Home - Bills - Bill - Authors - Dates - Keywords - Tags - Locations
| Measure | AB 1355 | |||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Authors |
Ward
Principle Coauthors: Aguiar-Curry Coauthors: Mark González Ortega Wiener |
|||||||||||||||||||||||||||||||||||||||||||||
| Subject | Location privacy. | |||||||||||||||||||||||||||||||||||||||||||||
| Relating To | relating to privacy. | |||||||||||||||||||||||||||||||||||||||||||||
| Title | An act to amend Sections 1798.100 and 1798.121 of, to add Section 1798.14.5 to, and to add Title 1.81.24 (commencing with Section 1798.90.75) to Part 4 of Division 3 of, the Civil Code, relating to privacy. | |||||||||||||||||||||||||||||||||||||||||||||
| Last Action Dt | 2025-05-01 | |||||||||||||||||||||||||||||||||||||||||||||
| State | Amended Assembly | |||||||||||||||||||||||||||||||||||||||||||||
| Status | In Committee Process | |||||||||||||||||||||||||||||||||||||||||||||
| Active? | Y | |||||||||||||||||||||||||||||||||||||||||||||
| Vote Required | Majority | |||||||||||||||||||||||||||||||||||||||||||||
| Appropriation | No | |||||||||||||||||||||||||||||||||||||||||||||
| Fiscal Committee | Yes | |||||||||||||||||||||||||||||||||||||||||||||
| Local Program | Yes | |||||||||||||||||||||||||||||||||||||||||||||
| Substantive Changes | None | |||||||||||||||||||||||||||||||||||||||||||||
| Urgency | No | |||||||||||||||||||||||||||||||||||||||||||||
| Tax Levy | No | |||||||||||||||||||||||||||||||||||||||||||||
| Leginfo Link | Bill | |||||||||||||||||||||||||||||||||||||||||||||
| Actions |
|
|||||||||||||||||||||||||||||||||||||||||||||
| Keywords |
|
|||||||||||||||||||||||||||||||||||||||||||||
| Tags |
|
|||||||||||||||||||||||||||||||||||||||||||||
| Versions |
|
|||||||||||||||||||||||||||||||||||||||||||||
| Last Version Text | <?xml version="1.0" ?> <ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd"> <ns0:Description> <ns0:Id>20250AB__135597AMD</ns0:Id> <ns0:VersionNum>97</ns0:VersionNum> <ns0:History> <ns0:Action> <ns0:ActionText>INTRODUCED</ns0:ActionText> <ns0:ActionDate>2025-02-21</ns0:ActionDate> </ns0:Action> <ns0:Action> <ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText> <ns0:ActionDate>2025-04-10</ns0:ActionDate> </ns0:Action> <ns0:Action> <ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText> <ns0:ActionDate>2025-05-01</ns0:ActionDate> </ns0:Action> <ns0:Action> <ns0:ActionText>CORRECTED</ns0:ActionText> <ns0:ActionDate>2025-05-02</ns0:ActionDate> </ns0:Action> </ns0:History> <ns0:LegislativeInfo> <ns0:SessionYear>2025</ns0:SessionYear> <ns0:SessionNum>0</ns0:SessionNum> <ns0:MeasureType>AB</ns0:MeasureType> <ns0:MeasureNum>1355</ns0:MeasureNum> <ns0:MeasureState>AMD</ns0:MeasureState> </ns0:LegislativeInfo> <ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Assembly Member Ward</ns0:AuthorText> <ns0:AuthorText authorType="PRINCIPAL_COAUTHOR_ORIGINATING">(Principal coauthor: Assembly Member Aguiar-Curry)</ns0:AuthorText> <ns0:AuthorText authorType="COAUTHOR_ORIGINATING">(Coauthors: Assembly Members Mark González and Ortega)</ns0:AuthorText> <ns0:AuthorText authorType="COAUTHOR_OPPOSITE">(Coauthor: Senator Wiener)</ns0:AuthorText> <ns0:Authors> <ns0:Legislator> <ns0:Contribution>LEAD_AUTHOR</ns0:Contribution> <ns0:House>ASSEMBLY</ns0:House> <ns0:Name>Ward</ns0:Name> </ns0:Legislator> <ns0:Legislator> <ns0:Contribution>PRINCIPAL_COAUTHOR</ns0:Contribution> <ns0:House>ASSEMBLY</ns0:House> <ns0:Name>Aguiar-Curry</ns0:Name> </ns0:Legislator> <ns0:Legislator> <ns0:Contribution>COAUTHOR</ns0:Contribution> <ns0:House>ASSEMBLY</ns0:House> <ns0:Name>Mark González</ns0:Name> </ns0:Legislator> <ns0:Legislator> <ns0:Contribution>COAUTHOR</ns0:Contribution> <ns0:House>ASSEMBLY</ns0:House> <ns0:Name>Ortega</ns0:Name> </ns0:Legislator> <ns0:Legislator> <ns0:Contribution>COAUTHOR</ns0:Contribution> <ns0:House>SENATE</ns0:House> <ns0:Name>Wiener</ns0:Name> </ns0:Legislator> </ns0:Authors> <ns0:Title> An act to amend Sections 1798.100 and 1798.121 of, to add Section 1798.14.5 to, and to add Title 1.81.24 (commencing with Section 1798.90.75) to Part 4 of Division 3 of, the Civil Code, relating to privacy. </ns0:Title> <ns0:RelatingClause>privacy</ns0:RelatingClause> <ns0:GeneralSubject> <ns0:Subject>Location privacy.</ns0:Subject> </ns0:GeneralSubject> <ns0:DigestText> <html:p> (1) <html:span class="EnSpace"/> Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use, as prescribed. Existing law defines “sensitive personal information” to mean, among other things, personal information that reveals a consumer’s precise geolocation. Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. </html:p> <html:p>This bill would prohibit a covered entity from collecting or processing the location information of an individual unless doing so is necessary to provide goods or services requested by that individual. The bill would impose various other restrictions on covered entities with regard to location information. The bill would define various terms for purposes of these provisions, including “location information” to mean information that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device, as specified.</html:p> <html:p>This bill would require a covered entity to prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. The bill would require a covered entity to maintain and make available to the data subject a location privacy policy that includes specified information on data usage and management and is subject to a specified notice procedure.</html:p> <html:p>This bill would make a covered entity that violates these provisions liable for actual or statutory damages and other specified relief. The bill would authorize the Attorney General or other public prosecutors to bring an action to recover a civil penalty against a covered entity that violates these provisions.</html:p> <html:p>This bill would require a business, as defined by the CCPA, to comply with the above-described provisions.</html:p> <html:p> (2) <html:span class="EnSpace"/> Existing law, the Information Practices Act of 1977, prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. </html:p> <html:p>This bill would prohibit a state or local agency, including an agency as defined under the Information Practices Act, from monetizing, as defined, location information. By imposing new requirements on local agencies, this bill would impose a state-mandated local program.</html:p> <html:p> (3) <html:span class="EnSpace"/> The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. </html:p> <html:p>This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.</html:p> <html:p> (4) <html:span class="EnSpace"/> The California Consumer Privacy Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified. </html:p> <html:p>This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.</html:p> </ns0:DigestText> <ns0:DigestKey> <ns0:VoteRequired>MAJORITY</ns0:VoteRequired> <ns0:Appropriation>NO</ns0:Appropriation> <ns0:FiscalCommittee>YES</ns0:FiscalCommittee> <ns0:LocalProgram>YES</ns0:LocalProgram> </ns0:DigestKey> <ns0:MeasureIndicators> <ns0:ImmediateEffect>NO</ns0:ImmediateEffect> <ns0:ImmediateEffectFlags> <ns0:Urgency>NO</ns0:Urgency> <ns0:TaxLevy>NO</ns0:TaxLevy> <ns0:Election>NO</ns0:Election> <ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses> <ns0:BudgetBill>NO</ns0:BudgetBill> <ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill> </ns0:ImmediateEffectFlags> </ns0:MeasureIndicators> </ns0:Description> <ns0:Bill id="bill"> <ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble> <ns0:BillSection id="id_11B49F6B-05D8-4365-9A31-B8A87CA4D9C9"> <ns0:Num>SECTION 1.</ns0:Num> <ns0:ActionLine action="IS_ADDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2F%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.14.5'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator"> Section 1798.14.5 is added to the <ns0:DocName>Civil Code</ns0:DocName> , to read: </ns0:ActionLine> <ns0:Fragment> <ns0:LawSection id="id_0820E263-4C15-4B64-8AB6-B36CD66F713D"> <ns0:Num>1798.14.5.</ns0:Num> <ns0:LawSectionVersion id="id_0DECD4FC-D65A-438F-8CB8-D5C7C3FA2726"> <ns0:Content> <html:p>Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75).</html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> </ns0:Fragment> </ns0:BillSection> <ns0:BillSection id="id_B1611BA6-1CF4-4324-8521-E4D0E5DE4BEF"> <ns0:Num>SEC. 2.</ns0:Num> <ns0:ActionLine action="IS_ADDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.24.'%5D)" ns3:label="fractionType: LAW_SPREAD||commencingWith: 1798.90.75" ns3:type="locator"> Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the <ns0:DocName>Civil Code</ns0:DocName> , to read: </ns0:ActionLine> <ns0:Fragment> <ns0:LawHeading id="id_1DF34601-DD83-4629-8736-80328FAB9C90" type="TITLE"> <ns0:Num>1.81.24.