BILL NUMBER: SB 602	CHAPTERED
	BILL TEXT

	CHAPTER  424
	FILED WITH SECRETARY OF STATE  OCTOBER 2, 2011
	APPROVED BY GOVERNOR  OCTOBER 2, 2011
	PASSED THE SENATE  SEPTEMBER 1, 2011
	PASSED THE ASSEMBLY  AUGUST 31, 2011
	AMENDED IN ASSEMBLY  AUGUST 29, 2011
	AMENDED IN ASSEMBLY  AUGUST 23, 2011
	AMENDED IN ASSEMBLY  AUGUST 15, 2011
	AMENDED IN ASSEMBLY  JULY 5, 2011
	AMENDED IN ASSEMBLY  JUNE 6, 2011
	AMENDED IN SENATE  APRIL 25, 2011
	AMENDED IN SENATE  MARCH 30, 2011
	AMENDED IN SENATE  MARCH 21, 2011

INTRODUCED BY   Senator Yee

                        FEBRUARY 17, 2011

   An act to add Title 1.81.15 (commencing with Section 1798.90) to
Part 4 of Division 3 of the Civil Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 602, Yee. Reader Privacy Act.
   The California Public Records Act requires state and local
agencies to make their records available for public inspection and,
upon request of any person, to provide a copy of any public record
unless the record is exempt from disclosure. The act provides that
all registration and circulation records of any library that is in
whole or in part supported by public funds are confidential and shall
not be disclosed to any person, except as provided.
   Existing law protects the privacy of personal information,
including customer records, and requires a business that owns or
licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information, in order to protect the
personal information from unauthorized access, destruction, use,
modification, or disclosure.
   The Civil Discovery Act generally provides for the scope of
discovery in civil actions and proceedings, and permits a party to a
civil action to obtain discovery by inspecting documents, tangible
things, and land or other property in the possession of any other
party to the action.
   This bill would enact the Reader Privacy Act, which would, among
other things, prohibit a commercial provider of a book service, as
defined, from disclosing, or being compelled to disclose, any
personal information relating to a user of the book service, subject
to certain exceptions. The bill would require a provider to disclose
personal information of a user only if a court order has been issued,
as specified, and certain other conditions have been satisfied. The
bill would also require a provider to disclose a user's personal
information if the user has consented to the disclosure, and would
authorize a provider to disclose a user's personal information to a
government entity, as defined, if an imminent danger of death or
serious physical injury exists, as specified, or if the provider in
good faith believes the information is directly relevant to a crime
against the provider or user. The bill would require a provider, upon
request by a law enforcement entity, to preserve records and other
evidence in its possession of a user's personal information pending
issuance of a court order or warrant. The bill would impose civil
penalties on a provider of a book service for knowingly disclosing a
user's personal information to a government entity in violation of
these provisions, except as otherwise provided. The bill would
require a provider of a book service, except as specified, to prepare
a specified report relating to demands for disclosure of personal
information of users of the book service, and to publish that
information in a searchable format on the Internet, or, if the
provider does not have an Internet Web site, to either prominently
post the report on its premises or send the report annually to the
Office of Privacy Protection. The bill would specify additional
requirements for publishing the report for a provider that collects
personally identifiable information through the Internet about
individual consumers in the state.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Title 1.81.15 (commencing with Section 1798.90) is
added to Part 4 of Division 3 of the Civil Code, to read:

