AB 1291, as introduced, Lowenthal. Privacy: disclosure of a customer’s personal information.
(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.
This bill would repeal and reorganize certain provisions of existing law.
(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.
This bill would instead require any business that has a customer’s personal information, as defined, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.
This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.
(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.
This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1798.83 of the Civil Code is repealed.
(a) Except as otherwise provided in subdivision (d), if a business has an established business relationship with a customer and has within the immediately preceding calendar year disclosed personal information that corresponds to any of the categories of personal information set forth in paragraph (6) of subdivision (e) to third parties, and if the business knows or reasonably should know that the third parties used the personal information for the third parties’ direct marketing purposes, that business shall, after the receipt of a written or electronic mail request, or, if the business chooses to receive requests by toll-free telephone or facsimile numbers, a telephone or facsimile request from the customer, provide all of the following information to the customer free of charge:
(1) In writing or by electronic mail, a list of the categories set forth in paragraph (6) of subdivision (e) that correspond to the personal information disclosed by the business to third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year.
(2) In writing or by electronic mail, the names and addresses of all of the third parties that received personal information from the business for the third parties’ direct marketing purposes during the preceding calendar year and, if the nature of the third parties’ business cannot reasonably be determined from the third parties’ name, examples of the products or services marketed, if known to the business, sufficient to give the customer a reasonable indication of the nature of the third parties’ business.
(b) (1) A business required to comply with this section shall designate a mailing address, electronic mail address, or, if the business chooses to receive requests by telephone or facsimile, a toll-free telephone or facsimile number, to which customers may deliver requests pursuant to subdivision (a). A business required to comply with this section shall, at its election, do at least one of the following:
(A) Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business’s privacy practices or the business’s compliance with this section shall be informed of the designated addresses or numbers or the means to obtain the addresses or numbers.
(B) Add to the home page of its Web site a link either to a page titled “Your Privacy Rights” or add the words “Your Privacy
If the business elects to add the words “Your Privacy Rights” to
Rights” shall be in the same style and size as the link to the
written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link shall describe a customer’s rights pursuant to this section and shall provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate.
If the business elects to add the words “Your California Privacy
in a manner that complies with this subdivision, and the first page of the link describes a customer’s rights pursuant to this section, and provides the designated mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as appropriate, the business need not respond to requests that are not received at one of the designated addresses or numbers.
(C) Make the designated addresses or numbers, or means to obtain the designated addresses or numbers, readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.
The response to a request pursuant to this section received at one of the designated addresses or numbers shall be provided within 30 days. Requests received by the business at other than one of the designated addresses or numbers shall be provided within a reasonable period, in light of the circumstances related to how the request was received, but not to exceed 150 days from the date received.
(2) A business that is required to comply with this section and Section 6803 of Title 15 of the United States Code may comply with this section by providing the customer the disclosure required by Section 6803 of Title 15 of the United States Code, but only if the disclosure also complies with this section.
(3) A business that is required to comply with this section is not obligated to provide information associated with specific individuals and may provide the information required by this section in standardized format.
(c) (1) A business that is required to comply with this section is not obligated to do so in response to a request from a customer more than once during the course of any calendar year. A business with fewer than 20 full-time or part-time employees is exempt from the requirements of this section.
(2) If a business that is required to comply with this section
of not disclosing personal information of customers to third parties for the third parties’ direct marketing purposes unless the customer first affirmatively agrees to that disclosure, or of not disclosing the personal information of customers to third parties for the third parties’ direct marketing purposes if the customer has exercised an option that prevents that information from being disclosed to third parties for those purposes, as long as the business maintains and discloses the policies, the business may comply with subdivision (a) by notifying the customer of his or her right to prevent disclosure of personal information, and providing the customer with a cost-free means to exercise that right.
(d) The following are among the disclosures not deemed to be disclosures of personal information by a business for a third party’s direct marketing purposes for purposes of this section:
(1) Disclosures between a business and a third party pursuant to contracts or arrangements pertaining to any of the following:
(A) The processing, storage, management, or organization of personal information, or the performance of services on behalf of the business during which personal information is disclosed, if the third party that processes, stores, manages, or organizes the personal information does not use the information for a third party’s direct marketing purposes and does not disclose the information to additional third parties for their direct marketing purposes.
(B) Marketing products or services to customers with whom the business has an established business relationship where, as a part of the marketing, the business does not disclose personal information to third parties for the third parties’ direct marketing purposes.
(C) Maintaining or servicing accounts, including credit accounts and disclosures pertaining to the denial of applications for credit or the status of applications for credit and processing bills or insurance claims for payment.
