BILL ANALYSIS






                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                              2013-2014 Regular Session


          SB 1348 (DeSaulnier)
          As Amended April 8, 2014
          Hearing Date: April 22, 2014
          Fiscal: No
          Urgency: No
          TH


                                        SUBJECT
                                           
                  Online Data Brokers: Sale of Personal Information

                                      DESCRIPTION  

          This bill would require online data brokers to allow subject  
          individuals to review their personal information and request  
          that the information be permanently removed from an online data  
          broker's database.  Upon receiving a request to have personal  
          information removed, an online data broker would be prohibited  
          from transferring the subject individual's personal information  
          to any other party, and would have to remove the information  
          from all websites under its ownership or control within 10 days.

          This bill would also prohibit an online data broker from  
          charging a fee to a subject individual who elects to review or  
          remove his or her personal information from the broker's  
          database, and would also allow aggrieved individuals to recover  
          either actual or statutory damages ($1,000 per violation) for  
          violations of the bill's requirements.

                                      BACKGROUND  

          The advent of inexpensive computer storage and the increased  
          power and sophistication of computer processing technology have  
          unleashed a revolution in data acquisition and analysis in just  
          about every field.  "Algorithms that predict stock-price  
          movements have transformed Wall Street," and "[a]lgorithms that  
          chomp through our Web histories have transformed marketing."   
          (Peck, They're Watching You at Work (Dec. 2013) The Atlantic  
           (as of April 10, 2014).)  "The range  
          and depth of information that's routinely captured about how we  
          behave" has also greatly increased in recent years.  (Id.)   
          "Ordinary people at work and at home generate much of this data,  
          by sending e-mails, browsing the Internet, using social media,  
          working on crowd-sourced projects, and more," and according to  
          one estimate "more than 98 percent of the world's information is  
          now stored digitally, and the volume of that data has quadrupled  
          since 2007."  (Id.)  "By combining the power of modern computing  
          with the plentiful data of the digital era," data analytics  
          "promises to solve virtually any problem - crime, public health,  
          the evolution of grammar, the perils of dating - just by  
          crunching the numbers."  (Marcus and Davis, Eight (No, Nine!)  
          Problems With Big Data (Apr. 6, 2014) New York Times
           (as of April 10,  
          2014).)

          The growth of data acquisition and analysis in the marketing  
          economy has been no less revolutionary.  Where they were once
          limited to customer lists and basic information contained in
          public records (e.g., mailing addresses, property tax records)
          and sales records (e.g., credit card purchase histories),
          companies and marketing firms can now collect, analyze, package,
          and sell precise information about individuals across a wide
          range of data points.  According to one analyst, with the help of new
          technology, companies in the marketing economy are now able to:

            collect and sell information to marketers on everything from  
            your marital status, whether you might be pregnant or have a  
            newborn, have cancer, are trying to lose weight, are gay or  
            straight, how much you make, what credit cards you use, your  
            lines of credit, where you live, what your house cost, what  
            kind of car you drive or if you might be looking to buy a new  
            one, your race, occupation, political leanings, education  
            level, have one or more children in college, have pets to what  
            your hobbies are and more - much more.  (Armerding, Data  
            Brokers' Collection of Internet Activity Data Raises Privacy  
            Issues (Nov. 7, 2013) CSO Online   
            (as of April 10, 2014).)

          Indeed, one marketing company claims that it "has, on average,  
          1,500 pieces of information on more than 200 million Americans."
           (Kroft, The Data Brokers: Selling Your Personal Information  
          (Mar. 9, 2014) CBS News  
           (as of April 10, 2014).)  The data marketing  
          economy has also swelled in economic impact, contributing as  
          much as $156 billion annually to the national economy, according  
          to a recent industry report.  (See Deighton and Johnson, The  
          Value of Data: Consequences for Insight, Innovation, and  
          Efficiency in the U.S. Economy (2013).)

