BILL NUMBER: SB 602 AMENDED
BILL TEXT
AMENDED IN ASSEMBLY JULY 5, 2011
AMENDED IN ASSEMBLY JUNE 6, 2011
AMENDED IN SENATE APRIL 25, 2011
AMENDED IN SENATE MARCH 30, 2011
AMENDED IN SENATE MARCH 21, 2011
INTRODUCED BY Senator Yee
FEBRUARY 17, 2011
An act to add Title 1.81.15 (commencing with Section 1798.90) to
Part 4 of Division 3 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
SB 602, as amended, Yee. Reader Privacy Act.
The California Public Records Act requires state and local
agencies to make their records available for public inspection and,
upon request of any person, to provide a copy of any public record
unless the record is exempt from disclosure. The act provides that
all registration and circulation records of any library that is in
whole or in part supported by public funds are confidential and shall
not be disclosed to any person, except as provided.
Existing law protects the privacy of personal information,
including customer records, and requires a business that owns or
licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information, in order to protect the
personal information from unauthorized access, destruction, use,
modification, or disclosure.
The Civil Discovery Act generally provides for the scope of
discovery in civil actions and proceedings, and permits a party to a
civil action to obtain discovery by inspecting documents, tangible
things, and land or other property in the possession of any other
party to the action.
This bill would enact the Reader Privacy Act, which would, among
other things, prohibit a commercial provider of a book service, as
defined, from disclosing, or being compelled to disclose, any
personal information relating to a user of the book service, subject
to certain exceptions. The bill would require a court, when
considering whether to issue an order in a pending civil or
administrative action, to make specified findings, including that the
person or entity seeking disclosure of personal information of a
user of a book service has a compelling interest in obtaining that
information. The bill would additionally require a court having
jurisdiction over an offense to make specified findings before
issuing an order to disclose the personal information of a user to a
government entity. a provider to disclose personal
information of a user only if a court order has been issued, as
specified, and certain other conditions have been satisfied. The bill
would also require a provider to disclose personal information of a
user if the user has consented to the disclosure and would authorize
a provider to disclose the personal information of a user to a
government entity, as defined, if an imminent danger of death or
serious physical injury exists, as specified, or if the provider in
good faith believes the information is directly relevant to a crime
against the provider or user. The bill would impose civil
penalties on a provider of a book service for knowingly disclosing a
user's personal information to a government entity in violation of
these provisions, except as otherwise provided. The bill would
require that any provider of a book service prepare a specified
report relating to demands for disclosure of personal information of
users of the book service, and publish that information in a
searchable format on the Internet or if the provider does not have an
Internet Web site, to prominently post the report on its premises or
send the report annually to the Office of Privacy Protection.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Title 1.81.15 (commencing with Section 1798.90) is
added to Part 4 of Division 3 of the Civil Code, to read:
TITLE 1.81.15. Reader Privacy Act
1798.90. (a) This title shall be known and may be cited as the
Reader Privacy Act.
(b) For purposes of this section:
(1) "Book" means paginated or similarly organized content in
printed, audio, electronic, or other format, including fiction,
nonfiction, academic, or other works of the type normally published
in a volume or volumes.
(2) "Book service" means a service that, as its primary purpose,
provides the rental, purchase, borrowing, browsing, or viewing of
books.
(3) "Government entity" means any state or local agency,
including, but not limited to, a law enforcement entity or
any other investigative entity, agency, department,
division, bureau, board, or commission, or any individual acting or
purporting to act for or on behalf of a state or local agency.
(4) "Law enforcement entity" means a district attorney, a district
attorney's office, a municipal police department, a sheriff's
department, a county probation department, a county social services
agency, the Department of Justice, the Department of Corrections and
Rehabilitation, the Department of the Youth Authority, the Department
of the California Highway Patrol, the police department of a campus
of a community college, the University of California, or the
California State University, or any other department or agency of the
state authorized to investigate or prosecute the commission of a
crime.
(4)
(5) "Personal information" means all of the following:
(A) Any information that identifies, relates to, describes, or is
associated with a particular user, including, but not limited to, the
information specifically listed in Section 1798.80.
(B) A unique identifier or Internet Protocol address, when that
identifier or address is being used to identify,
relate to, describe, or be associated with a particular user
of a book service or book, in whole or in partial form.
(C) Any information that relates to, or is capable of being
associated with, a particular user's access to or use of a book
service or a book, in whole or in partial form.
(5)
(6) "Provider" means any commercial entity offering a
book service to the public.