</ns0:Num> <ns0:LawHeadingVersion id="id_530D496A-E003-4A21-859B-B5935171FEBB"> <ns0:LawHeadingText>California Location Privacy Act</ns0:LawHeadingText> </ns0:LawHeadingVersion> <ns0:LawSection id="id_C52CDB6D-A125-4831-8A8A-5EF656A0A957"> <ns0:Num>1798.90.75.</ns0:Num> <ns0:LawSectionVersion id="id_EF253280-7C4F-4497-A31E-B531D70126E4"> <ns0:Content> <html:p> (a) <html:span class="EnSpace"/> This title shall be known, and may be cited, as the California Location Privacy Act. </html:p> <html:p> (b) <html:span class="EnSpace"/> For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings: </html:p> <html:p> (1) <html:span class="EnSpace"/> “Automated license plate recognition information,” or “ALPR information” means information or data collected through the use of an ALPR system. </html:p> <html:p> (2) <html:span class="EnSpace"/> “Automated license plate recognition system” or “ALPR system” means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data. </html:p> <html:p> (3) <html:span class="EnSpace"/> “Collect” means to obtain, infer, generate, create, receive, or access an individual’s location information. </html:p> <html:p> (4) <html:span class="EnSpace"/> “Covered entity” means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof. </html:p> <html:p> (5) <html:span class="EnSpace"/> “Disclose” means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means. </html:p> <html:p> (6) <html:span class="EnSpace"/> “Facial recognition technology” or “FRT” means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image. </html:p> <html:p> (7) <html:span class="EnSpace"/> “Individual” means a natural person located within the State of California. </html:p> <html:p> (8) <html:span class="EnSpace"/> “Location information” means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following: </html:p> <html:p> (A) <html:span class="EnSpace"/> An internet protocol address capable of revealing the physical or geographical location of an individual. </html:p> <html:p> (B) <html:span class="EnSpace"/> Global Positioning System (GPS) coordinates. </html:p> <html:p> (C) <html:span class="EnSpace"/> Cell-site location information. </html:p> <html:p> (D) <html:span class="EnSpace"/> Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time. </html:p> <html:p> (E) <html:span class="EnSpace"/> Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time. </html:p> <html:p> (F) <html:span class="EnSpace"/> A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time. </html:p> <html:p> (9) <html:span class="EnSpace"/> “Monetize” means to collect, process, or disclose an individual’s location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. “Monetize” shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code). </html:p> <html:p> (10) <html:span class="EnSpace"/> “Probe image” means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file. </html:p> <html:p> (11) <html:span class="EnSpace"/> “Process” means any operation or set of operations that are performed on location information whether or not by automated means. </html:p> <html:p> (12) <html:span class="EnSpace"/> “Sale” means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s location information by the covered entity to a third party for monetary or other valuable consideration. </html:p> <html:p> (13) <html:span class="EnSpace"/> “Service provider” means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity. </html:p> <html:p> (14) <html:span class="EnSpace"/> “Speed safety system” means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicle’s license plate. </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> <ns0:LawSection id="id_E76EA7EE-11C8-470D-BB2A-35A09D0D8119"> <ns0:Num>1798.90.76.</ns0:Num> <ns0:LawSectionVersion id="id_7AACF976-2A79-42BB-A17F-1DA7667CF381"> <ns0:Content> <html:p> (a) <html:span class="EnSpace"/> A covered entity shall not collect or process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual. </html:p> <html:p> (b) <html:span class="EnSpace"/> It is unlawful for a covered entity or service provider that collects or processes location information to do any of the following: </html:p> <html:p> (1) <html:span class="EnSpace"/> (A) <html:span class="EnSpace"/> Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual. </html:p> <html:p> (B) <html:span class="EnSpace"/> Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours. </html:p> <html:p> (2) <html:span class="EnSpace"/> Retain location information longer than necessary to provide the goods or services requested by the