          Some marketing companies and other participants in the data  
          industry, colloquially known as "data brokers," aggregate and  
          sell large volumes of information from their databases to third  
          parties over the internet without the direct knowledge or  
          consent of the individuals to whom the data pertains ("subject  
          individuals").  Several organizations have publicly raised  
          privacy concerns over the practice of buying and selling  
          personal information over the Internet without the subject  
          individual's knowledge or consent.  One recent news article  
          describes the potentially sensitive nature of the personal  
          information offered for sale by online data brokers:

            We were able to go online and find all sorts of companies  
            peddling sensitive personalized information.  A Connecticut  
            data broker called "Statlistics" advertises lists of gay and  
            lesbian adults and "Response Solutions" -- people suffering  
            from bipolar disorder.  "Paramount Lists" operates out of . .  
            . Erie, Pa., and offers lists of people with alcohol, sexual  
            and gambling addictions and people desperate to get out of  
            debt.  A Chicago company, "Exact Data," is brokering the names  
            of people who had a sexually transmitted disease, as well as  
            lists of people who have purchased adult material and sex  
            toys.  (Kroft, The Data Brokers: Selling Your Personal  
            Information (Mar. 9, 2014) CBS News  
             (as of April 10, 2014).)  

          This bill would require online data brokers that sell the  
          personal information of California residents over the Internet  
          to allow subject individuals to review personal information  
          pertaining to them that has been collected, assembled, or  
          maintained by the online data broker.  The bill would also  
          require an online data broker to permanently remove a subject  
          individual's personal information from its database and all  
          Internet Web sites owned or controlled by it upon written
          request, and would prohibit an online data broker from charging  
          a fee to a subject individual who requests to review or remove  
          his or her personal information.  This bill would also allow an  
          aggrieved individual to recover actual or statutory damages and  
          attorney's fees and costs from an online data broker that  
          violates the bill's terms.

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort  
          for an invasion of privacy and provides that in order to state a  
          claim for violation of the constitutional right to privacy, a  
          plaintiff must establish the following three elements: (1) a  
          legally protected privacy interest; (2) a reasonable expectation  
          of privacy in the circumstances; and (3) conduct by the  
          defendant that constitutes a serious invasion of privacy.  (Hill  
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)   
          Existing law recognizes four types of activities considered to  
          be an invasion of privacy giving rise to civil liability,  
          including the public disclosure of private facts.  (Id.)

           Existing federal law  , the Gramm-Leach-Bliley Act, permits  
          financial institutions to share nonpublic customer information  
          with non-affiliated third parties, unless the consumer "opts  
          out" of such disclosure.  The Act requires privacy statements to  
          be disclosed by financial institutions and restricts their  
          ability to disclose non-public personal information about  
          consumers to third parties.  (15 U.S.C. Sec. 6801, et seq.)

           Existing law  requires an operator of a commercial Web site or  
          online service that collects personally identifiable information  
          through the Internet about individual consumers residing in  
          California who use or visit its Web site to conspicuously post  
          its privacy policy.  (Online Privacy Protection Act of 2003,  
          Bus. & Prof. Code Sec. 22575.)

           Existing law  requires a business with an established business  
          relationship with a customer that has, within the preceding  
          calendar year, disclosed specified personal information about  
          the customer to third parties for direct marketing purposes to,  
          after the receipt of a written request, disclose to the customer
          free of charge the categories of personal information disclosed  
          to third parties for direct marketing purposes, the names and  
          addresses of all third parties that received the personal  
          information, and, if not reasonably discernable by the name,  
          examples of the products or services marketed by the third  
          parties.  (Civ. Code Sec. 1798.83.)

           This bill  would provide that an online data broker that sells  
          personal information of any resident of California to a third  
          party shall permit a subject individual to review his or her  
          personal information that has been collected, assembled, or  
          maintained by the online data broker, either by submitting a  
          written request or by means of an electronic search through a  
          secure online system.

           This bill  would provide that unless prohibited by federal law,  
          an online data broker shall conspicuously post an opt-out notice  
          on its Internet Web site, which shall include specific  
          instructions for permanently removing personal information from  
          the online data broker's database, by making a written demand  
          requesting to have the information removed.  This bill would  
          further provide that if a subject individual makes a written  
          demand to remove his or her personal information from an online  
          data broker's database, the online data broker shall permanently  
          remove the subject individual's personal information from its  
          database.

           This bill  would provide that, unless prohibited by federal law,  
          an online data broker that receives a written demand from a  
          subject individual shall remove the individual's personal  
          information from public display on the Internet within 10 days  
          of delivery of the written demand, and shall ensure that this  
          information is not reposted on the same Internet Web site, a  
          subsidiary site, or any other Internet Web site owned,  
          controlled, or maintained by the online data broker receiving  
          the written demand.  This bill would further provide that after  
          receiving a subject individual's written demand, the online data  
          broker shall not transfer the subject individual's personal  
          information to any other person, business, or association  
          through any other medium.

