BILL NUMBER: SB 31 CHAPTERED
BILL TEXT
CHAPTER 746
FILED WITH SECRETARY OF STATE SEPTEMBER 30, 2008
APPROVED BY GOVERNOR SEPTEMBER 30, 2008
PASSED THE SENATE AUGUST 19, 2008
PASSED THE ASSEMBLY AUGUST 12, 2008
AMENDED IN ASSEMBLY AUGUST 7, 2008
AMENDED IN ASSEMBLY JULY 3, 2008
AMENDED IN ASSEMBLY JUNE 17, 2008
AMENDED IN ASSEMBLY JUNE 5, 2008
AMENDED IN SENATE JANUARY 7, 2008
AMENDED IN SENATE APRIL 17, 2007
AMENDED IN SENATE MARCH 20, 2007
INTRODUCED BY Senator Simitian
DECEMBER 4, 2006

An act to add Title 1.80 (commencing with Section 1798.79) to Part 4 of Division 3 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL'S DIGEST
SB 31, Simitian. Identification documents.
The Information Practices Act of 1977 regulates the collection and disclosure of personal information regarding individuals by state agencies, except as specified. Existing law also prohibits certain business entities, as defined, from making specified disclosures in relation to individual consumer records.
This bill would provide that a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document using radio frequency identification (RFID) without his or her knowledge and prior consent, as described, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $1,500, or both that fine and imprisonment, except as specified. The bill would also provide that a person or entity that knowingly discloses, or causes to be disclosed, specified operational system keys shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $1,500, or both that fine and imprisonment. By creating new crimes, this bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. The Legislature hereby finds and declares all of the following:
(a) The right to privacy is a personal and fundamental right protected by Section 1 of Article I of the California Constitution and by the United States Constitution. All individuals have a right of privacy in information pertaining to them.
(b) This state has previously recognized the importance of protecting the confidentiality and privacy of an individual's personal information contained in identification documents such as driver's licenses.

SEC. 2. Title 1.80 (commencing with Section 1798.79) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.80. Identification Documents

1798.79. (a) Except as provided in this section, a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document using radio frequency identification (RFID), for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.
(b) A person or entity that knowingly discloses, or causes to be disclosed, the operational system keys used in a contactless identification document system shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.
(c) Subdivision (a) shall not apply to:
(1) The reading of a person's identification document for triage or medical care during a disaster and immediate hospitalization or immediate outpatient care directly related to a disaster, as defined by the local emergency medical services agency organized under Section 1797.200 of the Health and Safety Code.
(2) The reading of a person's identification document by a health care professional for reasons relating to the health or safety of that person or an identification document issued to a patient by emergency services.
(3) The reading of an identification document of a person who is incarcerated in the state prison or a county jail, detained in a juvenile facility operated by the Division of Juvenile Facilities in the Department of Corrections and Rehabilitation, or housed in a mental health facility, pursuant to a court order after having been charged with a crime, or to a person pursuant to a court-ordered electronic monitoring.
(4) Law enforcement or government personnel who need to read a lost identification document when the owner is unavailable for notice, knowledge, or consent, or those parties specifically authorized by law enforcement or government personnel for the limited purpose of reading a lost identification document when the owner is unavailable for notice, knowledge, or consent.
(5) Law enforcement personnel who need to read a person's identification document after an accident in which the person is unavailable for notice, knowledge, or consent.
(6) Law enforcement personnel who need to read a person's identification document pursuant to a search warrant.
(d) Subdivision (a) shall not apply to a person or entity that unintentionally remotely reads a person's identification document using RFID in the course of operating a contactless identification document system unless it knows it unintentionally read the document and thereafter intentionally does any of the following acts:
(1) Discloses what it read to a third party whose purpose is to read a person's identification document, or any information derived therefrom, without that person's knowledge and consent.
(2) Stores what it read for the purpose of reading a person's identification document, or any information derived therefrom, without that person's knowledge and prior consent.
(3) Uses what it read for the purpose of reading a person's identification document, or any information derived therefrom, without that person's knowledge and prior consent.
(e) Subdivisions (a) and (d) shall not apply to the reading, storage, use, or disclosure to a third party of a person's identification document, or information derived therefrom, in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.
(f) Nothing in this section shall affect the existing rights of law enforcement to access data stored electronically on driver's licenses.
(g) The penalties set forth in subdivisions (a) and (b) are independent of, and do not supersede, any other penalties provided by state law, and in the case of any conflict, the greater penalties shall apply.

1798.795. For purposes of this title, the following definitions shall apply:
(a) "Contactless identification document system" means a group of identification documents issued and operated under a single authority that use RFID to transmit data remotely to readers intended to read that data. In a contactless identification document system, every reader must be able to read every identification document in the system.
(b) "Data" means any information stored or transmitted on an identification document in machine-readable form.
(c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following:
(1) Driver's licenses or identification cards issued pursuant to Section 13000 of the Vehicle Code.
(2) Identification cards for employees or contractors.
(3) Identification cards issued by educational institutions.
(4) Health insurance or benefit cards.
(5) Benefit cards issued in conjunction with any government-supported aid program.
(6) Licenses, certificates, registration, or other means to engage in a business or profession regulated by the Business and Professions Code.
(7) Library cards issued by any public library.
(d) "Key" means a string of bits of information used as part of a cryptographic algorithm used in encryption.
(e) "Radio frequency identification" or "RFID" means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from an identification document through a variety of modulation and encoding schemes.
(f) "Reader" means a scanning device that is capable of using RFID to communicate with an identification document and read the data transmitted by that identification document.
(g) "Remotely" means that no physical contact between the identification document and a reader is necessary in order to transmit data using RFID.

SEC. 3. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.