BILL NUMBER: SB 761
AMENDED BILL TEXT
AMENDED IN SENATE MAY 10, 2011
AMENDED IN SENATE APRIL 25, 2011
AMENDED IN SENATE APRIL 4, 2011
AMENDED IN SENATE MARCH 24, 2011
INTRODUCED BY Senator Lowenthal
FEBRUARY 18, 2011

An act to add Section 22947.45 to the Business and Professions Code, relating to business.

LEGISLATIVE COUNSEL'S DIGEST

SB 761, as amended, Lowenthal. Computer spyware.

Existing law, the Consumer Protection Against Computer Spyware Act, prohibits a person or entity other than the authorized user of computer software from, with actual knowledge, conscious avoidance of actual knowledge, or willfully, causing computer software to be copied onto the computer of a consumer in this state and using the software to (1) take control of the computer, as specified, (2) modify certain settings relating to the computer's access to or use of the Internet, as specified, (3) collect, through intentionally deceptive means, personally identifiable information, as defined, (4) prevent, without authorization, an authorized user's reasonable efforts to block the installation of or disabling of software, as specified, (5) intentionally misrepresent that the software will be uninstalled or disabled by an authorized user's action, or (6) through intentionally deceptive means, remove, disable, or render inoperative security, antispyware, or antivirus software installed on the computer. Existing law establishes the Office of Privacy Protection for specified purposes relating to protecting the privacy rights of consumers.

This bill would, no later than July 1, 2012, require the Attorney General, in consultation with the Office of Privacy Protection, to adopt regulations that would require a covered entity, defined as a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state, to provide a consumer in California with a method to opt out of that collection, use, and storage of such information. The bill would specify that such information includes, but is not limited to, the online activity of an individual and other personal information. The bill would subject these regulations to certain requirements, including, but not limited to, a requirement that a covered entity disclose to a consumer certain information relating to its collection, use, and storage information practices. The bill would, to the extent consistent with federal law, prohibit a covered entity from selling, sharing, or transferring a consumer's covered information, except as specified. The bill would make a covered entity that willfully fails to comply with the adopted regulations liable to a consumer in a civil action for damages, as specified, and would require such an action to be brought within a certain time period.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 22947.45 is added to the Business and Professions Code, to read:

