BILL NUMBER: SB 602	AMENDED
	BILL TEXT

	AMENDED IN SENATE  MARCH 21, 2011

INTRODUCED BY   Senator Yee

                        FEBRUARY 17, 2011

    An act to amend Section 1798.91 of the Civil Code,
relating to consumer privacy.   An act to add Title
1.81.15 (commencing with Section 1798.90) to Part 4 of Division 3 of
the Civil Code, relating to the reader privacy. 


	LEGISLATIVE COUNSEL'S DIGEST


   SB 602, as amended, Yee.  Consumer privacy: medical
information.   Reader Privacy Act.  
   The California Public Records Act requires state and local
agencies to make their records available for public inspection and,
upon request of any person, to provide a copy of any public record
unless the record is exempt from disclosure. The act provides that
all registration and circulation records of any library which is in
whole or in part supported by public funds is confidential and shall
not be disclosed to any person, except as provided.  
   Existing law protects the privacy of personal information,
including customer records, and requires a business that owns or
licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information, to protect the personal
information from unauthorized access, destruction, use,
modification, or disclosure.  
   Existing law provides various grounds for the issuance of a search
warrant, and provides that a search warrant cannot be issued but
upon probable cause, supported by affidavit, naming or describing the
person to be searched or searched for, and particularly describing
the property and the place to be searched.  
   The Civil Discovery Act generally provides for the scope of
discovery in civil actions and proceedings, and permits a party to a
civil action to obtain discovery by inspecting documents, tangible
things, and land or other property in the possession of any other
party to the action.  
   This bill would enact the Reader Privacy Act, which would, among
other things, prohibit a commercial provider of a book service, as
defined, from disclosing, or being compelled to disclose, any
personal information relating to a user of the book service, subject
to certain exceptions. The bill would require a court, when
considering whether to issue a search warrant or an order for civil
discovery, to make specified findings, including that the person or
entity seeking disclosure of personal information of a user of a book
service has a compelling interest in obtaining that information. The
bill would impose civil penalties on a provider of a book service
for knowingly disclosing a user's personal information to a
government entity in violation of these provisions. The bill would
require that any provider of a book service prepare a specified
report relating to demands for disclosure of personal information of
users of the book service, and publish that information in a
searchable format on the Internet.  
   Existing law prohibits a business from requesting medical
information directly from an individual and disclosing it for direct
marketing purposes, as defined, without first informing the
individual that the information will be used to market or advertise
products to him or her and obtaining the individual's consent to use
the information for that purpose.  
   This bill would make nonsubstantive changes to this provision
regarding obtaining and disclosing medical information for direct
marketing purposes. 
   Vote: majority. Appropriation: no. Fiscal committee:  no
  yes  . State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.  Title 1.81.15 (commencing with Section 1798.90) is
added to Part 4 of Division 3 of the Civil Code, to read:

