SB 1348, as amended, DeSaulnier. Data brokers: sale of personal information.
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site or online service and to comply with that policy.
Unless [deleted: prohibited by federal or state law,] [inserted: required or authorized by federal or state law to share the personal information with a 3rd party or prohibited by federal or state law from providing access to the personal information,] this bill would require a data broker, as defined, that sells or offers for sale to a 3rd party the personal information of any resident of California, to [inserted: (1)] permit a subject individual, as defined, to review his or her personal information[deleted: , as specified. The bill would require a data broker, unless prohibited by federal or state law, to] [inserted: and (2)] conspicuously post an opt-out notice on its Internet Web site that would include specific and easily understood instructions for [deleted: permanently removing personal information from the online data broker’s database by making a demand requesting that his or her personal information not be shared with or sold to third parties.] [inserted: the subject individual to make a demand on the data broker’s Internet Web site that his or her personal information not be shared with or sold to a 3rd party.] The bill would require a data broker that receives a demand from a subject individual pursuant to these provisions[deleted: , unless prohibited by federal or state law,] to cease sharing or selling that information with [deleted: third parties] [inserted: a 3rd party] as soon as is reasonably possible, and thereafter to only retain as much personal information as is reasonably necessary to comply with the subject individual’s demand.
This bill would also make it unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the data broker’s database[deleted: , and][inserted: . The bill] would authorize a subject individual to bring a civil action against any person in violation of these provisions [inserted: for specified damages].
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:
The following definitions apply to this chapter:
(a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:
(A) Includes the term “opt out” or “opt-out.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to be a hyperlink to the actual opt-out notice.
(b) (1) “Data broker” means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity [inserted: or who had no previous contact with that entity prior to contacting the entity pursuant to Section 22591], for the purposes of selling or offering for sale, or other consideration, the personal information to a third party.
(2) “Data broker” does not include any of the following:
(A) A commercial entity that sells personal information to the subject individual or his or her representative.
(B) A commercial entity engaging in the activities of a “consumer reporting agency” pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(C) A commercial entity engaging in the activities of a “consumer credit reporting agency” pursuant to the Consumer Credit Reporting Agencies Act Title 1.6 (commencing with Section 1785.1) of Part 4 of Division 3 of the Civil Code.
(D) A commercial entity selling or providing for sale personal information to other commercial or nonprofit entities or government agencies that will use the information for purposes permitted to be used or disclosed pursuant to any applicable provision of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Sec. 6801 et seq.), including purposes such as identity confirmation and fraud prevention.
(E) A person or entity enumerated in subdivision (b) of Section 2 of Article I of the California Constitution or Section 1070 of the Evidence Code that publishes or broadcasts information obtained or prepared in gathering, receiving, or processing of information for the purpose of communicating information to the public.
(c) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include information that is lawfully made available to the general public from federal, state, or local government records.
(d) “Subject individual” means the person to whom personal information pertains.
[deleted: Unless prohibited by federal or state law,] [inserted: Unless the data broker is required or authorized by federal or state law to share the personal information with a third party] [inserted: or is prohibited by federal or state law from providing access to the personal information,] a data broker that sells or offers for sale the personal information of any resident of California to a third party shall do both of the following:
(a) Permit a subject individual to review his or her personal information that has been collected, assembled, or maintained by the data broker by submitting an electronic demand through a secure online system.
(b) (1) [deleted: The data broker shall conspicuously] [inserted: Conspicuously] post an opt-out notice on its Internet Web site, which shall include specific and easily understood instructions for the subject individual to make a demand on the [inserted: data broker’s] Internet Web site that his or her personal information not be shared with or sold to [inserted: a] third [deleted: parties] [inserted: party].
(2) If a subject individual makes a demand on the [inserted: data broker’s] Internet Web site that his or her personal information not be shared with or sold to [inserted: a] third [deleted: parties] [inserted: party], the data broker shall cease sharing or selling that information with [inserted: a] third [deleted: parties] [inserted: party] as soon as is reasonably possible, and in no event later than [deleted: 10] [inserted: 30] days after receipt of the notice, and the data broker shall thereafter retain only as much personal information as is reasonably necessary to comply with the subject individual’s demand.
(3) After receiving a subject individual’s demand, the data broker shall not transfer the subject individual’s personal information to any other person, business, or association [deleted: through any other medium].
(4) Any information collected by a data broker to confirm the identity of a subject individual who has made a demand to remove his or her personal information from a database pursuant to this chapter shall be deleted after the identity of the subject individual has been confirmed and shall not be used for any other purpose.
(a) It is unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the data broker’s database.
(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.
In addition to any other sanction, penalty, or remedy provided by law, a subject individual may bring a civil action in any court of competent jurisdiction against any person in violation of this chapter for damages in an amount equal to the greater of one thousand dollars ($1,000) per violation or the actual damages suffered by the subject individual as a result, along with costs, reasonable attorney’s fees, and any other legal or equitable relief.