(6)
(7) "User" means any person or entity that uses a book
service.
(c) A provider shall not knowingly disclose to any government
entity, or be compelled to disclose to any person, private entity, or
government entity, any personal information of a user, except under
any of the following circumstances:
(1) A provider shall disclose personal information of a user to a
government law enforcement entity only
pursuant to a court order issued by a duly authorized court with
jurisdiction over an offense that is under investigation and only if
all of the following conditions are met:
(A) The court issuing the order finds that probable cause exists
to believe the personal information requested is relevant evidence to
the investigation of an offense and any of the grounds in Section
1524 of the Penal Code is satisfied.
(B) The court issuing the order finds that the person or
law enforcement entity seeking disclosure has a
compelling interest in obtaining the personal information sought.
(C) The court issuing the order finds that the personal
information sought cannot be obtained by the person or
law enforcement entity seeking disclosure
through less intrusive means.
(D) The person or entity seeking disclosure provides the provider
with reasonable notice of the proceeding prior to the issuance of the
order.
(E) The opportunity to appear and contest the issuance of the
order is afforded to the provider prior to the issuance of the order.
(F) Notice of the order is given to the user by the person or
entity seeking disclosure contemporaneous with execution of
(D) Prior to issuance of the court order, the law enforcement
entity seeking disclosure provides, in a timely manner, the provider
with reasonable notice of the proceeding to allow the provider the
opportunity to appear and contest issuance of the order.
(E) The law enforcement entity seeking
disclosure has informed the provider that it has given notice of the
court order to the user contemporaneously with the execution of
the order, unless there is a judicial determination of a strong
showing of necessity to delay that notification for a reasonable
period of time, not to exceed seven days.
(2) A provider shall disclose personal information of a user
to a government entity, other than a law enforcement entity,
pursuant to a court order in a pending civil or
administrative action, issued by a court having
jurisdiction over an offense under investigation by that government
entity or to a government entity, other than a law enforcement
entity, or to a person or private entity pursuant to a court order in
a pending action brought by the government entity or by the person
or private entity only if all of the following conditions are
met:
(A) The court issuing the order finds that the person or entity
seeking disclosure has a compelling interest in obtaining the
personal information sought.
(B) The court issuing the order finds that the personal
information sought cannot be obtained by the person or entity seeking
disclosure through less intrusive means.
(C) The person or entity seeking disclosure takes reasonable steps
to provide the user and the provider with reasonable notice of the
proceeding prior to the issuance of the court order in a timely
manner to allow the user and provider the opportunity to appear
(C) Prior to issuance of the court
order, the person or entity seeking disclosure provides, in a timely
manner, the provider with reasonable notice of the proceeding to
allow the provider the opportunity to appear and contest the
issuance of the court order.
(D) The provider refrains from disclosing any personal information
pursuant to the court order until it provides , in a timely
manner, notice to the user about the issuance of the order and
the ability to appear and quash the order, and the user has been
given a reasonable opportunity a minimum of
35 days prior to disclosure of the information within which to
appear and quash the order.
(3) A provider shall disclose the personal information of a user
to any person , private entity, or government entity if
the user has given his or her informed, affirmative consent to the
specific disclosure for a particular purpose.
(4) A provider may disclose personal information of a user
to a government entity, if the government entity asserts, and
the provider in good faith believes, that there is an imminent danger
of death or serious physical injury requiring the immediate
disclosure of the requested personal information and there is
insufficient time to obtain a court order. The government entity
seeking the disclosure shall provide the provider with a written
statement setting forth the facts giving rise to the emergency upon
request or no later than 48 hours after seeking disclosure.
(5) A provider may disclose personal information of a user
of a book service to a government entity if the
provider in good faith believes that the personal information is
evidence directly related and relevant to a crime against the
provider or that user of the book service .
(d) (1) Any court issuing an a court
order requiring the disclosure of personal information of a user
of a book service shall impose appropriate
safeguards against the unauthorized disclosure of personal
information by the provider and by the person, private entity,
or government entity seeking disclosure pursuant to the order.
(2) The court may, in its discretion, quash or modify an
a court order requiring the disclosure of the
user's personal information upon a motion made by the user, provider,
or person person, or entity seeking
disclosure.
(e) Except as proof in an action for a
violation of this section, no evidence obtained in violation of this
section shall be admissible in any civil , administrative,
or other or administrative proceeding.
