BILL NUMBER: SB 129 CHAPTERED
BILL TEXT
CHAPTER 984
FILED WITH SECRETARY OF STATE SEPTEMBER 30, 2000
APPROVED BY GOVERNOR SEPTEMBER 29, 2000
PASSED THE SENATE AUGUST 31, 2000
PASSED THE ASSEMBLY AUGUST 31, 2000
CONFERENCE REPORT NO. 1
PROPOSED IN CONFERENCE AUGUST 28, 2000
AMENDED IN ASSEMBLY AUGUST 26, 1999
AMENDED IN ASSEMBLY AUGUST 16, 1999
AMENDED IN ASSEMBLY JULY 8, 1999
AMENDED IN SENATE MARCH 17, 1999
INTRODUCED BY Senator Peace
DECEMBER 22, 1998
An act to add Article 7 (commencing with Section 350) to Chapter 4
of Division 1 of the Business and Professions Code, and to add
Section 11019.9 to the Government Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
SB 129, Peace. Personal information: collection and disclosure.
Existing law, the Public Records Act, governs public access to
records maintained by state and local public agencies, as specified.
Existing law, the Information Practices Act of 1977, requires
state and local agencies, among other things, to maintain in its
records only that personal information, as defined, which is relevant
and necessary to its governmental purpose; to maintain its sources
of information; to maintain accurate, relevant, and complete records;
to disclose personal information only under specified circumstances;
to maintain records regarding the disclosure of personal information
and to allow individuals access to those records pertaining to them,
except as specified, to provide for the amendment of those records.
The act also establishes civil remedies for its enforcement.
Existing law also prohibits bookkeeping services from disclosing
records containing personal information or information regarding a
business entity without express written consent, and prohibits video
rental services from disclosing personal information without express
written consent, except as specified; and provides for civil actions
to enforce these provisions.
Existing law also regulates the activities of consumer credit
reporting agencies, users of consumer credit reports, and furnishers
of consumer credit information, and establishes civil remedies for
enforcement.
This bill would establish within the Department of Consumer
Affairs the Office of Privacy Protection, the purpose of which would
be to protect the privacy of individuals' personal information by
identifying consumer problems and facilitating development of fair
information practices, as specified. The bill would require the
office to inform the public of potential options for protecting the
privacy of, and avoiding the misuse of, personal information, as
specified, and to make recommendations to organizations for privacy
policies, as specified, among other things. The bill would require
each state department or state agency to designate a position
therein, the duties of which would include, but not be limited to,
responsibility for the privacy policy within the department or
agency. The bill would require the Director of the Department of
Consumer Affairs, commencing in January 2003, to report to the
Legislature on an annual basis, as specified.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Article 7 (commencing with Section 350) is added to
Chapter 4 of Division 1 of the Business and Professions Code, to
read:
Article 7. Personal Information and Privacy Protection
350. (a) There is hereby created in the Department of Consumer
Affairs an Office of Privacy Protection under the direction of the
Director of the Department of Consumer Affairs and the Secretary of
the State and Consumer Services Agency. The office's purpose shall
be protecting the privacy of individuals' personal information in a
manner consistent with the California Constitution by identifying
consumer problems in the privacy area and facilitating development of
fair information practices in adherence with the Information
Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of
Part 4 of Division 3 of the Civil Code).
(b) The office shall inform the public of potential options for
protecting the privacy of, and avoiding the misuse of, personal
information.
(c) The office shall make recommendations to organizations for
privacy policies and practices that promote and protect the interests
of California consumers.
(d) The office may promote voluntary and mutually agreed upon
nonbinding arbitration and mediation of privacy related disputes
where appropriate.
(e) The Director of the Department of Consumer Affairs shall do
all of the following:
(1) Receive complaints from individuals concerning any persons'
obtaining, compiling, maintaining, using, disclosing or disposing of
personal information in a manner that may be potentially unlawful or
violate a stated privacy policy relating to that individual, and
provide advice, information, and referral where available.
(2) Provide information to consumers on effective ways of handling
complaints that involve violations of privacy related laws,
including identity theft and identity fraud. Where appropriate
local, state, or federal agencies are available to assist consumers
with those complaints, the director shall refer those complaints to
those agencies.
(3) Develop information and educational programs and materials to
foster public understanding and recognition of the purposes of this
article.
(4) Investigate and assist in the prosecution of identity theft
and other privacy related crimes, and, as necessary, coordinate with
local, state, and federal law enforcement agencies in the
investigation of similar crimes.
(5) Assist and coordinate in the training of local, state, and
federal law enforcement agencies regarding identity theft and other
privacy related crimes, as appropriate.
(6) The authority of the office, the director, or the secretary,
to adopt regulations under this article shall be limited exclusively
to those regulations necessary and appropriate to implement
subdivisions (b), (c), (d), and (e).
351. Commencing in 2003, the director shall report to the
Legislature on an annual basis, on or before January 31, detailing
the activities engaged in by the department under this article.
352. (a) Subject to subdivision (b), the department shall
commence activities under this article no later than January 1, 2002.
(b) The provisions of this article shall only be operative for
those years in which there is an appropriation from the General Fund
in the Budget Act to fund the activities required by this article.
SEC. 2. Section 11019.9 is added to the Government Code, to read:
11019.9. Each state department and state agency shall enact and
maintain a permanent privacy policy, in adherence with the
Information Practices Act of 1977 (Title 1.8 (commencing with Section
1798) of Part 4 of Division 3 of the Civil Code), that includes, but
is not limited to, the following principles:
(a) Personally indentifiable information is only obtained through
lawful means.
(b) The purposes for which personally identifiable data are
collected are specified at or prior to the time of collection, and
any subsequent use is limited to the fulfillment of purposes not
inconsistent with those purposes previously specified.
(c) Personal data shall not be disclosed, made available, or
otherwise used for purposes other than those specified, except with
the consent of the subject of the data, or as authorized by law or
regulation.
(d) Personal data collected must be relevant to the purpose for
which it is collected.
(e) The general means by which personal data is protected against
loss, unauthorized access, use modification or disclosure shall be
posted, unless such disclosure of general means would compromise
legitimate state department or state agency objectives or law
enforcement purposes.
(f) Each state department or state agency shall designate a
position within the department or agency, the duties of which shall
include, but not be limited to, responsibility for the privacy policy
within that department or agency.