California resident to request that his or her personally
identifiable information, as defined, be excluded from any report
prepared by a data broker, and would require a data broker to inform
that resident every time the broker issues a report containing that
information. The bill would further require every data broker to
allow every California resident the right to obtain disclosure of all
personally identifiable information pertaining to that individual
held by the broker, and to be informed of the identity of each person
or entity that procures that information from the broker. The bill
would require the prompt correction of errors in any report, and,
upon a breach of security of an individual's information, would
require the data broker to pay for a security freeze of that
individual's credit reports. The bill would provide for specified
penalty provisions and injunctive relief.
(2) Existing law requires a business to take all reasonable steps
to destroy, or arrange for the destruction of, a customer's records
within its custody or control that contains personal information.
Existing law further regulates the disclosure of personal information
about a California resident to 3rd parties, and requires any person
or business that conducts business in California, and that owns or
licenses computerized data that includes personal information, to
disclose to those individuals a breach of its security system.
Existing law provides a private cause of action to a customer, as
defined, who is injured by a violation of the above provisions.
This bill would provide that cause of action to any individual who
is injured by a violation of the above provisions.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1.
It is the intent of the Legislature to enact legislation that
allows consumers access to their personal information held by data
brokers and the ability to request corrections in that information
from the source of error.
SECTION 1. Title 1.805 (commencing with Section 1798.79) is added
to Part 4 of Division 3 of the Civil Code, to read:
TITLE 1.805. DATA BROKERS
1798.79.
For purposes of this title:
(a) "Data broker" means a commercial entity that collects,
assembles, or maintains personally identifiable information about a
California resident for the sale or transmission of, or the provision
of access to, that information to any third party, whether that
collection, assembly, or maintenance is performed by the data broker
directly or by contract or subcontract with any other entity.
(b) "Individual" means a natural person residing in California.
(c) "Personally identifiable information" means any information
that identifies, relates to, describes, or is capable of being
associated with, a particular individual, including, but not limited
to, his or her name, signature, social security number, physical
characteristics or description, address, telephone number, passport
number, driver's license or state identification card number,
insurance policy number, education, employment, employment history,
bank account number, credit card number, debit card number, or any
other financial information.
1798.79.2.
(a) Every individual may request that his or her personally
identifiable information be excluded from any report prepared by a
data broker. Every data broker shall establish a notification system,
including, but not limited to, a toll-free telephone number, through
which an individual can provide notice to that broker that the
individual's personally identifiable information shall be excluded
therefor. The data broker shall be prohibited from disclosing that
personally identifiable information after receipt of that notice,
except that no penalty shall be imposed for any disclosure made
within five business days after the notice if the data broker proves
that the data was disclosed in response to a request received prior
to receipt of the election and the data broker took all reasonable
steps to prevent disclosure.
(b) Whenever a data broker issues a report containing personally
identifiable information, except for a report issued to a government
agency or pursuant to a court order, the data broker shall send a
written notice to the individual who is the subject of the report.
That notice shall provide the name and address of the person or
entity who requested the report, and shall advise the data subject
that he or she has a right to receive a copy of the report and to
have all personally identifiable information excluded from future
reports.
(c) Every data broker shall allow every individual the right to
obtain disclosure of all personally identifiable information
pertaining to the individual held by the broker, and to be informed
of the identity of each person or entity that procures any personally
identifiable information from the broker.
(d) Every data broker shall allow every individual the right to
request and receive prompt correction of errors in personally
identifiable information held by the broker.
(e) Upon request of an individual, a data broker shall provide the
name and address of any recipient of a report about the individual
provided within the prior 12 months.
1798.79.4.
In the event of a breach in information security by a data broker
that holds an individual's personally identifiable information, the
data broker shall pay for a security freeze of that individual's
credit reports pursuant to Section 1785.11.2.
1798.79.6.
(a) For a willful, intentional, or reckless violation of this
title, an individual may recover a civil penalty not to exceed three
thousand dollars ($3,000) per violation. Otherwise, the individual
may recover a civil penalty of up to five hundred dollars ($500) per
violation for a violation of this title.
(b) Any data broker that violates, proposes to violate, or has
violated this title may be enjoined.
(c) The rights and remedies available under this section are
cumulative with each other and with any other rights and remedies
available under law.
SEC. 2. Section 1798.84 of the Civil Code is amended to read:
1798.84.
(a) Any waiver of a provision of this title is contrary to public
policy and is void and unenforceable.
(b) Any customer or individual whose personal information is
disclosed who is injured by a violation of this title may institute a
civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation
of Section 1798.83, a customer may recover a civil penalty not to
exceed three thousand dollars ($3,000) per violation; otherwise, the
customer may recover a civil penalty of up to five hundred dollars
($500) per violation for a violation of Section 1798.83.
(d) Unless the violation is willful, intentional, or reckless, a
business that is alleged to have not provided all the information
required by subdivision (a) of Section 1798.83, to have provided
inaccurate information, failed to provide any of the information
required by subdivision (a) of Section 1798.83, or failed to provide
information in the time period required by subdivision (b) of Section
1798.83, may assert as a complete defense in any action in law or
equity that it thereafter provided regarding the information that was
alleged to be untimely, all the information, or accurate
information, to all customers who were provided incomplete or
inaccurate information, respectively, within 90 days of the date the
business knew that it had failed to provide the information, timely
information, all the information, or the accurate information,
respectively.
(e) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
(f) A prevailing plaintiff in any action commenced under Section
1798.83 shall also be entitled to recover his or her reasonable
attorney's fees and costs.
(g) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.