BILL NUMBER: SB 602 AMENDED
BILL TEXT
AMENDED IN ASSEMBLY AUGUST 15, 2011
AMENDED IN ASSEMBLY JULY 5, 2011
AMENDED IN ASSEMBLY JUNE 6, 2011
AMENDED IN SENATE APRIL 25, 2011
AMENDED IN SENATE MARCH 30, 2011
AMENDED IN SENATE MARCH 21, 2011
INTRODUCED BY Senator Yee
FEBRUARY 17, 2011
An act to add Title 1.81.15 (commencing with Section 1798.90) to
Part 4 of Division 3 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
SB 602, as amended, Yee. Reader Privacy Act.
The California Public Records Act requires state and local
agencies to make their records available for public inspection and,
upon request of any person, to provide a copy of any public record
unless the record is exempt from disclosure. The act provides that
all registration and circulation records of any library that is in
whole or in part supported by public funds are confidential and shall
not be disclosed to any person, except as provided.
Existing law protects the privacy of personal information,
including customer records, and requires a business that owns or
licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information, in order to protect the
personal information from unauthorized access, destruction, use,
modification, or disclosure.
The Civil Discovery Act generally provides for the scope of
discovery in civil actions and proceedings, and permits a party to a
civil action to obtain discovery by inspecting documents, tangible
things, and land or other property in the possession of any other
party to the action.
This bill would enact the Reader Privacy Act, which would, among
other things, prohibit a commercial provider of a book service, as
defined, from disclosing, or being compelled to disclose, any
personal information relating to a user of the book service, subject
to certain exceptions. The bill would require a provider to disclose
personal information of a user only if a court order has been issued,
as specified, and certain other conditions have been satisfied. The
bill would also require a provider to disclose personal information
of a user if the user has consented to the disclosure and would
authorize a provider to disclose the personal information of a user
to a government entity, as defined, if an imminent danger of death or
serious physical injury exists, as specified, or if the provider in
good faith believes the information is directly relevant to a crime
against the provider or user. The bill would require
a provider, upon request by a law enforcement entity, to preserve
records and other evidence in its possession of a user's personal
information pending issuance of a court order or warrant. The
bill would impose civil penalties on a provider of a book service for
knowingly disclosing a user's personal information to a government
entity in violation of these provisions, except as otherwise
provided. The bill would require that any provider of a book service
, except as specified, prepare a specified report relating
to demands for disclosure of personal information of users of the
book service, and publish that information in a searchable format on
the Internet or if the provider does not have an Internet Web site,
to prominently post the report on its premises or send the report
annually to the Office of Privacy Protection. The bill would
specify additional requirements for publishing the repor t
for a provider that collects personally identifiable
information through the Internet about individual consumers in the
state.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Title 1.81.15 (commencing with Section 1798.90) is
added to Part 4 of Division 3 of the Civil Code, to read:
TITLE 1.81.15. Reader Privacy Act
1798.90. (a) This title shall be known and may be cited as the
Reader Privacy Act.
(b) For purposes of this section:
(1) "Book" means paginated or similarly organized content in
printed, audio, electronic, or other format, including fiction,
nonfiction, academic, or other works of the type normally published
in a volume or finite number of volumes , excluding
serial publications such as a magazine or newspaper .
(2) "Book service" means a service that, as its primary purpose,
provides the rental, purchase, borrowing, browsing, or viewing of
books. "Book service" does not include a store that sells a
variety of consumer products when the book service sales do not
exceed 2 percent of the store's total annual gross sales of consumer
products sold in the United States.
(3) "Government entity" means any state or local agency,
including, but not limited to, a law enforcement entity or any other
investigative entity, agency, department, division, bureau, board, or
commission, or any individual acting or purporting to act for or on
behalf of a state or local agency.
(4) "Law enforcement entity" means a district attorney, a district
attorney's office, a municipal police department, a sheriff's
department, a county probation department, a county social services
agency, the Department of Justice, the Department of Corrections and
Rehabilitation, the Department of the Youth Authority, the Department
of the California Highway Patrol, the police department of a campus
of a community college, the University of California, or the
California State University, or any other department or agency of the
state authorized to investigate or prosecute the commission of a
crime.
(5) "Personal information" means all of the following:
(A) Any information that identifies, relates to, describes, or is
associated with a particular user, including, but not limited to, the
information specifically listed in Section 1798.80.
(B) A unique identifier or Internet Protocol address, when that
identifier or address is used to identify, relate to, describe, or be
associated with a particular user or book, in whole or in partial
form.
(C) Any information that relates to, or is capable of being
associated with, a particular user's access to or use of a book
service or a book, in whole or in partial form.
(6) "Provider" means any commercial entity offering a book service
to the public.
(7) "User" means any person or entity that uses a book service.