(D) Public record information relating to the right, title, or interest in real property or information relating to property characteristics, as defined in Section 408.3 of the Revenue and Taxation Code, obtained from a governmental agency or entity or from a multiple listing service, as defined in Section 1087, and not provided directly by the customer to a business in the course of an established business relationship.
(E) Jointly offering a product or service pursuant to a written agreement with the third party that receives the personal information, provided that all of the following requirements are met:
(i) The product or service offered is a product or service of, and is provided by, at least one of the businesses that is a party to the written agreement.
(ii) The product or service is jointly offered, endorsed, or sponsored by, and clearly and conspicuously identifies for the customer, the businesses that disclose and receive the disclosed personal information.
(iii) The written agreement provides that the third party that receives the personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a product or service that is the subject of the written agreement.
(2) Disclosures to or from a consumer reporting agency of a customer’s payment history or other information pertaining to transactions or experiences between the business and a customer if that information is to be reported in, or used to generate, a consumer report as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(3) Disclosures of personal information by a business to a third party financial institution solely for the purpose of the business obtaining payment for a transaction in which the customer paid the business for goods or services with a check, credit card, charge card, or debit card, if the customer seeks the information required by subdivision (a) from the business obtaining payment, whether or not the business obtaining payment knows or reasonably should know that the third party financial institution has used the personal information for its direct marketing purposes.
(4) Disclosures of personal information between a licensed agent and its principal, if the personal information disclosed is necessary to complete, effectuate, administer, or enforce transactions between the principal and the agent, whether or not the licensed agent or principal also uses the personal information for direct marketing purposes, if that personal information is used by each of them solely to market products and services directly to customers with whom both have established business relationships as a result of the principal and agent relationship.
(5) Disclosures of personal information between a financial institution and a business that has a private label credit card, affinity card, retail installment contract, or cobranded card program with the financial institution, if the personal information disclosed is necessary for the financial institution to maintain or service accounts on behalf of the business with which it has a private label credit card, affinity card, retail installment contract, or cobranded card program, or to complete, effectuate, administer, or enforce customer transactions or transactions between the institution and the business, whether or not the institution or the business also uses the personal information for direct marketing purposes, if that personal information is used solely to market products and services directly to customers with whom both the business and the financial institution have established business relationships as a result of the private label credit card, affinity card, retail installment contract, or cobranded card program.
(e) For purposes of this section, the following terms have the following meanings:
(1) “Customer” means an individual who is a resident of California who provides personal information to a business during the creation of, or throughout the duration of, an established business relationship if the business relationship is primarily for personal, family, or household purposes.
(2) “Direct marketing purposes” means the use of personal information to solicit or induce a purchase, rental, lease, or exchange of products, goods, property, or services directly to individuals by means of the mail, telephone, or electronic mail for their personal, family, or household purposes. The sale, rental, exchange, or lease of personal information for consideration to businesses is a direct marketing purpose of the business that sells, rents, exchanges, or obtains consideration for the personal information. “Direct marketing purposes” does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions, (B) to raise funds from and communicate with individuals regarding politics and government, (C) by a third party when the third party receives personal information solely as a consequence of having obtained for consideration permanent ownership of accounts that might contain personal information, or (D) by a third party when the third party receives personal information solely as a consequence of a single transaction where, as a part of the transaction, personal information had to be disclosed in order to effectuate the transaction.
(3) “Disclose” means to disclose, release, transfer, disseminate, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.
(4) “Employees who regularly have contact with customers” means employees whose contact with customers is not incidental to their primary employment duties, and whose duties do not predominantly involve ensuring the safety or health of the business’s customers. It includes, but is not limited to, employees whose primary employment duties are as cashier, clerk, customer service, sales, or promotion. It does not, by way of example, include employees whose primary employment duties consist of food or beverage preparation or service, maintenance and repair of the business’s facilities or equipment, direct involvement in the operation of a motor vehicle, aircraft, watercraft, amusement ride, heavy machinery or similar equipment, security, or participation in a theatrical, literary, musical, artistic, or athletic performance
(5) “Established business relationship” means a relationship formed by a voluntary, two-way communication between a business and a customer, with or without an exchange of consideration, for the purpose of purchasing, renting, or leasing real or personal property, or any interest therein, or obtaining a product or service from the business, if the relationship is ongoing and has not been expressly terminated by the business or the customer, or if the relationship is not ongoing, but is solely established by the purchase, rental, or lease of real or personal property from a business, or the purchase of a product or service, and no more than 18 months have elapsed from the date of the purchase, rental, or lease.
