BILL NUMBER: SB 129 CHAPTERED 09/30/00

CHAPTER 984
FILED WITH SECRETARY OF STATE SEPTEMBER 30, 2000
APPROVED BY GOVERNOR SEPTEMBER 29, 2000
PASSED THE SENATE AUGUST 31, 2000
PASSED THE ASSEMBLY AUGUST 31, 2000
CONFERENCE REPORT NO. 1
PROPOSED IN CONFERENCE AUGUST 28, 2000
AMENDED IN ASSEMBLY AUGUST 26, 1999
AMENDED IN ASSEMBLY AUGUST 16, 1999
AMENDED IN ASSEMBLY JULY 8, 1999
AMENDED IN SENATE MARCH 17, 1999

INTRODUCED BY Senator Peace

DECEMBER 22, 1998

An act to add Article 7 (commencing with Section 350) to Chapter 4 of Division 1 of the Business and Professions Code, and to add Section 11019.9 to the Government Code, relating to privacy.

LEGISLATIVE COUNSEL'S DIGEST

SB 129, Peace. Personal information: collection and disclosure.

Existing law, the Public Records Act, governs public access to records maintained by state and local public agencies, as specified.

Existing law, the Information Practices Act of 1977, requires state and local agencies, among other things, to maintain in its records only that personal information, as defined, which is relevant and necessary to its governmental purpose; to maintain its sources of information; to maintain accurate, relevant, and complete records; to disclose personal information only under specified circumstances; to maintain records regarding the disclosure of personal information and to allow individuals access to those records pertaining to them, except as specified, to provide for the amendment of those records. The act also establishes civil remedies for its enforcement.

Existing law also prohibits bookkeeping services from disclosing records containing personal information or information regarding a business entity without express written consent, and prohibits video rental services from disclosing personal information without express written consent, except as specified; and provides for civil actions to enforce these provisions. Existing law also regulates the activities of consumer credit reporting agencies, users of consumer credit reports, and furnishers of consumer credit information, and establishes civil remedies for enforcement.

This bill would establish within the Department of Consumer Affairs the Office of Privacy Protection, the purpose of which would be to protect the privacy of individuals' personal information by identifying consumer problems and facilitating development of fair information practices, as specified. The bill would require the office to inform the public of potential options for protecting the privacy of, and avoiding the misuse of, personal information, as specified, and to make recommendations to organizations for privacy policies, as specified, among other things.

The bill would require each state department or state agency to designate a position therein, the duties of which would include, but not be limited to, responsibility for the privacy policy within the department or agency.

The bill would require the Director of the Department of Consumer Affairs, commencing in January 2003, to report to the Legislature on an annual basis, as specified.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Article 7 (commencing with Section 350) is added to Chapter 4 of Division 1 of the Business and Professions Code, to read:

Article 7. Personal Information and Privacy Protection

350. (a) There is hereby created in the Department of Consumer Affairs an Office of Privacy Protection under the direction of the Director of the Department of Consumer Affairs and the Secretary of the State and Consumer Services Agency. The office's purpose shall be protecting the privacy of individuals' personal information in a manner consistent with the California Constitution by identifying consumer problems in the privacy area and facilitating development of fair information practices in adherence with the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code).

(b) The office shall inform the public of potential options for protecting the privacy of, and avoiding the misuse of, personal information.

(c) The office shall make recommendations to organizations for privacy policies and practices that promote and protect the interests of California consumers.

(d) The office may promote voluntary and mutually agreed upon nonbinding arbitration and mediation of privacy related disputes where appropriate.

(e) The Director of the Department of Consumer Affairs shall do all of the following:

(1) Receive complaints from individuals concerning any persons' obtaining, compiling, maintaining, using, disclosing or disposing of personal information in a manner that may be potentially unlawful or violate a stated privacy policy relating to that individual, and provide advice, information, and referral where available.

(2) Provide information to consumers on effective ways of handling complaints that involve violations of privacy related laws, including identity theft and identity fraud. Where appropriate local, state, or federal agencies are available to assist consumers with those complaints, the director shall refer those complaints to those agencies.

(3) Develop information and educational programs and materials to foster public understanding and recognition of the purposes of this article.

(4) Investigate and assist in the prosecution of identity theft and other privacy related crimes, and, as necessary, coordinate with local, state, and federal law enforcement agencies in the investigation of similar crimes.

(5) Assist and coordinate in the training of local, state, and federal law enforcement agencies regarding identity theft and other privacy related crimes, as appropriate.

(6) The authority of the office, the director, or the secretary, to adopt regulations under this article shall be limited exclusively to those regulations necessary and appropriate to implement subdivisions (b), (c), (d), and (e).

351. Commencing in 2003, the director shall report to the Legislature on an annual basis, on or before January 31, detailing the activities engaged in by the department under this article.

352. (a) Subject to subdivision (b), the department shall commence activities under this article no later than January 1, 2002.

(b) The provisions of this article shall only be operative for those years in which there is an appropriation from the General Fund in the Budget Act to fund the activities required by this article.

SEC. 2. Section 11019.9 is added to the Government Code, to read:

11019.9. Each state department and state agency shall enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code), that includes, but is not limited to, the following principles:

(a) Personally identifiable information is only obtained through lawful means.

(b) The purposes for which personally identifiable data are collected are specified at or prior to the time of collection, and any subsequent use is limited to the fulfillment of purposes not inconsistent with those purposes previously specified.

(c) Personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the subject of the data, or as authorized by law or regulation.

(d) Personal data collected must be relevant to the purpose for which it is collected.

(e) The general means by which personal data is protected against loss, unauthorized access, use, modification or disclosure shall be posted, unless such disclosure of general means would compromise legitimate state department or state agency objectives or law enforcement purposes.

(f) Each state department or state agency shall designate a position within the department or agency, the duties of which shall include, but not be limited to, responsibility for the privacy policy within that department or agency.