| Last Version Text |
<?xml version="1.0" ?>
<ns0:MeasureDoc xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://lc.ca.gov/legalservices/schemas/caml.1#" xmlns:ns3="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.0" xsi:schemaLocation="http://lc.ca.gov/legalservices/schemas/caml.1# xca.1.xsd">
<ns0:Description>
<ns0:Id>20250AB__036497AMD</ns0:Id>
<ns0:VersionNum>97</ns0:VersionNum>
<ns0:History>
<ns0:Action>
<ns0:ActionText>INTRODUCED</ns0:ActionText>
<ns0:ActionDate>2025-02-03</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText>
<ns0:ActionDate>2025-03-13</ns0:ActionDate>
</ns0:Action>
<ns0:Action>
<ns0:ActionText>AMENDED_ASSEMBLY</ns0:ActionText>
<ns0:ActionDate>2025-03-24</ns0:ActionDate>
</ns0:Action>
</ns0:History>
<ns0:LegislativeInfo>
<ns0:SessionYear>2025</ns0:SessionYear>
<ns0:SessionNum>0</ns0:SessionNum>
<ns0:MeasureType>AB</ns0:MeasureType>
<ns0:MeasureNum>364</ns0:MeasureNum>
<ns0:MeasureState>AMD</ns0:MeasureState>
</ns0:LegislativeInfo>
<ns0:AuthorText authorType="LEAD_AUTHOR">Introduced by Assembly Member DeMaio</ns0:AuthorText>
<ns0:Authors>
<ns0:Legislator>
<ns0:Contribution>LEAD_AUTHOR</ns0:Contribution>
<ns0:House>ASSEMBLY</ns0:House>
<ns0:Name>DeMaio</ns0:Name>
</ns0:Legislator>
</ns0:Authors>
<ns0:Title> An act to amend Section 1798.100 of, and to add Section 1798.122 to, the Civil Code, relating to privacy.</ns0:Title>
<ns0:RelatingClause>privacy</ns0:RelatingClause>
<ns0:GeneralSubject>
<ns0:Subject>Personal information: maintenance.</ns0:Subject>
</ns0:GeneralSubject>
<ns0:DigestText>
<html:p> The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information, as specified. The CCPA requires a business that controls the collection of a consumer’s personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to,
and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.</html:p>
<html:p>This bill would enact the Stop Foreign Governments from Accessing Californians’ Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumer’s personal information outside of the United States. The bill would prohibit a business from maintaining a consumer’s personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumer’s personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial
information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.</html:p>
<html:p>This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.</html:p>
</ns0:DigestText>
<ns0:DigestKey>
<ns0:VoteRequired>MAJORITY</ns0:VoteRequired>
<ns0:Appropriation>NO</ns0:Appropriation>
<ns0:FiscalCommittee>YES</ns0:FiscalCommittee>
<ns0:LocalProgram>NO</ns0:LocalProgram>
</ns0:DigestKey>
<ns0:MeasureIndicators>
<ns0:ImmediateEffect>NO</ns0:ImmediateEffect>
<ns0:ImmediateEffectFlags>
<ns0:Urgency>NO</ns0:Urgency>
<ns0:TaxLevy>NO</ns0:TaxLevy>
<ns0:Election>NO</ns0:Election>
<ns0:UsualCurrentExpenses>NO</ns0:UsualCurrentExpenses>
<ns0:BudgetBill>NO</ns0:BudgetBill>
<ns0:Prop25TrailerBill>NO</ns0:Prop25TrailerBill>
</ns0:ImmediateEffectFlags>
</ns0:MeasureIndicators>
</ns0:Description>
<ns0:Bill id="bill">
<ns0:Preamble>The people of the State of California do enact as follows:</ns0:Preamble>
<ns0:BillSection id="id_2024BAD6-34C3-416F-98DF-FEAE8E43E1BA">
<ns0:Num>SECTION 1.</ns0:Num>
<ns0:Content>
<html:p>This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians’ Sensitive Personal Information Act.</html:p>
</ns0:Content>
</ns0:BillSection>
<ns0:BillSection id="id_6955D362-016E-4CB5-B747-D8600894ACA3">
<ns0:Num>SEC. 2.</ns0:Num>
<ns0:ActionLine action="IS_AMENDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2Fcaml%3ALawHeading%5B%40type%3D'DIVISION'%20and%20caml%3ANum%3D'3.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'PART'%20and%20caml%3ANum%3D'4.'%5D%2Fcaml%3ALawHeading%5B%40type%3D'TITLE'%20and%20caml%3ANum%3D'1.81.5.'%5D%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.100.'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 1798.100 of the
<ns0:DocName>Civil Code</ns0:DocName>
is amended to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_F2701BB7-E5F4-4B25-8B2F-B7BF69219657">
<ns0:Num>1798.100.</ns0:Num>
<ns0:LawSectionVersion id="id_DF589653-91BF-4B1F-9FDA-3CBD06379C6D">
<ns0:Content>
<html:p>General Duties of Businesses that Collect Personal Information</html:p>
<html:p>
(a)
<html:span class="EnSpace"/>
A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform a consumer of all of the following:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The categories of personal information to be
collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive
personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
If the business intends to maintain the consumer’s personal information outside of the
United States.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal
information is sold, in a clear and conspicuous manner at the location.