(6) (A) The categories of personal information required to be disclosed pursuant to paragraph (1) of subdivision (a) are all of the following:
(i) Name and address.
(ii) Electronic mail address.
(iii) Age or date of birth.
(iv) Names of children.
(v) Electronic mail or other addresses of children.
(vi) Number of children.
(vii) The age or gender of children.
(xiii) Telephone number.
(xv) Political party affiliation.
(xvi) Medical condition.
(xvii) Drugs, therapies, or medical products or equipment used.
(xviii) The kind of product the customer purchased, leased, or rented.
(xix) Real property purchased, leased, or rented.
(xx) The kind of service provided.
(xxi) Social security number.
(xxii) Bank account number.
(xxiii) Credit card number.
(xxiv) Debit card number.
(xxv) Bank or investment account, debit card, or credit card balances.
(xxvi) Payment history.
(xxvii) Information pertaining to the customer’s creditworthiness, assets, income, or liabilities.
(B) If a list, description, or grouping of customer names or addresses is derived using any of these categories, and is disclosed to a third party for direct marketing purposes in a manner that permits the third party to identify, determine, or extrapolate any other personal information from which the list was derived, and that personal information when it was disclosed identified, described, or was associated with an individual, the categories set forth in this subdivision that correspond to the personal information used to derive the list, description, or grouping shall be considered personal information for purposes of this section.
(7) “Personal information” as used in this section means any information that when it was disclosed identified, described, or was able to be associated with an individual and includes all of the following:
(A) An individual’s name and address.
(B) Electronic mail address.
(C) Age or date of birth.
(D) Names of children.
(E) Electronic mail or other addresses of children.
(F) Number of children.
(G) The age or gender of children.
(M) Telephone number.
(O) Political party affiliation.
(P) Medical condition.
(Q) Drugs, therapies, or medical products or equipment used.
(R) The kind of product the customer purchased, leased, or rented.
(S) Real property purchased, leased, or rented.
(T) The kind of service provided.
(U) Social security number.
(V) Bank account number.
(W) Credit card number.
(X) Debit card number.
(Y) Bank or investment account, debit card, or credit card balances.
(Z) Payment history.
(AA) Information pertaining to creditworthiness, assets, income, or liabilities.
(8) “Third party” or “third parties” means one or more of the following:
(A) A business that is a separate legal entity from the business that has an established business relationship with a customer.
(B) A business that has access to a database that is shared among businesses, if the business is authorized to use the database for direct marketing purposes, unless the use of the database is exempt from being considered a disclosure for direct marketing purposes pursuant to subdivision (d).
(C) A business not affiliated by a common ownership or common corporate control with the business required to comply with subdivision (a).
(f) (1) Disclosures of personal information for direct marketing purposes between affiliated third parties that share the same brand name are exempt from the requirements of paragraph (1) of subdivision (a) unless the personal information disclosed corresponds to one of the following categories, in which case the customer shall be informed of those categories listed in this subdivision that correspond to the categories of personal information disclosed for direct marketing purposes and the third party recipients of personal information disclosed for direct marketing purposes pursuant to paragraph (2) of subdivision (a):
(A) Number of children.
(B) The age or gender of children.
(C) Electronic mail or other addresses of children.
(H) Telephone number.
(I) Medical condition.
(J) Drugs, therapies, or medical products or equipment used.
(K) Social security number.
(L) Bank account number.
(M) Credit card number.
(N) Debit card number.
(O) Bank or investment account, debit card, or credit card balances.
(2) If a list, description, or grouping of customer names or addresses is derived using any of these categories, and is disclosed to a third party or third parties sharing the same brand name for direct marketing purposes in a manner that permits the third party to identify, determine, or extrapolate the personal information from which the list was derived, and that personal information when it was disclosed identified, described, or was associated with an individual, any other personal information that corresponds to the categories set forth in this subdivision used to derive the list, description, or grouping shall be considered personal information for purposes of this section.
(3) If a business discloses personal information for direct marketing purposes to affiliated third parties that share the same brand name, the business that discloses personal information for direct marketing purposes between affiliated third parties that share the same brand name may comply with the requirements of paragraph (2) of subdivision (a) by providing the overall number of affiliated companies that share the same brand name.
(g) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(h) This section does not apply to a financial institution that is subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code) if the financial institution is in compliance with Sections 4052, 4052.5, 4053, 4053.5, and 4054.6 of the Financial Code, as those sections read when they were chaptered on August 28, 2003, and as subsequently amended by the Legislature or by initiative.
(i) This section shall become operative on January 1, 2005.
