Amended in Assembly April 1, 2013

California Legislature—2013–14 Regular Session

Assembly Bill No. 1291


Introduced by Assembly Member Lowenthal

begin insert

(Coauthors: Assembly Members Chau and Rendon)

end insert

February 22, 2013


An act to repeal and add Section 1798.83 to the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 1291, as amended, Lowenthal. Privacy: begin insert Right to Know Act of 2013: end insert disclosure of a customer’s personal information.

(1) Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records by destroying, or arranging for the destruction of, the records, as specified. Any customer injured by a business’ violation of these provisions is entitled to recover damages, obtain injunctive relief, or seek other remedies.

This bill would begin insert create the Right to Know Act of 2013, end insert begin insert would end insert repeal and reorganize certain provisions of existing law begin insert, and would provide legislative findings in support thereof end insert.

(2) Existing law also requires a business that collects customer information for marketing purposes and that discloses a customer’s personal information to a 3rd party for direct marketing purposes, to provide the customer with whom it had a business relationship, as defined, within 30 days after the customer’s request, as specified, in writing or by e-mail, the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a business subject to these provisions to provide an address, electronic address, or toll-free telephone or facsimile number that a customer may use to deliver requests for copies of his or her personal information.

This bill would instead require any business that begin delete has end delete begin insert retains end insert a customer’s personal information, as defined, begin insert or discloses that information to a 3rd party, end insert to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer. This bill would require that a business subject to these provisions choose one of several specified options to provide the customer with a designated address for use in making a request for copies of information under these provisions.

(3) Existing law also requires a business that is required to comply with these provisions to provide information to customers regarding its privacy policy and to provide a designated means of preventing disclosure of personal information.

This bill would require a business that is required to comply with these provisions to provide specified notice to the customer of its privacy policies.

(4) Existing law provides that a customer who sustains injury as a result of a violation of these provisions is entitled to specified remedies, including civil penalties.

This bill would also provide that a violation of these provisions is deemed to constitute an injury to the customer for purposes of seeking remedies available under law.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

begin insert

begin insert SECTION 1. end insert

end insert
begin insert

This act shall be known and may be cited as the Right to Know Act of 2013.

end insert
begin insert

begin insert SEC. 2. end insert

end insert
begin insert

The Legislature hereby finds and declares all of the following:

end insert
begin insert

(a) The right to privacy is a personal and fundamental right protected by Section 1 of Article I of the California Constitution and by the United States Constitution. All individuals have a right of privacy in information pertaining to them.

end insert
begin insert

(b) This state has previously recognized the importance of providing Californians with transparency about how their personal information has been shared by businesses by enacting Section 1798.83 of the Civil Code into law in 2003 and finding and declaring the following:

end insert
begin insert

“For free market forces to have a role in shaping the privacy practices of California businesses and for ‘opt-in’ and ‘opt-out’ remedies to be effective, Californians must be more than vaguely informed that a business might share personal information with third parties. Consumers must, for these reasons and pursuant to Section 1 of Article 1 of the California Constitution, be better informed about what kinds of personal information are purchased by businesses for direct marketing purposes. With these specifics, consumers can knowledgeably choose to opt-in or opt-out or choose among businesses that disclose information to third parties for direct marketing purposes on the basis of how protective the business is of consumers’ privacy.”

end insert
begin insert

(c) Since Section 1798.83 of the Civil Code was first enacted in 2003, technology has advanced exponentially and business practices have changed dramatically.

end insert
begin insert

(d) Businesses are now collecting types of personal information not included in the original law and sharing and selling it in ways not contemplated or properly covered by the current law.

end insert
begin insert

(e) Some Web sites are installing up to 100 tracking tools when consumers visit Web pages and sending very personal information such as age, gender, race, income, health concerns, and recent purchases to third-party advertising and marketing companies.

end insert
begin insert

(f) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.

end insert
begin insert

(g) Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

end insert
begin insert

(h) Californians need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

end insert
begin delete SECTION 1. end delete begin insert SEC. 3. end insert

Section 1798.83 of the Civil Code is repealed.

begin delete SEC. 2. end delete begin insert SEC. 4. end insert

Section 1798.83 is added to the Civil Code, to read:

1798.83.

(a) (1) A business that begin delete has end delete begin insert retains end insert a customer’s personal information shall make available to the customer free of charge access to, or copies of, all of the customer’s personal information begin delete held end delete begin insert retained end insert by the business.

(2) A business that begin delete has end delete begin insert discloses end insert a customer’s personal information begin delete and discloses that personal information end delete to a third party shall make the following information available to the customer free of charge:

(A) All begin insert categories of the customer’s end insert personal information that begin delete was end delete begin insert were end insert disclosed, including the categories set forth in paragraph (1) of subdivision begin delete (e) end delete begin insert (d) end insert.

(B) The names and contact information of all of the third parties that received begin insert the customer’s end insert personal information from the business, including the third party’s designated request address or addresses if available.

(b) A business required to comply with subdivision (a) shall make the required information available by one or more of the following means:

(1) By providing a designated request address and, upon receipt of a request under this section to the designated request address, providing the customer within 30 days begin insert with end insert the required information for all disclosures occurring in the prior 12 months, provided that:

(A) If the business has an online privacy policy, that policy includes a description of a customer’s rights pursuant to this section accompanied by one or more designated request addresses. A business with multiple online privacy policies must include begin delete a description end delete begin insert this information end insert in the policy of each product or service that collects personal information that may be disclosed to a third party.

