BILL NUMBER: SB 761	AMENDED
	BILL TEXT

	AMENDED IN SENATE  MAY 10, 2011
	AMENDED IN SENATE  APRIL 25, 2011
	AMENDED IN SENATE  APRIL 4, 2011
	AMENDED IN SENATE  MARCH 24, 2011

INTRODUCED BY   Senator Lowenthal

                        FEBRUARY 18, 2011

   An act to add Section 22947.45 to the Business and Professions
Code, relating to business.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 761, as amended, Lowenthal. Computer spyware.
   Existing law, the Consumer Protection Against Computer Spyware
Act, prohibits a person or entity other than the authorized user of
computer software from, with actual knowledge, conscious avoidance of
actual knowledge, or willfully, causing computer software to be
copied onto the computer of a consumer in this state and using the
software to (1) take control of the computer, as specified, (2)
modify certain settings relating to the computer's access to or use
of the Internet, as specified, (3) collect, through intentionally
deceptive means, personally identifiable information, as defined, (4)
prevent, without authorization, an authorized user's reasonable
efforts to block the installation of or disabling of software, as
specified, (5) intentionally misrepresent that the software will be
uninstalled or disabled by an authorized user's action, or (6)
through intentionally deceptive means, remove, disable, or render
inoperative security, antispyware, or antivirus software installed on
the computer.
   Existing law establishes the Office of Privacy Protection for
specified purposes relating to protecting the privacy rights of
consumers.
   This bill would, no later than July 1, 2012, require the Attorney
General, in consultation with the Office of Privacy Protection, to
adopt regulations that would require a covered entity, defined as a
person or entity doing business in California that collects, uses, or
stores online data containing covered information from a consumer in
this state, to provide a consumer in California with a method to opt
out of that collection, use, and storage of such information. The
bill would specify that such information includes, but is not
limited to, the online activity of an individual and other personal
information. The bill would subject these regulations to certain
requirements, including, but not limited to, a requirement that a
covered entity disclose to a consumer certain information relating to
its collection, use, and storage information practices. The bill
would, to the extent consistent with federal law, prohibit a covered
entity from selling, sharing, or transferring a consumer's covered
information, except as specified. The bill would make a
covered entity that willfully fails to comply with the adopted
regulations liable to a consumer in a civil action for damages, as
specified, and would require such an action to be brought within a
certain time period.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 22947.45 is added to the Business and
Professions Code, to read:
   22947.45.  (a) For the purposes of this section, the following
definitions shall apply:
   (1) "Covered entity" means a person or entity doing business in
California that collects, uses, or stores online data containing
covered information from a consumer in this state. "Covered entity"
shall not include any of the following:
   (A) The federal government or any instrumentality of the federal
government.
   (B) The government of any state or any instrumentality of state
government.
   (C) Any local government or instrumentality of local government.
   (D) Any person who can demonstrate that he or she does all of the
following:
   (i) Stores covered information from or about fewer than 15,000
individuals.
   (ii) Collects covered information from or about fewer than 10,000
individuals during any 12-month period.
   (iii) Does not collect or store sensitive information.
   (iv) Does not use covered information to study, monitor, or
analyze the behavior of individuals as the person's primary business.

