SB 1348, as amended, DeSaulnier. Online [begin delete]Data[end delete] [begin insert]data[end insert] brokers: sale of personal information: notice.
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial [begin insert]Internet[end insert] Web site or online service to conspicuously post its privacy policy on its [begin insert]Internet[end insert] Web site or online service and to comply with that policy.
This bill would require an online data broker, as defined, [begin delete]that conducts business in California, and[end delete] that sells to a 3rd party the personal information of any resident of California, to [begin delete]notify the individual to whom personal information pertains when the online data broker sells that information to a 3rd party, and to inform the individual of the content of the information sold and the identity of the purchaser.[end delete] [begin insert]allow an individual to review his or her personal information, either pursuant to a written request or by means of an electronic search through a secure online system. The bill would require an online data broker to conspicuously post an opt-out notice on its Internet Web site, as specified, that would provide specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information permanently removed. The bill would require an online data broker that receives a written demand from an individual pursuant to these provisions to remove the individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and to take specified additional steps to ensure that the information is not reposted.[end insert]
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:
The following definitions apply to this chapter:
[begin insert](a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:
(A) Includes the term “opt out” or “opt-out.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.[end insert]
[begin delete](a)[end delete] [begin insert](b)[end insert] “Online data broker” means a [begin delete]person or business that conducts business in California, and that owns, licenses, compiles, or accesses computerized data that includes individuals’ personal information, for the purpose of selling the personal information upon the request of a third party[end delete] [begin insert]commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling the personal information or providing a third party with access to the information[end insert].
[begin delete](b)[end delete] [begin insert](c)[end insert] “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(d) “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
[begin delete](c)[end delete] [begin insert](e)[end insert] “Subject individual” means the person to whom personal information pertains.
(a) An online data broker that conducts business in California, and that sells to a third party the personal information of any resident of California, shall inform the subject individual of all of the following:
(1) That the online data broker has sold the subject individual’s personal information to a third party.
(2) The content of the personal information sold.
(3) The identity of the third party to whom the online data broker sold the subject individual’s personal information.
(b) The online data broker shall provide the information described in paragraphs (1) to (3), inclusive, of subdivision (a) by forwarding the information to each e-mail address for the subject individual to which the online data broker has access, at the same time that the online data broker provides the personal information to the third party. If the online data broker does not have access to any e-mail address for the subject individual, the online data broker shall mail a copy of the information to the most recent physical address for the subject individual to which the online data broker has access, within ___ working days after the online data broker provides the personal information to the third party.
An online data broker that sells or provides to a third party the personal information of any resident of California, shall permit an individual to review his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by means of an electronic search through a secure online system.
(a) (1) An online data broker shall conspicuously post an opt-out notice on its Internet Web site, which shall include specific instructions for permanently removing personal information from the online data broker’s database, by making a written demand requesting to have the information removed.
(2) If an individual makes a written demand to remove his or her personal information from an online data broker’s database pursuant to this subdivision, the online data broker shall permanently remove an individual’s personal information from its database, in accordance with subdivision (b).
(b) (1) An online data broker that receives a written demand from an individual pursuant to this section shall remove the individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and shall continue to ensure that this information is not reposted on the same Internet Web site, a subsidiary site, or any other Internet Web site maintained by the online data broker receiving the written demand.
(2) After receiving the individual’s written demand, the online data broker shall not transfer an individual’s personal information to any other person, business, or association through any other medium.