           This bill  would state that it is unlawful for an online data  
          broker to solicit or accept the payment of a fee or other  
          consideration to review or permanently remove personal  
          information from the online data broker's database, and would
          provide that each payment solicited or accepted in violation of  
          this bill constitutes a separate violation.

           This bill  would provide that in addition to any other sanction,  
          penalty, or remedy provided by law, a subject individual may  
          bring a civil action in any court of competent jurisdiction  
          against any person in violation of this chapter for damages in  
          an amount equal to the greater of one thousand dollars ($1,000)  
          per violation or the actual damages suffered by the subject  
          individual as a result, along with costs, reasonable attorney's  
          fees, and any other legal or equitable relief.

           This bill would provide that its provisions shall only apply to  
          personal information that is collected, assembled, or maintained  
          by an online data broker after January 1, 2015, but,  
          notwithstanding this limitation, shall also apply to information  
          collected, assembled, or maintained by an online data broker  
          prior to January 1, 2015, if the data broker collected,  
          assembled, or maintained the information in violation of any law  
          or regulation.
          
           This bill  would define the following terms:
           "Online data broker" means a commercial entity that collects,  
            assembles, or maintains personal information concerning  
            individuals residing in California who are not customers or  
            employees of that entity, for the purposes of selling the  
            personal information over the Internet to a third party.
           "Personal information" means any information that identifies,  
            relates to, describes, or is capable of being associated with,  
            a particular individual, including, but not limited to, his or  
            her name, signature, social security number, physical  
            characteristics or description, address, telephone number,  
            passport number, driver's license or state identification card  
            number, insurance policy number, education, employment,  
            employment history, bank account number, credit card number,  
            debit card number, or any other financial information, medical  
            information, or health insurance information.  "Personal  
            information" does not include information that is lawfully  
            made available to the general public from federal, state, or  
            local government records.
           "Subject individual" means the person to whom personal  
            information pertains.

                                        COMMENT

          1.  Stated need for the bill  
          
          The author writes:
            
            Current law requires [W]ebsites that collect private  
            information to disclose their privacy policy in a  
            conspicuously available place, as defined in Business &  
            Professions Code Section 222575.  However, current law means  
            that consumers are implicitly agreeing to the terms of the  
            privacy policy simply by visiting the [W]ebsite, regardless of  
            whether they even visit the privacy policy page.  Consumers do  
            not have the ability to modify or opt out of privacy policies.  
             Further, consumers do not have an awareness of what personal  
            information data brokers possess, sell or otherwise share with  
            third parties.

            68 [percent] of US internet users feel that current laws are  
            not good enough in protecting people's privacy online, and  
            that 86 [percent] of users have taken steps online to remove  
            or mask their digital footprint.  SB 1348 seeks to update the  
            California laws to reflect the consumer's right to personal  
            privacy in an evolving online landscape. 

          2.  Fundamental Right to Privacy  

          This bill seeks to strengthen California consumers' ability to  
          exercise control over their digital footprint and to retain some  
          measure of privacy online.  Staff notes that the right to  
          privacy is a fundamental right protected by Section 1 of Article  
          I of the California Constitution.  This bill would build upon  
          that fundamental right by providing California residents with  
          tools to review, correct, and remove personal information from  
          databases and Web sites owned or controlled by online data  
          brokers that offer their personal information for sale.  The  
          bill would also prohibit online data brokers from charging a fee  
          for permitting consumers to exercise control over their personal  
          information, and would allow an aggrieved individual to recover  
          actual or statutory damages and attorney's fees and costs from  
          an online data broker that violates the bill's terms.

          Writing in support of the bill, Privacy Rights Clearinghouse  
          states:

            Over the past several years, hundreds of consumers have  
            contacted the Privacy Rights Clearinghouse with their concerns
            about online data brokers.  These sites can be particularly  
            troublesome for victims of stalking and domestic violence, law  
            enforcement personnel, victims of identity theft, even urban  
            school teachers and social workers.  Unfortunately, many  
            consumers find it difficult to effectively remove their  
            information from online data broker sites.  Some of the issues  
            that consumers encounter include data brokers that do not  
            offer a method of opting out, that offer an opt out for only a  
            limited time, requiring renewal[,] or that charge a fee to  
            suppress information from their databases.  Many data brokers  
            require individuals to provide a significant amount of  
            personal information to opt out, which individuals fear will  
            be used to enlarge their data profile.  Sometimes, personal  
            information that has been removed from a database is re-posted  
            online at a later date when the company downloads a new batch  
            of information.  