      TITLE 1.81.15.  Reader Privacy Act


   1798.90.  (a) This title shall be known and may be cited as the
Reader Privacy Act.
   (b) For purposes of this section:
   (1) "Book" means paginated or similarly organized content in
printed, audio, electronic, or other format, including fiction,
nonfiction, academic, or other works of the type normally published
in a volume or volumes.
   (2) "Book service" means a service that, as its primary purpose,
provides the rental, purchase, borrowing, browsing, or viewing of
books.
   (3) "Government entity" means any state or local agency,
including, but not limited to, a law enforcement or any other
investigative agency, department, division, bureau, board, or
commission, or any individual acting or purporting to act for or on
behalf of a state or local agency.
   (4) "Personal information" means any information described in
Section 1798.80, and specifically includes a unique identifier or
Internet Protocol (IP) address when that identifier or address is
being used to identify, relate, describe, or be associated with, a
particular individual, and any information associated with a
particular user's access or use of a book service or a book in whole
or partial form.
   (5) "Provider" means any commercial entity offering a book service
to the public.
   (6) "User" means any person or entity that uses a book service.
   (c) A provider shall not knowingly disclose to any government
entity, or be compelled to disclose to any person or entity, any
personal information of a user, in whole or in part, except under any
of the following circumstances:
   (1) A provider shall disclose personal information of a user
pursuant to a search warrant issued by a duly authorized court with
jurisdiction over an offense under investigation using the procedures
described in Chapter 3 (commencing with Section 1523) of Title 12 of
Part 2 of the Penal Code, if all of the following conditions are
met:
   (A) The court issuing the warrant finds that the person or entity
seeking disclosure has a compelling interest in obtaining the
personal information sought.
   (B) The court issuing the warrant finds that the personal
information sought cannot be obtained by the person or entity seeking
disclosure through less intrusive means.
   (C) The person or entity seeking disclosure provides the provider
with reasonable notice of the proceeding prior to the issuance of the
warrant.
   (D) The opportunity to appear and contest the issuance of the
warrant is afforded to the provider prior to the issuance of the
warrant.
   (E) Notice of the warrant is given to the user by the person or
entity seeking disclosure contemporaneous with execution of the
warrant, unless there is a judicial determination of a strong showing
of necessity to delay that notification for a reasonable period of
time, not to exceed seven days.
   (2) A provider shall disclose personal information of a user
pursuant to a court order in a pending civil or administrative
action, if all of the following conditions are met:
   (A) The court issuing the discovery order finds that the person or
entity seeking disclosure has a compelling interest in obtaining the
personal information sought.
   (B) The court issuing the discovery order finds that the personal
information sought cannot be obtained by the person or entity seeking
disclosure through less intrusive means.
   (C) The person or entity seeking disclosure takes reasonable steps
to provide the user and the provider with reasonable notice of the
proceeding prior to the issuance of the court order in a timely
manner to allow the user and provider the opportunity to appear and
contest the issuance of the court order.
   (D) The provider refrains from disclosing any personal information
pursuant to the court order until it provides notice to the user
about the issuance of the order and the ability to appear and quash
the order, and the user has been given a reasonable opportunity to
appear and quash the order.
   (3) A provider shall disclose the personal information of a user
to any person with the informed, affirmative consent of that user.
   (4) A provider may disclose to a government entity, if the
government entity asserts, and the provider in good faith believes,
that there is an imminent danger of death or serious physical injury
requiring the immediate disclosure of the requested personal
information and there is insufficient time to obtain a warrant. The
government entity seeking the disclosure shall provide the provider
with a written statement setting forth the facts giving rise to the
emergency upon request or no later than 48 hours after seeking
disclosure.
   (5) A provider may disclose personal information of a user of a
book service to a government entity if the provider in good faith
believes that the personal information is evidence directly related
and relevant to a crime against the provider or that user of the book
service.
   (d) (1) Any court issuing a search warrant or civil discovery
order requiring the disclosure of personal information of a user of a
book service shall impose appropriate safeguards against the
unauthorized disclosure of personal information by the provider
pursuant to the warrant or order.
   (2) The court may, in its discretion, quash or modify a warrant or
court order requiring the disclosure of the user's personal
information upon a motion made by the user, provider, or person or
entity seeking disclosure.
   (e) Except as proof in an action for a violation of this section,
no evidence obtained in violation of this section shall be admissible
in any civil, administrative, or other proceeding.
   (f) (1) Violations of this section shall be subject to the
following penalties:
   (A) Any provider that knowingly provides personal information
about the use of a book service to a government entity in violation
of this section shall be subject to a civil penalty not to exceed
five hundred dollars ($500) for each violation, which may be
recovered in a civil action brought by the person who is the subject
of the records.
   (B) Any provider that knowingly provides personal information to a
government entity in violation of this section on three or more
occasions in any six-month period shall, in addition to the penalty
prescribed by subparagraph (A), be subject to a civil penalty not to
exceed five hundred dollars ($500) for each violation, which may be
assessed and recovered in a civil action brought by the Attorney
General, by any district attorney or city attorney, or by a city
prosecutor in any city having a full-time city prosecutor, in any
court of competent jurisdiction.
   (2) If an action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney, the penalty collected
shall be paid to the treasurer of the county in which the judgment
was entered. If the action is brought by a city attorney or city
prosecutor, one-half of the penalty shall be paid to the treasurer of
the city in which the judgment was entered, and one-half to the
treasurer of the county in which the judgment was entered.
   (3) The penalties provided by this section are not the exclusive
remedy and do not affect any other relief or remedy provided by law.
   (4) A civil action brought pursuant to this section shall be
commenced within two years after the date upon which the claimant
first discovered the violation.
   (g) An objectively reasonable reliance by the provider on a
warrant or court order for the disclosure of personal information of
a user of a book service, or on any of the enumerated exceptions to
the confidentiality of a user's personal information set forth in
this section, is a complete defense to any civil, administrative, or
criminal action.
   (h) Unless disclosure of information pertaining to a particular
request or set of requests is specifically prohibited by law, a
provider shall prepare a report including all of the following
information, to the extent it can be reasonably determined:
   (1) The number of federal warrants, state warrants, grand jury
subpoenas, civil and administrative subpoenas, court orders, and
requests for information made with the informed consent of the user
as described in paragraph (3) of subdivision (a), seeking disclosure
of any personal information of a user related to the access or use of
a book service or book, received by the provider from January 1 to
December 31, inclusive, of the previous year.
   (2) The number of disclosures made by the provider pursuant to
paragraphs (5) and (6) of subdivision (a) from January 1 to December
31, inclusive, of the previous year.
   (3) For each category of demand or disclosure, the provider shall
include all of the following information:
   (A) The number of times notice of a warrant or a court order in a
civil or administrative action has been provided by the provider and
the date the notice was provided.
   (B) The number of times personal information has been disclosed by
the provider.
   (C) The number of times no personal information has been disclosed
by the provider.
   (D) The number of times the provider contests the demand.
   (E) The number of times the user contests the demand.
   (F) The number of users whose personal information was disclosed
by the provider.
   (G) The type of personal information that was disclosed and the
number of times that type of personal information was disclosed.
   (i) Reports prepared pursuant to subdivision (h) shall be made
publicly available in an online, searchable format by March 1 of each
year.
   (j) Any provider subject to Section 22575 of the Business and
Professions Code shall create a prominent hyperlink to its latest
report published pursuant to subdivision (i) in the disclosure
section of the privacy policy applicable to its book service by March
1 of each year.
   (k) Nothing in this section shall otherwise affect the rights of
any person under the California Constitution or any other law. 