(B) The business ensures that all persons responsible for handling customer inquiries about the business’ privacy practices or the business’ compliance with this section are informed of all designated request addresses.

(C) The business provides information pertaining to the specific customer if that information is reasonably available to the business, and provides information in standardized format if information pertaining to the specific customer is not reasonably available.

(2) For information required to be provided by paragraph (2) of subdivision (a), by providing the customer with notice including the required information prior to or immediately following a disclosure.

(3) By providing the customer the disclosure required by Section 6803 of Title 15 of the United States Code, but only if the disclosure also complies with this section.

(c) begin insert (1) end insert A business is not obligated to provide more than one notice under paragraph (2) of subdivision (b) to the same customer in a 12-month period about the disclosure of the same personal information to the same third party and is not obligated under paragraph (1) of subdivision (b) to respond to a request by the same customer more than once within a given 12-month period.

begin insert

(2) A business is not obligated to provide information to the customer pursuant to subdivision (a) if the business cannot reasonably verify that the individual making the request is the customer.

end insert
begin delete

(d) A violation of this section by a business subject to these provisions is deemed to constitute an injury to a customer.

end delete
begin delete

(e)

end delete

begin insert (d) end insert For purposes of this section, the following terms have the following meanings:

(1) “Categories of personal information” includes, but is not limited to, the following:

(A) Identity information including, but not limited to, real name, alias, nickname, and user name.

(B) Address information, including, but not limited to, postal address or e-mail.

(C) Telephone number.

(D) Account name.

(E) Social security number or other government-issued identification number, including, but not limited to, social security number, driver’s license number, identification card number, and passport number.

(F) Birthdate or age.

(G) Physical characteristic information, including, but not limited to, height and weight.

(H) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.

(I) Race or ethnicity.

(J) Religious affiliation or activity.

(K) Political affiliation or activity.

(L) Professional or employment-related information.

(M) Educational information.

(N) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.

(O) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.

(P) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies.

(Q) Location information.

(R) Internet or mobile activity information, including, but not limited to, Internet Protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.

(S) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.

(T) Any of the above categories of information as they pertain to the children of the customer.

(2) (A) “Customer” means an individual who is a resident of California who provides personal information to a business, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the business including advertising or any other content.

(B) An individual is also the customer of a business if that business obtained the personal information of that individual from any other business.

(3) “Designated request address” means a mailing address, e-mail address, Web page, toll-free telephone number, or other applicable contact information, whereby customers may request or obtain the information required to be provided under subdivision (a).

(4) (A) “Disclose” means to disclose, release, share, transfer, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party as defined in this section.

(B) “Disclose” does not include:

(i) Disclosure of personal information by a business to a third party pursuant to a written contract authorizing the third party to utilize the personal information to perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (I) the contract prohibits the third party from using the personal information for any reason other than performing the specified service(s) on behalf of the business and from disclosing any such personal information to additional third parties and (II) the business effectively enforces these prohibitions.

(ii) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(iii) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing business’s rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

(iv) Disclosure of personal information by a business to a third party that is otherwise lawfully available to the general public, provided that the business did not direct the third party to the personal information.

(5) “Personal information” means:

(A) Any information that identifies or references a particular individual or electronic device, including, but not limited to, a real name, alias, postal address, telephone number, electronic mail address, Internet Protocol address, account name, social security number, driver’s license number, passport number, or any other identifier intended or able to be uniquely associated with a particular individual or device.

(B) Any information that relates to or describes an individual, including, but not limited to, any information specifically listed in subdivision (e) of Section 1798.80 of the Civil Code, and including inferences or conclusions drawn from other information, if such information is disclosed in connection with any identifying or referencing information as defined in subparagraph (A) above.

begin insert

(6) (A) “Retains” means to store or otherwise hold information, whether the information is collected or obtained directly from the subject of the information or from any third party.

end insert
begin insert

(B) “Retains” does not include information that is stored or otherwise held solely for one or more of the following purposes, so long as the information is deleted as soon as it is no longer needed for those purposes:

end insert
begin insert

(i) To perform a service or complete a transaction initiated by or on behalf of the customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services.

end insert
begin insert

(ii) To address fraud, security, or technical issues; to protect the disclosing business’ rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

end insert
begin insert

(iii) To comply with applicable law or regulation or with a court order or other legal process where the business has a good-faith belief that the law, regulation, court order, or legal process requires the information to be stored or held.

end insert
begin delete

(6)

end delete

begin insert (7) end insert “Third party” or “third parties” means one or more of the following:

(A) A business that is a separate legal entity from the business that has disclosed personal information.

(B) A business that does not share common ownership or common corporate control with the business that has disclosed personal information.

(C) A business that does not share a brand name or common branding with the business that has disclosed personal information such that the affiliate relationship is clear to the customer.

begin delete

(f)

end delete

begin insert (e) end insert The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

begin insert

(f) A violation of this section constitutes an injury to a customer. A civil action to recover penalties pursuant to Section 1798.84 may be brought by a customer, the Attorney General, a district attorney, a city attorney, or a city prosecutor, in a court of competent jurisdiction.

end insert