          3.  Free Speech

           The First Amendment to the U.S. Constitution and Article 1,  
          Section 2 of the California Constitution protect the right of  
          every person to "freely speak, write and publish his or her  
          sentiments on all subjects, being responsible for the abuse of  
          this right."  (Cal. Const. art. 1, Sec. 2.)  The U.S. Supreme  
          Court has held that "the creation and dissemination of  
          information are speech within the meaning of the First Amendment  
          . . . Facts, after all, are the beginning point for much of the  
          speech that is most essential to advance human knowledge and to  
          conduct human affairs."  (Sorrell v. IMS Health Inc. (2011) 131  
          S. Ct. 2653, 2667 [citations omitted].)  Personal information  
          collected, aggregated, maintained, and ultimately sold by online  
          data brokers could arguably be viewed as "facts" for the purpose
          of the First Amendment's free speech clause.<1>  However, this  
          does not mean that the restrictions imposed by this bill are  
          likely to run afoul of an online data broker's presumptive right  
          to engage in constitutionally protected speech.

          In commercial speech cases - those involving "expression related  
          solely to the economic interests of the speaker and its  
          audience" - the Supreme Court has developed a four-part test for  
          determining when the government may regulate speech commensurate  
          with the First Amendment.  (Cent. Hudson Gas & Elec. Corp. v.  
          Public Serv. Comm'n (1980) 447 U.S. 557, 561.) 

            At the outset, we must determine whether the expression is  
            protected by the First Amendment.  For commercial speech to  
            come within that provision, it at least must concern lawful  
            activity and not be misleading.  Next, we ask whether the  
            asserted governmental interest is substantial.  If both  
            inquiries yield positive answers, we must determine whether  
            the regulation directly advances the governmental interest  
            asserted, and whether it is not more extensive than is  
            necessary to serve that interest.  (Id., 447 U.S. 557, 566.)

          Applied to the bill at hand, it is clear that the State has a
          substantial governmental interest in regulating the
          dissemination of personal information about California
          residents.  As noted above, privacy is a fundamental right in
          the State of California, and the unrestricted distribution of
          personal information by online data brokers threatens the
          integrity of this fundamental right.  While it is ultimately an
          issue for the courts, staff notes that this bill appears to be
          narrowly tailored to advance the State's fundamental interest in
          preserving the right of privacy of its citizens.  By granting
          subject individuals a certain modicum of control over the
          personal information held by online data brokers, this bill
          would allow subject individuals to act to preserve their
          fundamental right to privacy.  This bill includes a number of
          conditions to ensure that its restrictions go no further than
          necessary to preserve this fundamental right, including limiting
          its scope only to personal information offered for sale in the
          marketplace, and only to personal information that pertains to
          the subject individual.

          ---------------------------
          <1> But see Sorrell v. IMS Health Inc. (2011) 131 S. Ct. 2653,
          2675, 2685 (Breyer, J., dissenting):

            Since ordinary regulatory programs can affect speech,
            particularly commercial speech, in myriad ways, to apply a
            "heightened" First Amendment standard of review whenever such
            a program burdens speech would transfer from legislatures to
            judges the primary power to weigh ends and to choose means,
            threatening to distort or undermine legitimate legislative
            objectives.
            . . .

            The Court reaches its conclusion [in Sorrell] . . . without
            taking full account of the regulatory context, the nature of
            the speech effects, the values these First Amendment
            categories seek to promote, and prior precedent.  At best the
            Court opens a Pandora's Box of First Amendment challenges to
            many ordinary regulatory practices that may only incidentally
            affect a commercial message.  At worst, it reawakens Lochner's
            pre-New Deal threat of substituting judicial for democratic
            decisionmaking where ordinary economic regulation is at issue.
           
