SB 1348, as introduced, DeSaulnier. Online Data brokers: sale of personal information: notice.
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy.
This bill would require an online data broker, as defined, that conducts business in California, and that sells to a 3rd party the personal information of any resident of California, to notify the individual to whom personal information pertains when the online data broker sells that information to a 3rd party, and to inform the individual of the content of the information sold and the identity of the purchaser.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.3 (commencing with Section 22590)
2is added to Division 8 of the Business and Professions Code, to
3read:
4
The following definitions apply to this chapter:
8(a) “Online data broker” means a person or business that
9conducts business in California, and that owns, licenses, compiles,
10or accesses computerized data that includes individuals’ personal
11information, for the purpose of selling the personal information
12upon the request of a third party.
13(b) “Personal information” means any information that identifies,
14relates to, describes, or is capable of being associated with, a
15particular individual, including, but not limited to, his or her name,
16signature, social security number, physical characteristics or
17description, address, telephone number, passport number, driver’s
18license or state identification card
number, insurance policy
19number, education, employment, employment history, bank account
20number, credit card number, debit card number, or any other
21financial information, medical information, or health insurance
22information. “Personal information” does not include publicly
23available information that is lawfully made available to the general
24public from federal, state, or local government records.
25(c) “Subject individual” means the person to whom personal
26information pertains.
(a) An online data broker that conducts business in
28California, and that sells to a third party the personal information
29of any resident of California, shall inform the subject individual
30of all of the following:
31(1) That the online data broker has sold the subject individual’s
32personal information to a third party.
33(2) The content of the personal information sold.
34(3) The identity of the third party to whom the online data broker
35sold the subject individual’s personal information.
36(b) The online data broker shall provide the information
37described in
paragraphs (1) to (3), inclusive, of subdivision (a) by
38forwarding the information to each e-mail address for the subject
P3 1individual to which the online data broker has access, at the same
2time that the online data broker provides the personal information
3to the third party. If the online data broker does not have access
4to any e-mail address for the subject individual, the online data
5broker shall mail a copy of the information to the most recent
6physical address for the subject individual to which the online data
7broker has access, within ___ working days after the online data
8broker provides the personal information to the third party.
O
99