SB 1348, as amended, DeSaulnier. Online data brokers: sale of personal information: notice.
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site or online service and to comply with that policy.
This bill would require an online data broker, as defined, that sells to a 3rd party the personal information of any resident of California, to allow begin delete an individual end delete begin insert a subject individual, as defined, end insert to review his or her personal information, either pursuant to a written request or by means of an electronic search through a secure online system. The bill would require an online data broker begin insert, unless prohibited by federal law, end insert to conspicuously post an opt-out notice on its Internet Web site, as specified, that would provide specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information permanently removed. The bill would require an online data broker that receives a written demand from begin delete an end delete begin insert a subject end insert individual pursuant to these provisions begin insert, unless prohibited by federal law, end insert to remove the begin insert subject end insert individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and to take specified additional steps to ensure that the information is not reposted.
begin insert This bill would also make it unlawful for an online data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the online data broker’s database, and would authorize a subject individual to bring a civil action against any person in violation of these provisions. The bill’s provisions would apply only to information collected, assembled, or maintained by an online data broker on and after January 1, 2015, except under designated circumstances. end insert
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:
The following definitions apply to this chapter:
(a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:
(A) Includes the term “opt out” or “opt-out.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it begin insert and understand it to hyperlink to the actual opt-out notice end insert.
(b) “Online data broker” means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling the personal information begin delete or providing a third party with access to the information end delete begin insert over the Internet to a third party end insert.
(c) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include begin delete publicly available end delete information that is lawfully made available to the general public from federal, state, or local government records.
(d) “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
(e) “Subject individual” means the person to whom personal information pertains.
(f) “Written” means documentation in writing, and includes facsimile, telegraphic, and other forms of electronic communication.
An online data broker that sells begin delete or provides to a third party the end delete personal information of any resident of California begin insert to a third party end insert, shall permit begin delete an end delete begin insert a subject end insert individual to review his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by means of an electronic search through a secure online system.
(a) (1) begin delete An end delete begin insert Unless prohibited by federal law, an end insert online data broker shall conspicuously post an opt-out notice on its Internet Web site, which shall include specific instructions for permanently removing personal information from the online data broker’s database, by making a written demand requesting to have the information removed.
(2) If begin delete an end delete begin insert a subject end insert individual makes a written demand to remove his or her personal information from an online data broker’s database pursuant to this subdivision, the online data broker shall permanently remove begin delete an end delete begin insert the subject end insert individual’s personal information from its database, in accordance with subdivision (b).
(b) (1) begin delete An end delete begin insert Unless prohibited by federal law, an end insert online data broker that receives a written demand from begin delete an end delete begin insert a subject end insert individual pursuant to this section shall remove the begin insert subject end insert individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and shall begin delete continue to end delete ensure that this information is not reposted on the same Internet Web site, a subsidiary site, or any other Internet Web site begin insert owned, controlled, or end insert maintained by the online data broker receiving the written demand.
(2) After receiving begin delete the end delete begin insert a subject end insert individual’s written demand, the online data broker shall not transfer begin delete an end delete begin insert the subject end insert individual’s personal information to any other person, business, or association through any other medium.
(a) It is unlawful for an online data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the online data broker’s database.
(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.
In addition to any other sanction, penalty, or remedy provided by law, a subject individual may bring a civil action in any court of competent jurisdiction against any person in violation of this chapter for damages in an amount equal to the greater of one thousand dollars ($1,000) per violation or the actual damages suffered by the subject individual as a result, along with costs, reasonable attorney’s fees, and any other legal or equitable relief.
(a) This chapter shall only apply to personal information that is collected, assembled, or maintained by an online data broker after January 1, 2015.
(b) Notwithstanding subdivision (a), this chapter shall apply to information collected, assembled, or maintained by an online data broker prior to January 1, 2015, if the data broker collected, assembled, or maintained the information in violation of any law or regulation.