      TITLE 1.81.15.  Reader Privacy Act


   1798.90.  (a) This title shall be known and may be cited as the
Reader Privacy Act.
   (b) For purposes of this section:
   (1) "Book" means paginated or similarly organized content in
printed, audio, electronic, or other format, including fiction,
nonfiction, academic, or other works of the type normally published
in a volume or finite number of volumes, excluding serial
publications such as a magazine or newspaper.
   (2) "Book service" means a service that, as its primary purpose,
provides the rental, purchase, borrowing, browsing, or viewing of
books. "Book service" does not include a store that sells a variety
of consumer products when the book service sales do not exceed 2
percent of the store's total annual gross sales of consumer products
sold in the United States.
   (3) "Government entity" means any state or local agency,
including, but not limited to, a law enforcement entity or any other
investigative entity, agency, department, division, bureau, board, or
commission, or any individual acting or purporting to act for or on
behalf of a state or local agency.
   (4) "Law enforcement entity" means a district attorney, a district
attorney's office, a municipal police department, a sheriff's
department, a county probation department, a county social services
agency, the Department of Justice, the Department of Corrections and
Rehabilitation, the Department of Corrections and Rehabilitation
Division of Juvenile Facilities, the Department of the California
Highway Patrol, the police department of a campus of a community
college, the University of California, or the California State
University, or any other department or agency of the state authorized
to investigate or prosecute the commission of a crime.
   (5) "Personal information" means all of the following:
   (A) Any information that identifies, relates to, describes, or is
associated with a particular user, including, but not limited to, the
information specifically listed in Section 1798.80.
   (B) A unique identifier or Internet Protocol address, when that
identifier or address is used to identify, relate to, describe, or be
associated with a particular user or book, in whole or in partial
form.
   (C) Any information that relates to, or is capable of being
associated with, a particular user's access to or use of a book
service or a book, in whole or in partial form.
   (6) "Provider" means any commercial entity offering a book service
to the public.
   (7) "User" means any person or entity that uses a book service.
   (c) A provider shall not knowingly disclose to any government
entity, or be compelled to disclose to any person, private entity, or
government entity, any personal information of a user, except under
any of the following circumstances:
   (1) A provider shall disclose personal information of a user to a
law enforcement entity only pursuant to a court order issued by a
duly authorized court with jurisdiction over an offense that is under
investigation and only if all of the following conditions are met:
   (A) The court issuing the order finds that probable cause exists
to believe the personal information requested is relevant evidence to
the investigation of an offense and any of the grounds in Section
1524 of the Penal Code is satisfied.
   (B) The court issuing the order finds that the law enforcement
entity seeking disclosure has a compelling interest in obtaining the
personal information sought.
   (C) The court issuing the order finds that the personal
information sought cannot be obtained by the law enforcement entity
seeking disclosure through less intrusive means.
   (D) Prior to issuance of the court order, the law enforcement
entity seeking disclosure provides, in a timely manner, the provider
with reasonable notice of the proceeding to allow the provider the
opportunity to appear and contest issuance of the order.
   (E)  The law enforcement entity seeking disclosure has informed
the provider that it has given notice of the court order to the user
contemporaneously with the execution of the order, unless there is a
judicial determination of a strong showing of necessity to delay that
notification for a reasonable period of time, not to exceed 90 days.