individual. </html:p> <html:p> (3) <html:span class="EnSpace"/> Sell, rent, trade, or lease location information to third parties. </html:p> <html:p> (4) <html:span class="EnSpace"/> Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual. </html:p> <html:p> (5) <html:span class="EnSpace"/> Disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains. </html:p> <html:p> (c) <html:span class="EnSpace"/> It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with California’s laws, including, but not limited to: </html:p> <html:p> (1) <html:span class="EnSpace"/> The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code). </html:p> <html:p> (2) <html:span class="EnSpace"/> A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure. </html:p> <html:p> (d) <html:span class="EnSpace"/> It is unlawful for a state or local agency to monetize location information. </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> <ns0:LawSection id="id_9DDF48C3-E5F9-4F5A-8518-31D23EFD528F"> <ns0:Num>1798.90.77.</ns0:Num> <ns0:LawSectionVersion id="id_21CECA42-7BF4-4B9F-9A02-D7417102EBF9"> <ns0:Content> <html:p> (a) <html:span class="EnSpace"/> A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. </html:p> <html:p> (b) <html:span class="EnSpace"/> A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following: </html:p> <html:p> (1) <html:span class="EnSpace"/> The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information. </html:p> <html:p> (2) <html:span class="EnSpace"/> The type of location information collected, including the precision of the data. </html:p> <html:p> (3) <html:span class="EnSpace"/> The identities of service providers with which the covered entity contracts with respect to location data. </html:p> <html:p> (4) <html:span class="EnSpace"/> Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed. </html:p> <html:p> (5) <html:span class="EnSpace"/> The data management and data security policies governing location information. </html:p> <html:p> (6) <html:span class="EnSpace"/> The retention schedule and guidelines for permanently deleting location information. </html:p> <html:p> (c) <html:span class="EnSpace"/> A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy. </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> <ns0:LawSection id="id_CEA9BF67-AF32-45D6-B8B9-7FD838EE7D39"> <ns0:Num>1798.90.78.</ns0:Num> <ns0:LawSectionVersion id="id_D6818165-6EA4-42A7-A2E2-DF1C543FE6F8"> <ns0:Content> <html:p> (a) <html:span class="EnSpace"/> The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein. </html:p> <html:p> (b) <html:span class="EnSpace"/> A person who violates this title, or aids, incites, or conspires in a violation, is liable for each violation in a claim brought by an injured party for actual damages or statutory damages of twenty-five thousand dollars ($25,000), whichever is greater. The court may additionally award any of the following to a prevailing plaintiff: </html:p> <html:p> (1) <html:span class="EnSpace"/> Exemplary damages. </html:p> <html:p> (2) <html:span class="EnSpace"/> Injunctive relief. </html:p> <html:p> (3) <html:span class="EnSpace"/> Reasonable attorney’s fees and costs. </html:p> <html:p> (c) <html:span class="EnSpace"/> Any of the following public entities may bring a civil action against a covered entity for a violation of this title to recover a civil penalty of twenty-five thousand dollars ($25,000): </html:p> <html:p> (1) <html:span class="EnSpace"/> The Attorney General in the name of the people of the State of California. </html:p> <html:p> (2) <html:span class="EnSpace"/> A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred. </html:p> <html:p> (d) <html:span class="EnSpace"/> An action under this section shall be commenced within three years of the alleged violation of this title. </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> <ns0:LawSection id="id_7684BB0C-0F3C-46ED-B5F5-73ADF3C03674"> <ns0:Num>1798.90.79.</ns0:Num> <ns0:LawSectionVersion id="id_ABEC7B05-2B23-4250-8BDD-4458C95B4CFE"> <ns0:Content> <html:p>This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy.</html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> </ns0:LawHeading> </ns0:Fragment> </ns0:BillSection> <ns0:BillSection id="id_C27B761E-8175-4F58-B3C9-5667441CA5D6"> <ns0:Num>SEC. 3.</ns0:Num> <ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.5.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.100.