Section 1798.83 is added to the Civil Code, to read:
(a) (1) A business that has a customer’s personal information shall make available to the customer free of charge access to, or copies of, all of the customer’s personal information held by the business.
(2) A business that has a customer’s personal information and discloses that personal information to a third party shall make the following information available to the customer free of charge:
(A) All personal information that was disclosed, including the categories set forth in paragraph (1) of subdivision (e).
(B) The names and contact information of all of the third parties that received personal information from the business, including the third party’s designated request address or addresses if
(b) A business required to comply with subdivision (a) shall make the required information available by one or more of the following:
(1) By providing a designated request address and, upon receipt of a request under this section to the designated request address, providing the customer within 30 days the required information for all disclosures occurring in the prior 12 months, provided that:
includes a description of a customer’s rights pursuant to this section accompanied by one or more designated request addresses. A business with multiple online privacy policies must include a description in the policy of each product or service that collects personal information that may be disclosed to a third party.
(B) The business ensures that all persons responsible for handling customer inquiries about the business’ privacy practices or the business’ compliance with this section are informed of all designated request addresses.
(C) The business provides information pertaining to the specific customer if that information is reasonably available to the business, and provides information in standardized format if information pertaining to the specific customer is not reasonably available.
(2) For information required to be provided by paragraph (2) of subdivision (a), by providing the customer with notice including the required information prior to or immediately following a
(3) By providing the customer the disclosure required by Section 6803 of Title 15 of the United States Code, but only if the disclosure also complies with this section.
(c) A business is not obligated to provide more than one notice under paragraph (2) of subdivision (b) to the same customer in a 12-month period about the disclosure of the same personal information to the same third party and is not obligated under paragraph (1) of subdivision (b) to respond to a request by the same customer more than once within a given 12-month period.
(d) A violation of this section by a business subject to these provisions is deemed to constitute an injury to a customer.
(e) For purposes of this section, the following terms have the following meanings:
(1) “Categories of personal information” includes, but is not limited to, the following:
(A) Identity information including, but not limited to, real name, alias, nickname, and user name.
(B) Address information, including, but not limited to, postal address or e-mail.
(C) Telephone number.
(D) Account name.
(E) Social security number or other government-issued identification number, including, but not limited to, social security number, driver’s license number, identification card number, and
(F) Birthdate or age.
(G) characteristic information, including, but not limited to, height and weight.
(H) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender
(I) Race or ethnicity.
(J) Religious affiliation or activity.
(K) Political affiliation or activity.
(L) Professional or employment-related information.
(M) Educational information.
(N) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
(O) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
(P) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or
(Q) Location information.
(R) Internet or mobile activity information, including, but not limited to, Internet Protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
(S) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the
(T) Any of the above categories of information as they pertain to the children of the customer.
(2) (A) “Customer” means an individual who is a resident of California who provides personal information to a business, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any
(B) An individual is also the customer of a business if that business obtained the personal information of that individual from any other business.
(3) “Designated request address” means a
e-mail address, Web page, toll-free telephone number, or other applicable contact information, whereby customers may request or obtain the information required to be provided under subdivision (a).
(4) (A) “Disclose” means to disclose, release, share, transfer, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party as defined in this section.
(B) “Disclose” does not include:
(i) Disclosure of personal information by a business to a third party pursuant to a written contract authorizing the third party to utilize the personal information to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (I) the contract prohibits the third party from using the personal information for any reason other than performing the specified service(s) on behalf of the business and from disclosing any such personal information to additional third parties and (II) the business effectively enforces
(ii) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
(iii) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing business’s rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
(iv) Disclosure of personal information by a business to a third party that is otherwise lawfully available to the general public, provided that the business did not direct the third party to the
(5) “Personal information” means:
(A) Any information that identifies or references a particular individual or electronic device, including, but not limited to, a real name, alias, postal address, telephone number, electronic mail address, Internet Protocol address, account name, social security number, driver’s license number, passport number, or any other identifier intended or able to be uniquely associated with a particular individual or device.
(B) Any information that relates to or describes an individual, including, but not limited to, any information specifically listed in subdivision (e) of Section 1798.80 of the Civil Code, and including inferences or conclusions drawn from other information, if such information is disclosed in connection with any identifying or referencing information as defined in subparagraph (A) above.
(6) “Third party” or “third parties” means one or more of the following:
(A) A business that is a separate legal entity from the business that has disclosed personal information.
(B) A business that does not share common ownership or common corporate control with the business that has disclosed personal information.
(C) A business that does not share a brand name or common branding with the business that has disclosed personal information such that the affiliate relationship is clear to the customer.
(f) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.