   (2) (A) "Covered information" means, with respect to an
individual, any of the following that is transmitted online:
   (i) The online activity of the individual, including, but not
limited to, the Internet Web sites and content from Internet Web
sites accessed; the date and hour of online access; the computer and
geolocation from which online information was accessed; and the means
by which online information was accessed, such as, but not limited
to, a device, browser, or application.
   (ii) Any unique or substantially unique identifier, such as a
customer number or Internet Protocol address.
   (iii) Personal information including, but not limited to, a name;
a postal address or other location; an e-mail address or other user
name; a telephone or fax number; a government-issued identification
number, such as a tax identification number, a passport number, or a
driver's license number; or a financial account number, or credit
card or debit card number, or any required security code, access
code, or password that is necessary to permit access to an
individual's financial account.
   (B) "Covered information" shall not include the title, business
address, business e-mail address, business telephone number, or
business fax number associated with an individual's status as an
employee of an organization, or an individual's name when collected,
stored, used, or disclosed in connection with that employment status;
or any information collected from or about an employee by an
employer, prospective employer, or former employer that directly
relates to the employee-employer relationship.
   (3) (A) "Sensitive information" means any of the following:
   (i) Any information that is associated with covered information of
an individual and relates directly to that individual's medical
history, physical or mental health, or the provision of health care
to the individual; race or ethnicity; religious beliefs and
affiliation; sexual orientation or sexual behavior; income, assets,
liabilities, or financial records, and other financial information
associated with a financial account, including balances and other
financial information, except when financial account information is
provided by the individual and is used only to process an authorized
credit or debit to the account; or precise geolocation information
and any information about the individual's activities and
relationships associated with that geolocation.
   (ii) An individual's unique biometric data, including a
fingerprint or retina scan, or social security number.
   (iii) Information deemed sensitive information pursuant to
regulations adopted by the Attorney General under subparagraph (B).
   (B) The Attorney General in consultation with the Office of
Privacy Protection may, by regulations adopted pursuant to
subdivision (b), modify the scope or application of the definition of
"sensitive information" as necessary to promote the purposes of this
act. In adopting these regulations, the Attorney General shall
consider the purpose of collecting the information and the context in
which the information is used; how easily the information can be
used to identify a specific individual; the nature and extent of
authorized access to the information; an individual's reasonable
expectations under the circumstances; and adverse effects that may be
experienced by an individual if the information is disclosed to an
unauthorized person.
   (b) (1) No later than July 1, 2012, the Attorney General, in
consultation with the Office of Privacy Protection, shall adopt
regulations that would require a covered entity doing business in
California to provide a consumer in this state with a method for the
consumer to opt out of the collection or use of any covered
information by a covered entity.
   (2) The regulations shall do the following:
   (A) Include a requirement for a covered entity to disclose, in a
manner that is easily accessible to a consumer, information on the
covered entity's collection, use, and storage of
information practices, how the entity uses or discloses that
covered information, and the names of the
persons to whom that entity would disclose that
covered information.
   (B) Prohibit the collection or use of covered information by a
covered entity for which a consumer has opted out of such collection
or use, unless the consumer changes his or her opt-out preference to
allow the collection or use of that information.
   (3) The regulations may do the following:
   (A) Include a requirement that a covered entity provide a consumer
with a means to access the covered information of that consumer and
the data retention and security policies of the covered entity in a
format that is clear and easy to understand.
   (B) Include a requirement that some or all of the regulations
apply with regard to the collection and use of covered information,
regardless of the source.
   (4) The regulations shall not interfere with, affect, or prohibit
a commercial relationship between a consumer and a covered entity
where the consumer expressly opts in to the collection and use of his
or her covered information by the covered entity for the purpose of
engaging in that commercial relationship. However, if a majority of
the covered entity's revenue is derived from online advertising and
marketing, the regulations may regulate and affect such a commercial
relationship.
   (5) The Attorney General may exempt from some or all of the
regulations required by this section certain commonly accepted
commercial practices, including the following:
   (A) Providing, operating, or improving a product or service used,
requested, or authorized by an individual, including the ongoing
provision of customer service and support.
   (B) Analyzing data related to use of the product or service for
purposes of improving the products, services, or operations.
   (C) Basic business functions, such as, but not limited to,
accounting, inventory and supply chain management, quality assurance,
and internal auditing.
   (D) Protecting or defending rights or property, including, but not
limited to, intellectual property, against actual or potential
security threats, fraud, theft, unauthorized transactions, or other
illegal activities.
   (E) Preventing imminent danger to the personal safety of an
individual or group of individuals.
   (F) Complying with a federal, state, or local law, regulation,
rule, or other applicable legal requirement, including, but not
limited to, disclosures pursuant to a court order, subpoena, summons,
or other properly executed compulsory process.
   (G) Any other category of operational use specified by the
Attorney General in regulations adopted pursuant to this subdivision
that is consistent with the purposes of this act.
   (c) Notwithstanding any other provision of law and to the extent
consistent with federal law, no covered entity shall sell, share, or
transfer a consumer's covered information, except that the
regulations adopted by the Attorney General shall permit a
covered entity to enter into a commercial transaction with a
consumer and to collect, store, and share that consumer's covered
information solely to complete that transaction.
   (d) A covered entity that willfully fails to comply with
regulations promulgated by the Attorney General pursuant to
subdivision (b) with respect to any individual is liable to that
individual in a civil action brought in a California court of
appropriate jurisdiction in an amount equal to the sum of the greater
of any actual damages, but in no event less than one hundred dollars
($100) or more than one thousand dollars ($1,000), and such amount
of punitive damages as the court may allow. In the case of any
successful action under this section, the covered entity shall be
liable to the individual for the costs of the action together with
reasonable attorney's fees as determined by the court. A civil action
under this section shall not be commenced later than two years after
the date upon which the claimant first discovered or had a
reasonable opportunity to discover the violation.