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator"> Section 1798.100 of the <ns0:DocName>Civil Code</ns0:DocName> is amended to read: </ns0:ActionLine> <ns0:Fragment> <ns0:LawSection id="id_E12F4D38-756C-4B4F-AF0B-930CF3E97CB2"> <ns0:Num>1798.100.</ns0:Num> <ns0:LawSectionVersion id="id_F14F36DC-CF55-443D-BDD1-2F9DB3212CED"> <ns0:Content> <html:p>General Duties of Businesses that Collect Personal Information</html:p> <html:p> (a) <html:span class="EnSpace"/> A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of the following: </html:p> <html:p> (1) <html:span class="EnSpace"/> The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section. </html:p> <html:p> (2) <html:span class="EnSpace"/> If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section. </html:p> <html:p> (3) <html:span class="EnSpace"/> The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. </html:p> <html:p> (b) <html:span class="EnSpace"/> A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location. </html:p> <html:p> (c) <html:span class="EnSpace"/> A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes. </html:p> <html:p> (d) <html:span class="EnSpace"/> A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that: </html:p> <html:p> (1) <html:span class="EnSpace"/> Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes. </html:p> <html:p> (2) <html:span class="EnSpace"/> Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title. </html:p> <html:p> (3) <html:span class="EnSpace"/> Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title. </html:p> <html:p> (4) <html:span class="EnSpace"/> Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title. </html:p> <html:p> (5) <html:span class="EnSpace"/> Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. </html:p> <html:p> (e) <html:span class="EnSpace"/> (1) <html:span class="EnSpace"/> A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5. </html:p> <html:p> (2) <html:span class="EnSpace"/> A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75). </html:p> <html:p> (f) <html:span class="EnSpace"/> Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185. </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> </ns0:Fragment> </ns0:BillSection> <ns0:BillSection id="id_C9D92CDF-91B5-4456-BED0-6FE82DBA9FCB"> <ns0:Num>SEC. 4.</ns0:Num> <ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.5.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.121.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator"> Section 1798.121 of the <ns0:DocName>Civil Code</ns0:DocName> is amended to read: </ns0:ActionLine> <ns0:Fragment> <ns0:LawSection id="id_F17E797D-FA7D-4DC9-9538-CFE15DDBA382"> <ns0:Num>1798.121.</ns0:Num> <ns0:LawSectionVersion id="id_E59B07C4-DA9F-4699-9B8F-CFED2291512C"> <ns0:Content> <html:p>Consumers’ Right to Limit Use and Disclosure of Sensitive Personal Information</html:p> <html:p> (a) <html:span class="EnSpace"/> A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information. </html:p> <html:p> (b) <html:span class="EnSpace"/> A business that has received direction from a consumer not to use or disclose the consumer’s sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer’s sensitive personal information for any other purpose after its receipt of the consumer’s direction unless the consumer subsequently provides consent for the use or disclosure of the consumer’s sensitive personal information for additional purposes. </html:p> <html:p> (c) <html:span class="EnSpace"/> A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business. </html:p> <html:p> (d) <html:span class="EnSpace"/> Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100. </html:p> <html:p> (e) <html:span class="EnSpace"/> This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). </html:p> </ns0:Content> </ns0:LawSectionVersion> </ns0:LawSection> </ns0:Fragment> </ns0:BillSection> <ns0:BillSection id="id_47F105FD-B727-48F3-8F6E-994D872EFBFF"> <ns0:Num>SEC. 5.</ns0:Num> <ns0:Content> <html:p>If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.</html:p> </ns0:Content> </ns0:BillSection> <ns0:BillSection id="id_B7DE0E15-41CD-4EE2-8C30-39499A30DFCA"> <ns0:Num>SEC. 6.</ns0:Num> <ns0:Content> <html:p>The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.</html:p> </ns0:Content> </ns0:BillSection> <ns0:Correction> CORRECTIONS:</ns0:Correction> <ns0:Correction> Heading—Line 3.</ns0:Correction> </ns0:Bill> </ns0:MeasureDoc> |
|||||||||||||||||||||||||||||||||||||||||||||
| Last Version Text Digest | (1) |