(f) (1) Violations of this section shall be subject to the
following penalties:
(A) Any provider that knowingly provides personal information
about a user to a government entity in violation of this section
shall be subject to a civil penalty not to exceed five hundred
dollars ($500) for each violation, which may be recovered in
a civil action brought by the person who is the subject of the
records. shall be paid to the user in a civil action
brought by the user.
(B) Any provider that knowingly provides personal information
about a user to a government entity in violation of this
section shall, in addition to the penalty prescribed by subparagraph
(A), be subject to a civil penalty not to exceed five hundred dollars
($500) for each violation, which may be assessed and recovered in a
civil action brought by the Attorney General, by any district
attorney or city attorney, or by a city prosecutor in any city having
a full-time city prosecutor, in any court of competent jurisdiction.
(2) If an action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney, the penalty collected
shall be paid to the treasurer of the county in which the judgment
was entered. If the action is brought by a city attorney or city
prosecutor, one-half of the penalty shall be paid to the treasurer of
the city in which the judgment was entered, and one-half to the
treasurer of the county in which the judgment was entered.
(3) The penalties provided by this section are not the exclusive
remedy and do not affect any other relief or remedy provided by law.
(4) A civil action brought pursuant to this section shall be
commenced within two years after the date upon which the claimant
first discovered the violation.
(g) An objectively reasonable reliance by the provider on a
warrant or court order for the disclosure of personal
information of a user of a book service , or on
any of the enumerated exceptions to the confidentiality of a user's
personal information set forth in this section, is a complete defense
to any civil , administrative, or criminal action
action for the violation of this section .
(h) Unless disclosure of information pertaining to a particular
request or set of requests is specifically prohibited by law, a
provider shall prepare a report including all of the following
information, to the extent it can be reasonably determined:
(1) The number of federal and state warrants, federal and
state grand jury subpoenas, federal and state civil
and administrative subpoenas, federal and state civil and criminal
court orders, and requests for information made with the informed
consent of the user as described in paragraph (3) of subdivision (c),
seeking disclosure of any personal information of a user related to
the access or use of a book service or book, received by the provider
from January 1 to December 31, inclusive, of the previous year.
(2) The number of disclosures made by the provider pursuant to
paragraphs (4) and (5) of subdivision (c) from January 1 to December
31, inclusive, of the previous year.
(3) For each category of demand or disclosure, the provider shall
include all of the following information:
(A) The number of times notice of a court order in a criminal,
civil, or administrative action has been provided by the provider and
the date the notice was provided.
(B) The number of times personal information has been disclosed by
the provider.
(C) The number of times no personal information has been disclosed
by the provider.
(D) The number of times the provider contests the demand.
(E) The number of times the user contests the demand.
(F) The number of users whose personal information was disclosed
by the provider.
(G) The type of personal information that was disclosed and the
number of times that type of personal information was disclosed
, except user textbook purchase or rental verifications generated by
a campus bookstore at a public postsecondary educational institution
in response to an audit request from a government entity
that provides textbook purchase or rental subsidies to users are
exempt from the reporting requirement of this subparagraph .
(i) Reports prepared pursuant to subdivision (h) shall be made
publicly available in an online, searchable format on or before March
1 of each year. If the provider does not have an Internet Web site,
the provider shall post the reports prominently on its premises or
send the reports to the Office of Privacy Protection on or before
March 1 of each year.
(j) Any provider subject to Section 22575 of the Business and
Professions Code shall create a prominent hyperlink to its latest
report published pursuant to subdivision (i) in the disclosure
section of the privacy policy applicable to its book service on or
before March 1 of each year.
(k) Nothing in this section shall otherwise affect the rights of
any person under the California Constitution or any other law or
be construed as conflicting with the federal Privacy Protection Act
of 1980 (Chapter 21A (commencing with Section 2000aa) of Title 42 of
the United States Code) .
1798.90.05. Section 1798.90 does not make it unlawful for a law
enforcement entity subject to Section 2000aa of Title 42 of the
United States Code to obtain a search warrant for the personal
information of a user pursuant to otherwise applicable law in
connection with the investigation or prosecution of a criminal
offense when probable cause exists to believe that the person
possessing the personal information has committed, or is committing,
a criminal offense involving the production, possession, receipt,
mailing, sale, distribution, shipment, or transportation of child
pornography, the sexual exploitation of children, or the sale or
purchase of children prohibited by Sections 2251, 2251A, 2252, and
2252A of Title 18 of the United States Code. Nothing in Section
1798.90 shall prevent a provider from complying with a proper search
warrant issued by a duly authorized court in connection with the
investigation or prosecution of any of those offenses.