           4.  Correcting Erroneous Data

           Staff notes that this bill would allow subject individuals to  
          review personal information held by online data brokers, and  
          would give these individuals the option to have their personal  
          information removed from a broker's Web site and database.  The  
          bill is silent, however, on the ability of subject individuals
          to correct their personal information.  Several observers note  
          that the personal information held by online data brokers may be  
          wildly inaccurate.  Julia Angwin, an investigative reporter,  
          received access to review data held by certain brokers  
          pertaining to her and made the following observation:

            What was shocking about it was that it ranged from incredibly  
            precise - every single address I'd ever lived at including the  
            number on my dorm room in college, which I couldn't even  
            remember . . . to very imprecise, inaccurate things . . . that  
            were not at all true - that I was a single mother . . . with  
            no college education living in a place I didn't live.  (If You  
            Think You're Anonymous Online, Think Again (Feb. 24, 2014) NPR  
             (as  
            of April 11, 2014).)

          Although many individuals may simply want data brokers to delete  
          their personal information, some may actually want to correct  
          inaccurate data in order to enjoy the marketing advantages this
          industry offers to consumers, including "lower prices, free  
          online content, advertising that is much more relevant to  
          individuals, quicker and easier transactions, niche products you  
          might not otherwise be able to find and what you want when you  
          want it."  (Armerding, Data Brokers' Collection of Internet  
          Activity Data Raises Privacy Issues (Nov. 7, 2013) CSO Online  
           (as of April 10, 2014)  
          [quotation marks omitted].)

          To allow subject individuals an opportunity to correct  
          inaccurate data, the author offers the following amendment:

               Author's Amendment:

               On page 4, strike line 11 and insert: "system; and (b)  
               permit a subject individual to correct his or her personal  
               information that has been collected, assembled, or  
               maintained by the online data broker, either by submitting  
               a written request or by correcting the information by means  
               of a secure online system."
           
           5.  Proving Identity to Review or Opt Out

           Among other things, this bill would expressly permit subject  
          individuals to both review and have their personal information  
          removed from an online data broker's database and all Web sites  
          under the broker's ownership or control.  Some commentators note  
          that certain data brokers require individuals "who want[] to  
          view their own data to provide identification through sensitive  
          personal information including part of a Social Security number,  
          a copy of their driver's license, [and/or] a current utility  
          bill or a check." (Armerding, Data Brokers' Collection of  
          Internet Activity Data Raises Privacy Issues (Nov. 7, 2013) CSO  
          Online (as of April 10, 2014).)  This is particularly concerning  
          to some consumers because the authentication information these  
          brokers require is "also used by criminals for identity theft."   
          (Id.)  Further, consumers have no guarantee that a broker will  
          delete the submitted information once their identity is  
          confirmed and won't use it to further enhance the collection of  
          personal information in their database or on their Web site.

          To address reservations about submitting further personal  
          information to online data brokers as part of a data review or
          opt out process, the author offers the following amendment:

            Author's Amendment:

            On page 4, between lines 36 and 37, insert: "(3) Any  
            additional information collected by an online data broker to  
            confirm the identity of a subject individual who has made a  
            written request to remove his or her personal information from  
            a database pursuant to this title shall be deleted after the  
            identity of the subject individual has been confirmed and  
            shall not be used for any other purpose."
           
           6.  Regulatory Takings

          The Federal Constitution provides that "private property [shall  
          not] be taken for public use, without just compensation" (U.S.  
          Const. Amend. V.), and the California Constitution similarly  
          provides that private property "may be taken or damaged for  
          public use only when just compensation, ascertained by a jury  
          unless waived, has first been paid to, or into court for, the  
          owner" (Cal. Const. art. I, Sec. 19(a).).  In Ruckelshaus v.  
          Monsanto (1984) 467 U.S. 986, a leading federal court case on  
          regulatory takings, the U.S. Supreme Court held that the  
          disclosure of certain trade secret data submitted by a pesticide  
          manufacturer to third parties by the Environmental Protection  
          Agency (EPA) was a "taking" of property without just  
          compensation under the Fifth Amendment.  Generally, whether a  
          taking can be said to have occurred is "an ad hoc, factual  
          inquiry."  (Ruckelshaus, 467 U.S. at 1005 [citation omitted].)   
          In the context of evaluating a takings claim concerning  
          commercial data (like trade secrets), the Supreme Court has  
          articulated three factors for consideration: (1) the character  
          of the governmental action, (2) its economic impact, and (3) its  
          interference with reasonable investment-backed expectations.   
          (See Ruckelshaus, 467 U.S. at 1005 [citation omitted].)