(c) A provider shall not knowingly disclose to any government
entity, or be compelled to disclose to any person, private entity, or
government entity, any personal information of a user, except under
any of the following circumstances:
(1) A provider shall disclose personal information of a user to a
law enforcement entity only pursuant to a court order issued by a
duly authorized court with jurisdiction over an offense that is under
investigation and only if all of the following conditions are met:
(A) The court issuing the order finds that probable cause exists
to believe the personal information requested is relevant evidence to
the investigation of an offense and any of the grounds in Section
1524 of the Penal Code is satisfied.
(B) The court issuing the order finds that the law enforcement
entity seeking disclosure has a compelling interest in obtaining the
personal information sought.
(C) The court issuing the order finds that the personal
information sought cannot be obtained by the law enforcement entity
seeking disclosure through less intrusive means.
(D) Prior to issuance of the court order, the law enforcement
entity seeking disclosure provides, in a timely manner, the provider
with reasonable notice of the proceeding to allow the provider the
opportunity to appear and contest issuance of the order.
(E) The law enforcement entity seeking disclosure has informed
the provider that it has given notice of the court order to the user
contemporaneously with the execution of the order, unless there is a
judicial determination of a strong showing of necessity to delay that
notification for a reasonable period of time, not to exceed
seven 90 days.
(2) A provider shall disclose personal information of a user to a
government entity, other than a law enforcement entity, or to a
person or a private entity pursuant to a court order issued by
a court having jurisdiction over an offense under investigation
by that government entity or to a government entity, other
than a law enforcement entity, or to a person or private entity
pursuant to a court order in by that government entity
or a pending action brought by the government entity or by the
person or private entity only if all of the following conditions are
met:
(A) The court issuing the order finds that the person or entity
seeking disclosure has a compelling interest in obtaining the
personal information sought.
(B) The court issuing the order finds that the personal
information sought cannot be obtained by the person or entity seeking
disclosure through less intrusive means.
(C) Prior to issuance of the court order, the person or entity
seeking disclosure provides, in a timely manner, the provider with
reasonable notice of the proceeding to allow the provider the
opportunity to appear and contest the issuance of the court order.
(D) The provider refrains from disclosing any personal information
pursuant to the court order until it provides, in a timely manner,
notice to the user about the issuance of the order and the ability to
appear and quash the order, and the user has been given a minimum of
35 days prior to disclosure of the information within which to
appear and quash the order.
(3) A provider shall disclose the personal information of a user
to any person, private entity, or government entity if the user has
given his or her informed, affirmative consent to the specific
disclosure for a particular purpose.
(4) A provider may disclose personal information of a user to a
government entity, if the government entity asserts, and the provider
in good faith believes, that there is an imminent danger of death or
serious physical injury requiring the immediate disclosure of the
requested personal information and there is insufficient time to
obtain a court order. The government entity seeking the disclosure
shall provide the provider with a written statement setting forth the
facts giving rise to the emergency upon request or no later than 48
hours after seeking disclosure.
(5) A provider may disclose personal information of a user to a
government entity if the provider in good faith believes that the
personal information is evidence directly related and relevant to a
crime against the provider or that user.
(d) (1) Any court issuing a court order requiring the disclosure
of personal information of a user shall impose appropriate safeguards
against the unauthorized disclosure of personal information by the
provider and by the person, private entity, or government entity
seeking disclosure pursuant to the order.
(2) The court may, in its discretion, quash or modify a court
order requiring the disclosure of the user's personal information
upon a motion made by the user, provider, person, or entity seeking
disclosure.
(e) A provider, upon the request of a law enforcement entity,
shall take all necessary steps to preserve records and other evidence
in its possession of a user's personal information related to the
use of a book or part of a book, pending the issuance of a court
order or a warrant pursuant to this section or Section 1798.90.05.
The provider shall retain the records and evidence for a period of 90
days from the date of the request by the law enforcement entity,
which shall be extended for an additional 90-day period upon a
renewed request by the law enforcement entity.
(e)
(f) Except in an action for a violation of this
section, no evidence obtained in violation of this section shall be
admissible in any civil or administrative proceeding.
(f)
(g) (1) Violations of this section shall be subject to
the following penalties:
(A) Any provider that knowingly provides personal information
about a user to a government entity in violation of this section
shall be subject to a civil penalty not to exceed five hundred
dollars ($500) for each violation, which shall be paid to the user in
a civil action brought by the user.
(B) Any provider that knowingly provides personal information
about a user to a government entity in violation of this section
shall, in addition to the penalty prescribed by subparagraph (A), be
subject to a civil penalty not to exceed five hundred dollars ($500)
for each violation, which may be assessed and recovered in a civil
action brought by the Attorney General, by any district attorney or
city attorney, or by a city prosecutor in any city having a full-time
city prosecutor, in any court of competent jurisdiction.