</html:p>
<html:p>
(c)
<html:span class="EnSpace"/>
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
</html:p>
<html:p>
(d)
<html:span class="EnSpace"/>
A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service
provider, or contractor, that:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.
</html:p>
<html:p>
(4)
<html:span class="EnSpace"/>
Requires the third party, service provider, or
contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.
</html:p>
<html:p>
(5)
<html:span class="EnSpace"/>
Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
</html:p>
<html:p>
(e)
<html:span class="EnSpace"/>
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
</html:p>
<html:p>
(f)
<html:span class="EnSpace"/>
Nothing in this section shall require a business to disclose trade secrets, as
specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_DC3A16BF-380C-4DBD-8C29-EA222296A129">
<ns0:Num>SEC. 3.</ns0:Num>
<ns0:ActionLine action="IS_ADDED" ns3:href="urn:caml:codes:CIV:caml#xpointer(%2Fcaml%3ALawDoc%2Fcaml%3ACode%2F%2Fcaml%3ALawSection%5Bcaml%3ANum%3D'1798.122'%5D)" ns3:label="fractionType: LAW_SECTION" ns3:type="locator">
Section 1798.122 is added to the
<ns0:DocName>Civil Code</ns0:DocName>
, to read:
</ns0:ActionLine>
<ns0:Fragment>
<ns0:LawSection id="id_626EF062-C82D-44EC-A6ED-12DE80568C8A">
<ns0:Num>1798.122.</ns0:Num>
<ns0:LawSectionVersion id="id_7FEBC02D-2BB4-41C5-A852-EF5A53232345">
<ns0:Content>
<html:p>
(a)
<html:span class="EnSpace"/>
A business shall not maintain a consumer’s personal information outside of the United States unless all of the following are true:
</html:p>
<html:p>
(1)
<html:span class="EnSpace"/>
The business has informed the consumer of potential risks associated with the business maintaining the consumer’s personal information outside of the United States.
</html:p>
<html:p>
(2)
<html:span class="EnSpace"/>
The consumer explicitly consented to the business maintaining the consumer’s personal information outside of the United States.
</html:p>
<html:p>
(3)
<html:span class="EnSpace"/>
The personal information is not health care information, financial information, or geolocation data.
</html:p>
<html:p>
(b)
<html:span class="EnSpace"/>
A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
</html:p>
</ns0:Content>
</ns0:LawSectionVersion>
</ns0:LawSection>
</ns0:Fragment>
</ns0:BillSection>
<ns0:BillSection id="id_51525285-90AB-4FF8-AAD2-658EFDC3BB6B">
<ns0:Num>SEC. 4.</ns0:Num>
<ns0:Content>
<html:p>The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.</html:p>
</ns0:Content>
</ns0:BillSection>
</ns0:Bill>
</ns0:MeasureDoc>
|
| Last Version Text Digest |
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer’s personal information, as specified. The CCPA requires a business that controls the collection of a consumer’s personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. This bill would enact the Stop Foreign Governments from Accessing Californians’ Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumer’s personal information outside of the United States. The bill would prohibit a business from maintaining a consumer’s personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumer’s personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government. This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. |