BILL NUMBER: SB 31 AMENDED BILL TEXT AMENDED IN SENATE JANUARY 7, 2008 AMENDED IN SENATE APRIL 17, 2007 AMENDED IN SENATE MARCH 20, 2007 INTRODUCED BY Senator Simitian DECEMBER 4, 2006 An act to add Title 1.80 (commencing with Section 1798.79) and Title 1.81.4 (commencing with Section 1798.98) to Part 4 of Division 3 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST SB 31, as amended, Simitian. Identification documents. The Information Practices Act of 1977 regulates the collection and disclosure of personal information regarding individuals by state agencies, except as specified. Existing law also prohibits certain business entities, as defined, from making specified disclosures in relation to individual consumer records. This bill would provide that a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document, as defined, using radio waves without his or her knowledge and prior consent, as described, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than
$5,000$1,500 , or both that fine and imprisonment. The bill would also provide that a person or entity who knowingly discloses, or causes to be disclosed, specified operational system keys shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $5,000$1,500 , or both that fine and imprisonment. The bill would provide that the provisions regarding knowing disclosure of operational system keys is to become operative only if SB 30 of the 2007-08 Regular Session is also enacted and becomes effective on or before January 1, 20082009 . By creating a new crime, this bill would result in a state-mandated local program. The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. The Legislature hereby finds and declares all of the following: (a) The right to privacy is a personal and fundamental right protected by Section 1 of Article I of the California Constitution and by the United States Constitution. All individuals have a right of privacy in information pertaining to them. (b) This state has previously recognized the importance of protecting the confidentiality and privacy of an individual's personal information contained in identification documents such as drivers' licenses. SEC. 2. Title 1.80 (commencing with Section 1798.79) is added to Part 4 of Division 3 of the Civil Code, to read: TITLE 1.80. Identification Documents 1798.79. (a) Except as provided in subdivisions (b) and (c), a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document using radio waves, for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than five thousand dollars ($5,000)one thousand five hundred dollars ($1,500) , or both that fine and imprisonment. (b) Subdivision (a) shall not apply to: (1) The reading of a person's identification document for triage or medical care during a disaster and immediate hospitalization or immediate outpatient care directly related to a disaster, as defined by the local emergency medical services agency organized under Section 1797.200 of the Health and Safety Code. (2) The reading of a person's identification document by a health care professional for reasons relating to the health or safety of that person or an identification document issued to a patient by emergency services. (3) The reading of an identification document of a person who is incarcerated in the state prison or a county jail, detained in a juvenile facility operated by the Division of Juvenile Facilities in the Department of Corrections and Rehabilitation, or housing in a mental health facility, pursuant to a court order after having been charged with a crime, or to a person pursuant to a court-ordered electronic monitoring. (4) Law enforcement or government personnel who need to read a lost identification document when the owner is unavailable for notice, knowledge, or consent, or those parties specifically authorized by law enforcement or government personnel for the limited purpose of reading a lost identification document when the owner is unavailable for notice, knowledge, or consent. (5) Law enforcement personnel who need to read a person's identification document after an accident in which the person is unavailable for notice, knowledge, or consent. (6) Law enforcement personnel who need to read a person's identification document pursuant to a search warrant. (7) A person or entity that in the course of operating its own contactless identification document system inadvertently reads or collects data from another contactless identification document system, provided that the inadvertently received data comports with all of the following: (A) The data is not disclosed to any other party. (B) The data is not used for any purpose. (C) The data is not stored or is promptly destroyed. (8) The reading of a person's identification document in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities. (c) Nothing in this section shall affect the existing rights of law enforcement to access data stored electronically on drivers' licenses. (d) The penalties set forth in subdivision (a) are independent of, and do not supersede, any other penalties provided by state law, and in the case of any conflict, the greater penalties shall apply. 1798.795. For purposes of this title, the following definitions shall apply: (a) "Contactless identification document system" means a group of identification documents issued and operated under a single authority that use radio waves to transmit data remotely to readers intended to read that data. In a contactless identification document system, every reader must be able to read every identification document in the system. (b) "Data" means information stored on an identification document in machine-readable form including, but not limited to, personal information and other unique personal identifier numbers. (c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following: (1) Driver's licenses or identification cards issued pursuant to Section 13000 of the Vehicle Code. (2) Identification cards for employees or contractors. (3) Identification cards issued by educational institutions. (4) Health insurance or benefit cards. (5) Benefit cards issued in conjunction with any government-supported aid program. (6) Licenses, certificates, registration, or other means to engage in a business or profession regulated by the Business and Professions Code. (7) Library cards issued by any public library. (d) "Key" means a string of bits of information used as part of a cryptographic algorithm used in encryption. (e) "Personal information" includes any of the following data elements to the extent that they are used alone or in conjunction with any other information to identify an individual: (1) First or last name. (2) Address. (3) Telephone number. (4) E-mail address. (5) Date of birth. (6) Driver's license number or California identification card number. (7) Any unique personal identifier number contained or encoded on a driver's license or identification card issued pursuant to Section 13000 of the Vehicle Code. (8) Bank, credit card, or other financial institution account number. (9) Credit or debit card number. (10) Any unique personal identifier number contained or encoded on a health insurance, health benefit, or benefit card issued in conjunction with any government-supported aid program. (11) Religion. (12) Ethnicity or nationality. (13) Photograph. (14) Fingerprint or other biometric identification. (15) Social security number. (16) Any unique personal identifier. (f) "Reader" means a scanning device that is capable of using radio waves to communicate with an identification document and read the data transmitted by that identification document. (g) "Remotely" means that no physical contact between the identification document and a reader is necessary in order to transmit data using radio waves. (h) "Unique personal identifier number" means a randomly assigned string of numbers or symbols that is encoded onto the identification document and is intended to identify the identification document that has been issued to a particular individual. SEC. 3. Title 1.81.4 (commencing with Section 1798.98) is added to Part 4 of Division 3 of the Civil Code, to read: TITLE 1.81.4. Operational System Keys 1798.98. (a) A person or entity who knowingly discloses, or causes to be disclosed, the operational system keys described in Section 1798.11 in violation of Section 1798.11 shall be punished by imprisonment in a county jail for up to one year, a fine of not more than five thousand dollars ($5,000)one thousand five hundred dollars ($1,500) , or both that fine and imprisonment. (b) The definitions described in Section 1798.795 shall apply to this title. 1798.99. This title shall become operative on January 1, 20082009 , only if Senate Bill 30 of the 2007-08 Regular Session is enacted and becomes effective on or before January 1, 20082009 . SEC. 4. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.