(2) If an action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney, the penalty collected
shall be paid to the treasurer of the county in which the judgment
was entered. If the action is brought by a city attorney or city
prosecutor, one-half of the penalty shall be paid to the treasurer of
the city in which the judgment was entered, and one-half to the
treasurer of the county in which the judgment was entered.
(3) The penalties provided by this section are not the exclusive
remedy and do not affect any other relief or remedy provided by law.
(4) A civil action brought pursuant to this section shall be
commenced within two years after the date upon which the claimant
first discovered the violation.
(g)
(h) An objectively reasonable reliance by the provider
on a warrant or court order for the disclosure of personal
information of a user, or on any of the enumerated exceptions to the
confidentiality of a user's personal information set forth in this
section, is a complete defense to any civil action for the violation
of this section.
(h)
(i) (1) Unless disclosure of
information pertaining to a particular request or set of requests is
specifically prohibited by law, a provider shall prepare a report
including all of the following information, to the extent it can be
reasonably determined:
(1)
(A) The number of federal and state warrants, federal
and state grand jury subpoenas, federal and state civil and
administrative subpoenas, federal and state civil and criminal court
orders, and requests for information made with the informed consent
of the user as described in paragraph (3) of subdivision (c), seeking
disclosure of any personal information of a user related to the
access or use of a book service or book, received by the provider
from January 1 to December 31, inclusive, of the previous year.
(2)
(B ) The number of disclosures made by the
provider pursuant to paragraphs (4) and (5) of subdivision (c) from
January 1 to December 31, inclusive, of the previous year.
(3)
(C) For each category of demand or disclosure, the
provider shall include all of the following information:
(A)
(i) The number of times notice of a court order in a
criminal, civil, or administrative action has been provided by the
provider and the date the notice was provided.
(B)
(ii) The number of times personal information has been
disclosed by the provider.
(C)
(iii) The number of times no personal information has
been disclosed by the provider.
(D)
(iv) The number of times the provider contests the
demand.
(E)
(v) The number of times the user contests the demand.
(F)
(vi) The number of users whose personal information was
disclosed by the provider.
(G)
(vii) The type of personal information that was
disclosed and the number of times that type of personal information
was disclosed, except user textbook purchase or rental verifications
generated by a campus bookstore at a public postsecondary educational
institution in response to an audit request from a government entity
that provides textbook purchase or rental subsidies to users are
exempt from the reporting requirement of this subparagraph.
(2) Notwithstanding paragraph (1), a provider is not required to
prepare a report pursuant to this subdivision unless it has disclosed
personal information related to the access or use of a book service
or book of more than 30 total users consisting of users located in
this state or users whose location is unknown or of both types of
users.
(i)
(j) Reports prepared pursuant to subdivision
(h) (i) shall be made publicly available in an
online, searchable format on or before March 1 of each year. If the
provider does not have an Internet Web site, the provider shall post
the reports prominently on its premises or send the reports to the
Office of Privacy Protection on or before March 1 of each year.
(j) Any provider subject to Section 22575 of the Business and
Professions Code shall create a prominent hyperlink to its latest
report published pursuant to subdivision (i) in the disclosure
section of the privacy policy applicable to its book service on or
before March 1 of each year.
(k) On or before March 1 of each year, a provider subject to
Section 22575 of the Business and Professions Code shall complete one
of the following actions:
(1) Create a prominent hyperlink to its latest report prepared
pursuant to subdivision (i) in the disclosure section of its privacy
policy applicable to its book service.
(2) Post the report prepared pursuant to subdivision (i) in the
section of its Internet Web site explaining the way in which user
information and privacy issues related to its book service are
addressed.
(3) State on its Internet Web site in one of the areas described
in paragraphs (1) and (2) that no report prepared pursuant to
subdivision (i) is available because the provider is exempt from the
reporting requirement pursuant to paragraph (2) of subdivision (i).
(k)
(l) Nothing in this section shall otherwise affect the
rights of any person under the California Constitution or any other
law or be construed as conflicting with the federal Privacy
Protection Act of 1980 (Chapter 21A (commencing with Section 2000aa)
of Title 42 of the United States Code).
1798.90.05. Section 1798.90 does not make it unlawful for a law
enforcement entity subject to Section 2000aa of Title 42 of the
United States Code to obtain a search warrant for the personal
information of a user pursuant to otherwise applicable law in
connection with the investigation or prosecution of a criminal
offense when probable cause exists to believe that the person
possessing the personal information has committed, or is committing,
a criminal offense involving the production, possession, receipt,
mailing, sale, distribution, shipment, or transportation of child
pornography, the sexual exploitation of children, or the sale or
purchase of children prohibited by Sections 2251, 2251A, 2252, and
2252A of Title 18 of the United States Code. Nothing in Section
1798.90 shall prevent a provider from complying with a proper search
warrant issued by a duly authorized court in connection with the
investigation or prosecution of any of those offenses.