   (2) (A) A provider shall disclose personal information of a user
to any of the following only if all of the conditions listed in
subparagraph (B) are satisfied:
   (i) A government entity, other than a law enforcement entity,
pursuant to a court order issued by a court having jurisdiction over
an offense under investigation by that government entity.
   (ii) A government entity, other than a law enforcement entity, or
a person or private entity pursuant to a court order in a pending
action brought by the government entity or by the person or private
entity.
    (B) A provider shall disclose personal information of a user
pursuant to subparagraph (A) only if all of the following conditions
are satisfied:
   (i) The court issuing the order finds that the person or entity
seeking disclosure has a compelling interest in obtaining the
personal information sought.
   (ii) The court issuing the order finds that the personal
information sought cannot be obtained by the person or entity seeking
disclosure through less intrusive means.
   (iii)  Prior to issuance of the court order, the person or entity
seeking disclosure provides, in a timely manner, the provider with
reasonable notice of the proceeding to allow the provider the
opportunity to appear and contest the issuance of the court order.
   (iv) The provider refrains from disclosing any personal
information pursuant to the court order until it provides, in a
timely manner, notice to the user about the issuance of the order and
the ability to appear and quash the order, and the user has been
given a minimum of 35 days prior to disclosure of the information
within which to appear and quash the order.
   (3) A provider shall disclose the personal information of a user
to any person, private entity, or government entity if the user has
given his or her informed, affirmative consent to the specific
disclosure for a particular purpose.
   (4) A provider may disclose personal information of a user to a
government entity, if the government entity asserts, and the provider
in good faith believes, that there is an imminent danger of death or
serious physical injury requiring the immediate disclosure of the
requested personal information and there is insufficient time to
obtain a court order. The government entity seeking the disclosure
shall provide the provider with a written statement setting forth the
facts giving rise to the emergency upon request or no later than 48
hours after seeking disclosure.
   (5) A provider may disclose personal information of a user to a
government entity if the provider in good faith believes that the
personal information is evidence directly related and relevant to a
crime against the provider or that user.
   (d) (1) Any court issuing a court order requiring the disclosure
of personal information of a user shall impose appropriate safeguards
against the unauthorized disclosure of personal information by the
provider and by the person, private entity, or government entity
seeking disclosure pursuant to the order.
   (2) The court may, in its discretion, quash or modify a court
order requiring the disclosure of the user's personal information
upon a motion made by the user, provider, person, or entity seeking
disclosure.
   (e) A provider, upon the request of a law enforcement entity,
shall take all necessary steps to preserve records and other evidence
in its possession of a user's personal information related to the
use of a book or part of a book, pending the issuance of a court
order or a warrant pursuant to this section or Section 1798.90.05.
The provider shall retain the records and evidence for a period of 90
days from the date of the request by the law enforcement entity,
which shall be extended for an additional 90-day period upon a
renewed request by the law enforcement entity.
   (f) Except in an action for a violation of this section, no
evidence obtained in violation of this section shall be admissible in
any civil or administrative proceeding.
   (g) (1) Violations of this section shall be subject to the
following penalties:
   (A) Any provider that knowingly provides personal information
about a user to a government entity in violation of this section
shall be subject to a civil penalty not to exceed five hundred
dollars ($500) for each violation, which shall be paid to the user in
a civil action brought by the user.
   (B) Any provider that knowingly provides personal information
about a user to a government entity in violation of this section
shall, in addition to the penalty prescribed by subparagraph (A), be
subject to a civil penalty not to exceed five hundred dollars ($500)
for each violation, which may be assessed and recovered in a civil
action brought by the Attorney General, by any district attorney or
city attorney, or by a city prosecutor in any city having a full-time
city prosecutor, in any court of competent jurisdiction.
   (2) If an action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney, the penalty collected
shall be paid to the treasurer of the county in which the judgment
was entered. If the action is brought by a city attorney or city
prosecutor, one-half of the penalty shall be paid to the treasurer of
the city in which the judgment was entered, and one-half to the
treasurer of the county in which the judgment was entered.
   (3) The penalties provided by this section are not the exclusive
remedy and do not affect any other relief or remedy provided by law.
   (4) A civil action brought pursuant to this section shall be
commenced within two years after the date upon which the claimant
first discovered the violation.
   (h) An objectively reasonable reliance by the provider on a
warrant or court order for the disclosure of personal information of
a user, or on any of the enumerated exceptions to the confidentiality
of a user's personal information set forth in this section, is a
complete defense to any civil action for the violation of this
section.
   (i) (1) Unless disclosure of information pertaining to a
particular request or set of requests is specifically prohibited by
law, a provider shall prepare a report including all of the following
information, to the extent it can be reasonably determined:
   (A) The number of federal and state warrants, federal and state
grand jury subpoenas, federal and state civil and administrative
subpoenas, federal and state civil and criminal court orders, and
requests for information made with the informed consent of the user
as described in paragraph (3) of subdivision (c), seeking disclosure
of any personal information of a user related to the access or use of
a book service or book, received by the provider from January 1 to
December 31, inclusive, of the previous year.
   (B) The number of disclosures made by the provider pursuant to
paragraphs (4) and (5) of subdivision (c) from January 1 to December
31, inclusive, of the previous year.
   (C) For each category of demand or disclosure, the provider shall
include all of the following information:
   (i) The number of times notice of a court order in a criminal,
civil, or administrative action has been provided by the provider and
the date the notice was provided.
   (ii) The number of times personal information has been disclosed
by the provider.
   (iii) The number of times no personal information has been
disclosed by the provider.
   (iv) The number of times the provider contests the demand.
   (v) The number of times the user contests the demand.
   (vi) The number of users whose personal information was disclosed
by the provider.
   (vii) The type of personal information that was disclosed and the
number of times that type of personal information was disclosed.
   (2) Notwithstanding paragraph (1), a provider is not required to
prepare a report pursuant to this subdivision unless it has disclosed
personal information related to the access or use of a book service
or book of more than 30 total users consisting of users located in
this state or users whose location is unknown or of both types of
users.
   (3) The reporting requirements of this subdivision shall not apply
to information disclosed to a government entity that is made by a
provider serving a postsecondary educational institution when the
provider is required to disclose the information in order to be
reimbursed for the sale or rental of a book that was purchased or
rented by a student using book vouchers or other financial aid
subsidies for books.
   (j) Reports prepared pursuant to subdivision (i) shall be made
publicly available in an online, searchable format on or before March
1 of each year. If the provider does not have an Internet Web site,
the provider shall post the reports prominently on its premises or
send the reports to the Office of Privacy Protection on or before
March 1 of each year.
   (k) On or before March 1 of each year, a provider subject to
Section 22575 of the Business and Professions Code shall complete one
of the following actions:
   (1) Create a prominent hyperlink to its latest report prepared
pursuant to subdivision (i) in the disclosure section of its privacy
policy applicable to its book service.
   (2) Post the report prepared pursuant to subdivision (i) in the
section of its Internet Web site explaining the way in which user
information and privacy issues related to its book service are
addressed.
   (3) State on its Internet Web site in one of the areas described
in paragraphs (1) and (2) that no report prepared pursuant to
subdivision (i) is available because the provider is exempt from the
reporting requirement pursuant to paragraph (2) of subdivision (i).
   (l) Nothing in this section shall otherwise affect the rights of
any person under the California Constitution or any other law or be
construed as conflicting with the federal Privacy Protection Act of
1980 (42 U.S.C. 2000aa et seq.).
   1798.90.05.  Section 1798.90 does not make it unlawful for a law
enforcement entity subject to Section 2000aa of Title 42 of the
United States Code to obtain a search warrant for the personal
information of a user pursuant to otherwise applicable law in
connection with the investigation or prosecution of a criminal
offense when probable cause exists to believe that the person
possessing the personal information has committed, or is committing,
a criminal offense involving the production, possession, receipt,
mailing, sale, distribution, shipment, or transportation of child
pornography, the sexual exploitation of children, or the sale or
purchase of children prohibited by Sections 2251, 2251A, 2252, and
2252A of Title 18 of the United States Code. Nothing in Section
1798.90 shall prevent a provider from complying with a proper search
warrant issued by a duly authorized court in connection with the
investigation or prosecution of any of those offenses.