Bill Full Text
<?xml version="1.0" ?>
<ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd">
<ns0:Description>
<ns0:Id>20250AB__154299INT</ns0:Id>
<ns0:VersionNum>99</ns0:VersionNum>
<ns0:History>
<ns0:Action>
<ns0:ActionText>INTRODUCED</ns0:ActionText>
<ns0:ActionDate>2026-01-05</ns0:ActionDate>
</ns0:Action>
</ns0:History>
<ns0:LegislativeInfo>
<ns0:SessionYear>2025</ns0:SessionYear>
<ns0:SessionNum>0</ns0:SessionNum>
<ns0:MeasureType>AB</ns0:MeasureType>
<ns0:MeasureNum>1542</ns0:MeasureNum>
<ns0:MeasureState>INT</ns0:MeasureState>
</ns0:LegislativeInfo>
<ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Assembly Member Ward</ns0:AuthorText>
<ns0:Authors>
<ns0:Legislator>
<ns0:Contribution>LEAD_AUTHOR</ns0:Contribution>
<ns0:House>ASSEMBLY</ns0:House>
<ns0:Name>Ward</ns0:Name>
</ns0:Legislator>
</ns0:Authors>
<ns0:Title> An act to amend Sections 1798.100 and 1798.121 of the Civil Code, relating to privacy.</ns0:Title>
<ns0:RelatingClause>privacy</ns0:RelatingClause>
<ns0:GeneralSubject>
<ns0:Subject>Sensitive personal information.</ns0:Subject>
</ns0:GeneralSubject>
<ns0:DigestText>
<html:p>The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that collects sensitive personal information, as defined, about the consumer to limit its use, as prescribed. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.</html:p>
<html:p>This bill would, under the CCPA, prohibit a business, service provider, or contractor from selling or sharing sensitive personal information to a third party.</html:p>
<html:p>This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.</html:p>
</ns0:DigestText>
<ns0:DigestKey>
<ns0:VoteRequired>MAJORITY</ns0:VoteRequired>
<ns0:Appropriation>NO</ns0:Appropriation>
<ns0:FiscalCommittee>YES</ns0:FiscalCommittee>
<ns0:LocalProgram>NO</ns0:LocalProgram>
</ns0:DigestKey>
<ns0:MeasureIndicators>
<ns0:ImmediateEffect>NO</ns0:ImmediateEffect>
<ns0:ImmediateEffectFlags>
<ns0:Urgency>NO</ns0:Urgency>
<ns0:TaxLevy>NO</ns0:TaxLevy>
<ns0:Election>NO</ns0:Election>
<ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses>
<ns0:BudgetBill>NO</ns0:BudgetBill>
<ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill>
</ns0:ImmediateEffectFlags>
</ns0:MeasureIndicators>
</ns0:Description>
<ns0:Bill id="bill">
<ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble>
<ns0:BillSection id="id_941588AC-2A09-44AA-B634-05492961B920">
<ns0:Num>SECTION 1.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:type="locator" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.5.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.100.'%5D)" ns3:label="fractionType: LAW_SECTION">
Section 1798.100 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_0FE148F4-827F-4F26-B5CD-51ED6BEEE113">
<ns0:Num>1798.100.</ns0:Num>
<ns0:LawSectionVersion id="id_0AAADD05-0B54-49B7-AD40-9AD9BD54376A">
<ns0:Content>
<html:p>General Duties of Businesses that Collect Personal Information</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The length of time the business intends to retain each category of personal
information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the
purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or
contractor, that:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its
obligations under this title.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_1B57DECB-421B-46C0-98F3-2350172D8C70">
<ns0:Num>SEC. 2.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:type="locator" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.5.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.121.'%5D)" ns3:label="fractionType: LAW_SECTION">
Section 1798.121 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_A920F17B-A91D-4800-B9A1-C4F4DE92582B">
<ns0:Num>1798.121.</ns0:Num>
<ns0:LawSectionVersion id="id_2AFAEB65-84D6-49E2-99F6-F280545B98F4">
<ns0:Content>
<html:p>Consumers’ Sensitive Personal Information</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use that is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of
subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information, except as authorized by subdivision (a), shall
not, pursuant to paragraph (4) of subdivision (c) of Section 1798.135,
use or disclose the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) shall not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal
information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
A business, service provider, or contractor shall not sell or share sensitive personal information to a third party.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_BC321463-B26B-4C20-97CD-EDB3EE035437">
<ns0:Num>SEC. 3.</ns0:Num>
<ns0:Content>
<html:p>The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.</html:p>
</ns0:Content>
</ns0:BillSection>
</ns0:Bill>
</ns0:MeasureDoc>