22947.45. (a) For the purposes of this section, the following definitions shall apply:
(1) "Covered entity" means a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state. "Covered entity" shall not include any of the following:
(A) The federal government or any instrumentality of the federal government.
(B) The government of any state or any instrumentality of state government.
(C) Any local government or instrumentality of local government.
(D) Any person who can demonstrate that he or she does all of the following:
(i) Stores covered information from or about fewer than 15,000 individuals.
(ii) Collects covered information from or about fewer than 10,000 individuals during any 12-month period.
(iii) Does not collect or store sensitive information.
(iv) Does not use covered information to study, monitor, or analyze the behavior of individuals as the person's primary business.
(2) (A) "Covered information" means, with respect to an individual, any of the following that is transmitted online:
(i) The online activity of the individual, including, but not limited to, the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application.
(ii) Any unique or substantially unique identifier, such as a customer number or Internet Protocol address.
(iii) Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual's financial account.
(B) "Covered information" shall not include the title, business address, business e-mail address, business telephone number, or business fax number associated with an individual's status as an employee of an organization, or an individual's name when collected, stored, used, or disclosed in connection with that employment status; or any information collected from or about an employee by an employer, prospective employer, or former employer that directly relates to the employee-employer relationship.
(3) (A) "Sensitive information" means any of the following:
(i) Any information that is associated with covered information of an individual and relates directly to that individual's medical history, physical or mental health, or the provision of health care to the individual; race or ethnicity; religious beliefs and affiliation; sexual orientation or sexual behavior; income, assets, liabilities, or financial records, and other financial information associated with a financial account, including balances and other financial information, except when financial account information is provided by the individual and is used only to process an authorized credit or debit to the account; or precise geolocation information and any information about the individual's activities and relationships associated with that geolocation.
(ii) An individual's unique biometric data, including a fingerprint or retina scan, or social security number.
(iii) Information deemed sensitive information pursuant to regulations adopted by the Attorney General under subparagraph (B).
(B) The Attorney General in consultation with the Office of Privacy Protection may, by regulations adopted pursuant to subdivision (b), modify the scope or application of the definition of "sensitive information" as necessary to promote the purposes of this act. In adopting these regulations, the Attorney General shall consider the purpose of collecting the information and the context in which the information is used; how easily the information can be used to identify a specific individual; the nature and extent of authorized access to the information; an individual's reasonable expectations under the circumstances; and adverse effects that may be experienced by an individual if the information is disclosed to an unauthorized person.
(b) (1) No later than July 1, 2012, the Attorney General, in consultation with the Office of Privacy Protection, shall adopt regulations that would require a covered entity doing business in California to provide a consumer in this state with a method for the consumer to opt out of the collection or use of any covered information by a covered entity.
(2) The regulations shall do the following:
(A) Include a requirement for a covered entity to disclose, in a manner that is easily accessible to a consumer, information on the covered entity's collection, use, and storage of information practices, how the entity uses or discloses that covered information, and the names of the persons to whom that entity would disclose that covered information.
(B) Prohibit the collection or use of covered information by a covered entity for which a consumer has opted out of such collection or use, unless the consumer changes his or her opt-out preference to allow the collection or use of that information.
(3) The regulations may do the following:
(A) Include a requirement that a covered entity provide a consumer with a means to access the covered information of that consumer and the data retention and security policies of the covered entity in a format that is clear and easy to understand.
(B) Include a requirement that some or all of the regulations apply with regard to the collection and use of covered information, regardless of the source.
(4) The regulations shall not interfere with, affect, or prohibit a commercial relationship between a consumer and a covered entity where the consumer expressly opts in to the collection and use of his or her covered information by the covered entity for the purpose of engaging in that commercial relationship. However, if a majority of the covered entity's revenue is derived from online advertising and marketing, the regulations may regulate and affect such a commercial relationship.
(5) The Attorney General may exempt from some or all of the regulations required by this section certain commonly accepted commercial practices, including the following:
(A) Providing, operating, or improving a product or service used, requested, or authorized by an individual, including the ongoing provision of customer service and support.
(B) Analyzing data related to use of the product or service for purposes of improving the products, services, or operations.
(C) Basic business functions, such as, but not limited to, accounting, inventory and supply chain management, quality assurance, and internal auditing.
(D) Protecting or defending rights or property, including, but not limited to, intellectual property, against actual or potential security threats, fraud, theft, unauthorized transactions, or other illegal activities.
(E) Preventing imminent danger to the personal safety of an individual or group of individuals.
(F) Complying with a federal, state, or local law, regulation, rule, or other applicable legal requirement, including, but not limited to, disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process.
(G) Any other category of operational use specified by the Attorney General in regulations adopted pursuant to this subdivision that is consistent with the purposes of this act.
(c) Notwithstanding any other provision of law and to the extent consistent with federal law, no covered entity shall sell, share, or transfer a consumer's covered information, except that the regulations adopted by the Attorney General shall permit a covered entity to enter into a commercial transaction with a consumer and to collect, store, and share that consumer's covered information solely to complete that transaction.
(d) A covered entity that willfully fails to comply with regulations promulgated by the Attorney General pursuant to subdivision (b) with respect to any individual is liable to that individual in a civil action brought in a California court of appropriate jurisdiction in an amount equal to the sum of the greater of any actual damages, but in no event less than one hundred dollars ($100) or more than one thousand dollars ($1,000), and such amount of punitive damages as the court may allow. In the case of any successful action under this section, the covered entity shall be liable to the individual for the costs of the action together with reasonable attorney's fees as determined by the court. A civil action under this section shall not be commenced later than two years after the date upon which the claimant first discovered or had a reasonable opportunity to discover the violation.