          Staff notes that the law concerning ownership of and control  
          over personal information is not fully settled in California.   
          Consumers may be able to assert ownership and control rights  
          over personal information in certain circumstances based on  
          their direct and intimate connection to it, but in other  
          situations online data brokers may be able to assert a right of  
          ownership or control to this data because they either expended  
          resources to gather it or purchased it on the open market.  If  
          an online data broker is able to prove that it has a property
          right in someone else's personal information, a state law that  
          conveys a right of ownership or control over that information to  
          another person (e.g. the subject individual) could potentially  
          effect a taking of private property.

          However, even if a reviewing court were to find that an online  
          data broker could have a property interest in the personal  
          information of another, this bill has been drafted so as to  
          eliminate the possibility that its provisions could effect a  
          taking.  By its terms, the bill would only apply to personal  
          information that is collected, assembled, or maintained by an  
          online data broker after January 1, 2015, and personal  
          information collected, assembled, or maintained by an online  
          data broker prior to January 1, 2015, if the information was  
          collected, assembled, or maintained in violation of any law or  
          regulation.  These limitations effectively negate the  
          possibility that this bill could effect a regulatory taking.  An  
          individual cannot have a reasonable investment-backed  
          expectation in purchasing or assembling data that they  
          prospectively know will be subject to the control of another,  
          nor can an individual have a reasonable investment-backed  
          expectation in data that was obtained illegally.  Consequently,  
          it is unlikely that this bill would result in the taking of  
          property under the criteria articulated by the Supreme Court in  
          Ruckelshaus.

          7.  Conflict with Federal or State Law

           Several federal statutes regulate the collection, assembly,  
          maintenance, and dissemination of consumer data that would fall  
          within this bill's definition of "personal information."  For  
          example, the Fair Credit Reporting Act (15 U.S.C. Sec. 1681, et  
          seq.), which regulates how consumer reporting agencies use  
          personal and financial information, contains detailed provisions  
          addressing when consumer data can be accessed and for what  
          purposes, as well as procedures for reviewing, correcting, and  
          deleting personal information.  In order to avoid a conflict  
          with existing federal law, this bill expressly provides in each  
          of its operative sections that its terms apply "unless  
          prohibited by federal law."

          Staff notes that California law similarly has several statutes  
          that regulate the collection and dissemination of consumer data  
          that would likely fall within this bill's definition of personal  
          information.  For example, California's Financial Information
          Privacy Act (Fin. Code Sec. 4050, et seq.) prohibits the  
          disclosure of certain nonpublic personal information, including  
          financial information, to third parties without the explicit  
          prior consent of the consumer to whom the information relates.   
          In order to avoid a conflict with this and other existing state  
          law prohibiting the collection and dissemination of personal  
          information, and to further avoid potential conflicts with  
          federal law, the author offers the following amendments:




            Author's Amendments:

            On page 4, line 5, strike existing text and replace with:  
            "22591.   Unless prohibited by federal or state law, an online  
            data broker that sells or offers for sale the"

            On page 4, line 13, after "federal" insert "or state"

            On page 4, line 24, after "federal" insert "or state"
           
           8.  Retention of Data for Law Enforcement  

          In certain situations, an online data broker may be prohibited  
          from removing the personal identifying information of a subject  
          individual when that information is part of a law enforcement  
          action.  For example, under the Stored Communications Act of  
          1986 (18 U.S.C. Sec. 2701, et seq.), a valid subpoena issued in  
          connection with an official criminal investigation or an order  
          from a court of competent jurisdiction may compel an online data  
          broker to preserve or disclose personal identifying information  
          to law enforcement authorities irrespective of the subject  
          individual's request that such information be removed from the  
          broker's database or Web site.   This bill does not run afoul of  
          federal or state data retention requirements because it  
          explicitly provides that an online data broker is not required  
          to modify or remove a subject individual's personal information  
          from its database or Web sites if to do so would violate federal  
          or state law.

          9.    Opposition to Prior Version of this Bill  

          Staff notes that the California Association of Licensed  
          Investigators (CALI) submitted a letter of opposition to a prior
          version of this bill.  CALI expressed concern that a  
          notification requirement contained in the prior version could  
          "prevent effective investigations that are critical to safety of  
          individuals at their homes and in their workplaces, as well as  
          the ability of businesses to fight workers' compensation fraud  
          and combat counterfeit products, among other important  
          investigations."  While CALI has yet to indicate whether they  
          remain opposed to this bill, staff notes that the notification  
          provision to which they objected has been removed, and it  
          appears that recent amendments to the bill effectively address  
          the concerns raised in their letter.

