BILL NUMBER: SB 328	INTRODUCED
	BILL TEXT


INTRODUCED BY   Senator Corbett

                        FEBRUARY 16, 2007

   An act to amend Sections 1798.80 and 1798.84 of, and to add
Section 1798.83.5 to, the Civil Code, relating to personal
information.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 328, as introduced, Corbett. Personal information: prohibited
practices.
   Existing law requires a business to ensure the privacy of a
customer's personal information, as defined, contained in records, as
defined, by destroying, or arranging for the destruction of, the
records. Existing law requires, subject to certain exceptions, a
business that discloses a customer's personal information, including
information relating to income or purchases, to a 3rd party for
direct marketing purposes to provide the customer, within 30 days
after the customer's request, as specified, in writing or by e-mail
the names and addresses of the recipients of that information and
specified details regarding the information disclosed, except as
specified. Existing law requires a person or business that owns or
licenses computerized data that include personal information to
disclose any breach of the security of its system, as specified.
Existing law requires a business, other than one of specified
entities, that owns or licenses personal information about a
California resident to implement and maintain reasonable security
procedures and practices to protect personal information from
unauthorized access, destruction, use, modification, or disclosure.
Any customer injured by a business' violation of these provisions is
entitled to recover damages, a civil penalty, attorney's fees,
injunctive relief, and other remedies.
   This bill would include a telephone calling pattern record or list
in the definition of "personal information" for purposes of the
above-described provisions. The bill would also prohibit any person,
as defined, from, among other things, obtaining or attempting to
obtain, or causing or attempting to cause the disclosure of, personal
information about a customer or employee contained in the records of
a business through specified methods, such as by making false,
fictitious, or fraudulent statements or representations, with
specified exceptions. The bill would provide civil remedies for the
violation thereof, and would make related and conforming changes in
that regard.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 1798.80 of the Civil Code is amended to read:
   1798.80.  The following definitions apply to this title:
   (a) "Business" means a sole proprietorship, partnership,
corporation, association, or other group, however organized and
whether or not organized to operate at a profit, including a
financial institution organized, chartered, or holding a license or
authorization certificate under the law of this state, any other
state, the United States, or of any other country, or the parent or
the subsidiary of a financial institution. The term includes an
entity that destroys records. 
   (b) "Records" means any material, regardless of the physical form,
on which information is recorded or preserved by any means,
including in written or spoken words, graphically depicted, printed,
or electromagnetically transmitted. "Records" does not include
publicly available directories containing information an individual
has voluntarily consented to have publicly disseminated or listed,
such as name, address, or telephone number.  
   (c) 
    (b)  "Customer" means an individual who provides
personal information to a business for the purpose of purchasing or
leasing a product or obtaining a service from the business. 
   (d) 
    (c)  "Individual" means a natural person. 
   (d) "Person" means an individual, business association,
partnership, limited partnership, corporation, limited liability
company, trust, estate, cooperative association, or other entity.

   (e) "Personal information" means any information that identifies,
relates to, describes, or is capable of being associated with, a
particular individual, including, but not limited to, his or her
name, signature, social security number, physical characteristics or
description, address, telephone number,  telephone calling
pattern record or list,  passport number, driver's license or
state identification card number, insurance policy number, education,
employment, employment history, bank account number, credit card
number, debit card number, or any other financial information. 
   (f) "Records" means any material, regardless of the physical form,
on which information is recorded or preserved by any means,
including in written or spoken words, graphically depicted, printed,
or electromagnetically transmitted. "Records" does not include
publicly available directories containing information an individual
has voluntarily consented to have publicly disseminated or listed,
such as name, address, or telephone number. 
  SEC. 2.  Section 1798.83.5 is added to the Civil Code, to read:
   1798.83.5.  (a) A person shall not obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be disclosed, personal
information about a customer or employee contained in the records of
a business using any of the following methods:
   (1) By making a false, fictitious, or fraudulent statement or
representation to an officer, employee, or agent of a business.
   (2) By making a false, fictitious, or fraudulent statement or
representation to a customer of a business.
   (3) By providing any document to an officer, employee, or agent of
a business, knowing that the document is forged, counterfeit, lost,
or stolen, was fraudulently obtained, or contains a false,
fictitious, or fraudulent statement or representation.
   (b) A person shall not request a person to obtain personal
information about a customer or employee contained in the records of
a business, knowing that the person will obtain, or attempt to
obtain, the information in any manner described in subdivision (a).
   (c) No provision of this section shall be construed to prevent any
action by a law enforcement agency, or any officer, employee, or
agent of that agency, to obtain personal information about a customer
or employee contained in the records of a business, as permitted by
law in connection with the performance of the official duties of the
agency.
   (d) No provision of this section shall be construed to prevent any
business, or any officer, employee, or agent of that business, from
obtaining personal information about a customer or employee contained
in the records of the business, in the course of any of the
following:
   (1) Testing the security procedures or systems of the business,
for maintaining the confidentiality of personal information about a
customer or employee.
   (2) Investigating allegations of misconduct or negligence on the
part of any officer, employee, or agent of the business.
   (3) Recovering personal information about a customer or employee
of the business, which was obtained or received by another person in
any manner described in subdivision (a) or (b).
   (4) Analyzing its customer records for patterns of activity in an
effort to identify fraud or identity theft.
   (e) Any personal information that is obtained in violation of
subdivision (a) or (b) shall be inadmissible as evidence in any
judicial, administrative, legislative, or other proceeding, except
when that information is offered as proof in an action for a
violation of this title.
   (f) No provision of this section shall be construed to prevent any
person from obtaining personal information pursuant to a lawfully
issued and noticed subpoena or court order.
   (g) The rights and remedies of a customer or employee for a
violation of this section are the remedies provided in Section
1798.84.
  SEC. 3.  Section 1798.84 of the Civil Code is amended to read:
   1798.84.  (a) Any waiver of a provision of this title is contrary
to public policy and is void and unenforceable.
   (b) Any customer injured by a violation of this title may
institute a civil action to recover damages.
   (c) In addition, for a willful, intentional, or reckless violation
of Section  1798.83,   1798.83 or 1798.83.5,
 a customer may recover a civil penalty not to exceed three
thousand dollars ($3,000) per violation; otherwise, the customer may
recover a civil penalty of up to five hundred dollars ($500) per
violation for a violation of Section  1798.83.  
1798.83 or 1798.83.5. 
   (d) Unless the violation is willful, intentional, or reckless, a
business that is alleged to have not provided all the information
required by subdivision (a) of Section 1798.83, to have provided
inaccurate information, failed to provide any of the information
required by subdivision (a) of Section 1798.83, or failed to provide
information in the time period required by subdivision (b) of Section
1798.83, may assert as a complete defense in any action in law or
equity that it thereafter provided regarding the information that was
alleged to be untimely, all the information, or accurate
information, to all customers who were provided incomplete or
inaccurate information, respectively, within 90 days of the date the
business knew that it had failed to provide the information, timely
information, all the information, or the accurate information,
respectively.
   (e) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
   (f) A prevailing plaintiff in any action commenced under Section
1798.83  or 1798.83.5  shall also be entitled to recover his
or her reasonable attorney's fees and costs.
   (g) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law. 
   (h) The term "customer," as used in this section, with respect to
a violation of Section 1798.83.5 only, includes a customer or
employee of a business.