BILL NUMBER: SB 1348 AMENDED
BILL TEXT
AMENDED IN SENATE APRIL 8, 2014
AMENDED IN SENATE MARCH 26, 2014
INTRODUCED BY Senator DeSaulnier
FEBRUARY 21, 2014
An act to add Chapter 22.3 (commencing with Section 22590)
toDivision to Division 8 of the
Business and Professions Code, relating to personal information.
LEGISLATIVE COUNSEL'S DIGEST
SB 1348, as amended, DeSaulnier. Online data brokers: sale of
personal information: notice.
Existing law protects the privacy of personal information,
including customer records, and requires a business that owns or
licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
appropriate to the nature of the information, in order to protect the
personal information from unauthorized access, destruction, use,
modification, or disclosure.
Existing law requires an operator of a commercial Internet Web
site or online service that collects personally identifiable
information through the Internet about consumers residing in
California who use or visit its commercial Internet Web site or
online service to conspicuously post its privacy policy on its
Internet Web site or online service and to comply with that policy.
This bill would require an online data broker, as defined, that
sells to a 3rd party the personal information of any resident of
California, to allow an individual a subject
individual, as defined, to review his or her personal
information, either pursuant to a written request or by means of an
electronic search through a secure online system. The bill would
require an online data broker , unless prohibited by federal
law, to conspicuously post an opt-out notice on its Internet
Web site, as specified, that would provide specific instructions for
permanently removing personal information from the online data broker'
s database by making a written demand requesting to have the
information permanently removed. The bill would require an online
data broker that receives a written demand from an
a subject individual pursuant to these provisions ,
unless prohibited by federal law, to remove the subject
individual's personal information from public display on the
Internet within 10 days of delivery of the written demand, and to
take specified additional steps to ensure that the information is not
reposted.
This bill would also make it unlawful for an online data
broker to solicit or accept the payment of a fee or other
consideration to review or permanently remove personal information
from the online data broker's database, and would authorize a subject
individual to bring a civil action against any person in violation
of these provisions. The bill's provisions would apply only to
information collected, assembled, or maintained by an online data
broker on and after January 1, 2015, except under designated
circumstances.
Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Chapter 22.3 (commencing with Section 22590) is added
to Division 8 of the Business and Professions Code, to read:
CHAPTER 22.3. ONLINE DATA BROKERS
22590. The following definitions apply to this chapter:
(a) "Conspicuously post," with respect to an opt-out notice, means
to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is
posted if the Internet Web page is the homepage or first significant
page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the
actual opt-out notice is posted, if the icon is located on the
homepage or the first significant page after entering the Internet
Web site, and if the icon contains the term "opt out" or "opt-out."
The icon shall also use a color that contrasts with the background
color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which
the actual opt-out notice is posted, if the text link is located on
the homepage or first significant page after entering the Internet
Web site, and if the text link does one of the following:
(A) Includes the term "opt out" or "opt-out."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it and understand it to hyperlink
to the actual opt-out notice .
(b) "Online data broker" means a commercial entity that collects,
assembles, or maintains personal information concerning individuals
residing in California who are not customers or employees of that
entity, for the purposes of selling the personal information
or providing a third party with access to the information
over the Internet to a third party .
(c) "Personal information" means any information that identifies,
relates to, describes, or is capable of being associated with, a
particular individual, including, but not limited to, his or her
name, signature, social security number, physical characteristics or
description, address, telephone number, passport number, driver's
license or state identification card number, insurance policy number,
education, employment, employment history, bank account number,
credit card number, debit card number, or any other financial
information, medical information, or health insurance information.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, state, or local government records.
(d) "Publicly post" or "publicly display" means to intentionally
communicate or otherwise make available to the general public.
(e) "Subject individual" means the person to whom personal
information pertains.
(f) "Written" means documentation in writing, and includes
facsimile, telegraphic, and other forms of electronic communication.
22592. 22591. An online data broker
that sells or provides to a third party the
personal information of any resident of California to a third
party , shall permit an a subject
individual to review his or her personal information that has been
collected, assembled, or maintained by the online data broker, either
by submitting a written request or by means of an electronic search
through a secure online system.
22594. 22592. (a) (1) An
Unless prohibited by federal law, an online data
broker shall conspicuously post an opt-out notice on its Internet
Web site, which shall include specific instructions for permanently
removing personal information from the online data broker's database,
by making a written demand requesting to have the information
removed.
(2) If an a subject individual makes
a written demand to remove his or her personal information from an
online data broker's database pursuant to this subdivision, the
online data broker shall permanently remove an
the subject individual's personal information from its
database, in accordance with subdivision (b).
(b) (1) An Unless prohibited by federal
law, an online data broker that receives a written demand from
an a subject individual pursuant to
this section shall remove the subject individual's
personal information from public display on the Internet within 10
days of delivery of the written demand, and shall continue
to ensure that this information is not reposted on the same
Internet Web site, a subsidiary site, or any other Internet Web site
owned, controlled, or maintained by the online data
broker receiving the written demand.
(2) After receiving the a subject
individual's written demand, the online data broker shall not
transfer an the subject individual's
personal information to any other person, business, or association
through any other medium.
22593. (a) It is unlawful for an online data broker to solicit or
accept the payment of a fee or other consideration to review or
permanently remove personal information from the online data broker's
database.
(b) Each payment solicited or accepted in violation of this
section constitutes a separate violation.
22594. In addition to any other sanction, penalty, or remedy
provided by law, a subject individual may bring a civil action in any
court of competent jurisdiction against any person in violation of
this chapter for damages in an amount equal to the greater of one
thousand dollars ($1,000) per violation or the actual damages
suffered by the subject individual as a result, along with costs,
reasonable attorney's fees, and any other legal or equitable relief.
22595. (a) This chapter shall only apply to personal information
that is collected, assembled, or maintained by an online data broker
after January 1, 2015.
(b) Notwithstanding subdivision (a), this chapter shall apply to
information collected, assembled, or maintained by an online data
broker prior to January 1, 2015, if the data broker collected,
assembled, or maintained the information in violation of any law or
regulation.