  SECTION 1.    Section 1798.91 of the Civil Code is
amended to read:
   1798.91.  (a) For purposes of this title, the following
definitions shall apply:
   (1) "Direct marketing purposes" means the use of personal
information for marketing or advertising products, goods, or services
directly to individuals. "Direct marketing purposes" does not
include the use of personal information in either of the following
circumstances:
   (A) By bona fide tax exempt charitable or religious organizations
to solicit charitable contributions.
   (B) To raise funds from, and communicate with, individuals
regarding politics and government.
   (2) "Medical information" means any individually identifiable
information, in electronic or physical form, regarding the individual's
medical history, or medical treatment or diagnosis by a health care
professional. "Individually identifiable" means that the medical
information includes or contains any element of personal identifying
information sufficient to allow identification of the individual,
such as the individual's name, address, electronic mail address,
telephone number, or social security number, or other information
that, alone or in combination with other publicly available
information, reveals the individual's identity. For purposes of this
section, "medical information" does not mean a subscription to,
purchase of, or request for a periodical, book, pamphlet, video,
audio, or other multimedia product or nonprofit association
information.
   (3) "Clear and conspicuous" means in larger type than the
surrounding text, or in contrasting type, font, or color to the
surrounding text of the same size, or set off from the surrounding
text of the same size by symbols or other marks that call attention
to the language.
   (4) For purposes of this section, the collection of medical
information online constitutes "in writing." For purposes of this
section, "written consent" includes consent obtained online.
   (b) A business may not orally request medical information directly
from an individual regardless of whether the information pertains to
the individual or not, and use, share, or otherwise disclose that
information for direct marketing purposes, without doing both of the
following prior to obtaining that information:
   (1) Orally disclosing to the individual in the same conversation
during which the business seeks to obtain the information, that it is
obtaining the information to market or advertise products, goods, or
services to the individual.
   (2) Obtaining the consent of either the individual to whom the
information pertains or a person legally authorized to consent for
the individual, to permit his or her medical information to be used
or shared to market or advertise products, goods, or services to the
individual, and making and maintaining for two years after the date
of the conversation, an audio recording of the entire conversation.
   (c) A business may not request in writing medical information
directly from an individual regardless of whether the information
pertains to the individual or not, and use, share, or otherwise
disclose that information for direct marketing purposes, without
doing both of the following prior to obtaining that information:
   (1) Disclosing in a clear and conspicuous manner that it is
obtaining the information to market or advertise products, goods, or
services to the individual.
   (2) Obtaining the written consent of either the individual to whom
the information pertains or a person legally authorized to consent
for the individual, to permit his or her medical information to be
used or shared to market or advertise products, goods, or services to
the individual.
   (d) This section does not apply to a provider of health care,
health care service plan, or contractor, as defined in Section 56.05.

   (e) This section shall not apply to an insurance institution,
agent, or support organization, as defined in Section 791.02 of the
Insurance Code, when engaged in an insurance transaction, as defined
in subdivision (m) of Section 791.02 of the Insurance Code, pursuant
to all the requirements of Article 6.6 (commencing with Section 791)
of Chapter 1 of Part 2 of Division 1 of the Insurance Code, and the
regulations promulgated thereunder.
   (f) This section does not apply to a telephone corporation, as
defined in Section 234 of the Public Utilities Code, when that
corporation is engaged in providing telephone services and products
pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities
Code, if the corporation does not share or disclose medical
information obtained as a consequence of complying with those
sections of the Public Utilities Code, to third parties for direct
marketing purposes.