Amended in Senate April 29, 2014

Amended in Senate April 8, 2014

Amended in Senate March 26, 2014

Senate Bill No. 1348


Introduced by Senator DeSaulnier

February 21, 2014


An act to add Chapter 22.3 (commencing with Section 22590) to Division 8 of the Business and Professions Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

SB 1348, as amended, DeSaulnier. Online data brokers: sale of personal information: notice.

Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site or online service and to comply with that policy.

Unless prohibited by federal or state law, this bill would require an online data broker, as defined, that sells or offers for sale to a 3rd party the personal information of any resident of California, to permit a subject individual, as defined, to (1) review his or her personal information and (2) correct his or her personal information, as specified. The bill would require an online data broker, unless prohibited by federal or state law, to conspicuously post an opt-out notice on its Internet Web site that would include specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information permanently removed. The bill would require an online data broker that receives a written demand from a subject individual pursuant to these provisions, unless prohibited by federal or state law, to remove the subject individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and to take specified additional steps to ensure that the information is not reposted.

This bill would also make it unlawful for an online data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the online data broker’s database, and would authorize a subject individual to bring a civil action against any person in violation of these provisions. The bill’s provisions would apply only to information collected, assembled, or maintained by an online data broker on and after January 1, 2015, except under designated circumstances.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1.  Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:

Chapter 22.3. Online Data Brokers

22590.  The following definitions apply to this chapter:

(a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:

(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.

(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:

(A) Includes the term “opt out” or “opt-out.”

(B) Is written in capital letters equal to or greater in size than the surrounding text.

(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to hyperlink to the actual opt-out notice.

(b) “Online data broker” means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity, for the purposes of selling or offering for sale the personal information over the Internet to a third party.

(c) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include information that is lawfully made available to the general public from federal, state, or local government records.

(d) “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.

(e) “Subject individual” means the person to whom personal information pertains.

(f) “Written” means documentation in writing, and includes facsimile, telegraphic, and other forms of electronic communication.

22591.  Unless prohibited by federal or state law, an online data broker that sells or offers for sale the personal information of any resident of California to a third party, shall do both of the following:

(a) Permit a subject individual to review his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by means of an electronic search through a secure online system.

(b) Permit a subject individual to correct his or her personal information that has been collected, assembled, or maintained by the online data broker, either by submitting a written request or by correcting the information by means of a secure online system.
22592.  (a) (1) Unless prohibited by federal or state law, an online data broker shall conspicuously post an opt-out notice on its Internet Web site, which shall include specific instructions for permanently removing personal information from the online data broker’s database by making a written demand requesting to have the information removed.

(2) If a subject individual makes a written demand to remove his or her personal information from an online data broker’s database pursuant to this subdivision, the online data broker shall permanently remove the subject individual’s personal information from its database, in accordance with subdivision (b).

(b) (1) Unless prohibited by federal or state law, an online data broker that receives a written demand from a subject individual pursuant to this section shall remove the subject individual’s personal information from public display on the Internet within 10 days of delivery of the written demand, and shall ensure that this information is not reposted on the same Internet Web site, a subsidiary site, or any other Internet Web site owned, controlled, or maintained by the online data broker receiving the written demand.

(2) After receiving a subject individual’s written demand, the online data broker shall not transfer the subject individual’s personal information to any other person, business, or association through any other medium.

(3) Any additional information collected by an online data broker to confirm the identity of a subject individual who has made a written request to remove his or her personal information from a database pursuant to this chapter shall be deleted after the identity of the subject individual has been confirmed and shall not be used for any other purpose.
22593.  (a) It is unlawful for an online data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the online data broker’s database.

(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.

22594.  In addition to any other sanction, penalty, or remedy provided by law, a subject individual may bring a civil action in any court of competent jurisdiction against any person in violation of this chapter for damages in an amount equal to the greater of one thousand dollars ($1,000) per violation or the actual damages suffered by the subject individual as a result, along with costs, reasonable attorney’s fees, and any other legal or equitable relief.

22595.  (a) This chapter shall only apply to personal information that is collected, assembled, or maintained by an online data broker after January 1, 2015.

(b) Notwithstanding subdivision (a), this chapter shall apply to information collected, assembled, or maintained by an online data broker prior to January 1, 2015, if the data broker collected, assembled, or maintained the information in violation of any law or regulation.