          10.   Clarifying Amendments  

          The author offers the following clarifying amendments:

            On page 3, line 20, after the word "selling" add "or offering  
            for sale"

            On page 4, line 7, strike the word "shall" and insert "shall:  
            (a)"


          Support:  Privacy Rights Clearinghouse

          Opposition:  California Association of Licensed Investigators

                                        HISTORY
           
          Source:  Author

          Related Pending Legislation:

          SB 501 (Corbett, 2014) would require a social networking  
          Internet Web site to remove specified personal identifying  
          information of any registered user that is accessible online  
          within 96 hours after the registered user's request and would  
          also require removal of personal information in that same manner  
          regarding a user under 18 years of age upon request by the  
          user's parent or legal guardian.  This bill is in the Assembly  
          Committee on Arts, Entertainment, Sports, Tourism, and Internet  
          Media.

          SB 1027 (Hill, 2014) would prohibit the solicitation or  
          acceptance of a fee to remove, correct, or modify a booking
          photograph posted online.  This bill would exempt a public  
          entity from that prohibition, and would provide that an  
          individual who brings an action for a violation may recover  
          damages, costs, and reasonable attorney's fees.  This bill  
          passed out of the Senate Judiciary Committee on a vote of 7-0.

          SB 1177 (Steinberg, 2014) would prohibit an operator of an  
          Internet Web site, online service, online application, or mobile  
          application with actual knowledge that the site, service, or  
          application is used for K-12 school purposes and was designed  
          and marketed for K-12 school purposes from using, sharing,  
          disclosing, or compiling personal information about a K-12  
          student for commercial purposes.  This bill is in the Senate  
          Judiciary Committee.

          Prior Legislation:

          AB 257 (Hall, 2013) would have required that privacy policies  
          identify the uses and retention periods for each category of  
          personally identifiable information collected by the operator of  
          a Web site or online service, as well as describe the process  
          the operator maintains for allowing an individual consumer to  
          review and request changes to any of his or her personally  
          identifiable information.  The bill would also have required the  
          operator of a Web site or online service to use reasonable  
          security safeguards to protect personally identifiable  
          information from unauthorized access, use, disclosure,  
          modification, or destruction, and to describe these safeguards  
          in its privacy policy.  This bill died in the Assembly Judiciary  
          Committee.

          SB 568 (Steinberg, Ch. 336, Stats. 2013) requires the operator  
          of an Internet Web site, online service, online application, or  
          mobile application to permit a minor, who is a registered user  
          of the operator's Internet Web site, online service, online  
          application, or mobile application, to remove, or to request and  
          obtain removal of, content or information posted on the  
          operator's Internet Web site, service, or application by the  
          minor, unless the content or information was posted by a 3rd  
          party, any other provision of state or federal law requires the  
          operator or 3rd party to maintain the content or information, or  
          the operator anonymizes the content or information.

          AB 1291 (Lowenthal, 2013) would have required any business that  
          retains a customer's personal information, as defined, or
          discloses that information to a third party, to provide at no  
          charge, within 30 days of the customer's specified request, a  
          copy of that information to the customer as well as the names  
          and contact information for all third parties with which the  
          business has shared the information during the previous 12  
          months, regardless of any business relationship with the  
          customer.  This bill died in the Assembly Judiciary Committee.

          SB 761 (Lowenthal, 2012) would have required the Attorney  
          General to adopt regulations that would require online  
          businesses to provide California consumers with a method for the  
          consumer to opt out of the collection or use of his or her  
          information by the business.  This bill died in the Senate  
          Appropriations Committee.

          SB 550 (Speier, 2005) would have prohibited an Internet service  
          provider or electronic mail service provider from making  
          available to any other person or provider, without prior written  
          consent, specified information relating to a consumer, including  
          the contents of any e-mail sent or received, personal e-mail  
          patterns, credit or other personal financial information,  
          services purchased, and demographic information, as specified.   
          The bill would have authorized a consumer injured by a violation  
          of these provisions to institute a civil action to recover  
          damages.  This bill was gutted and amended in the Assembly to  
          address a different subject.

          SB 27 (Figueroa, Ch. 505, Stats. 2003) requires businesses that  
          disclose a customer's personal information, as specified, to a  
          third party for direct marketing purposes to provide the  
          customer, within 30 days after the customer's request, in  
          writing or by e-mail the names and addresses of the recipients  
          of that information and specified details regarding the  
          information disclosed.

                                   **************