AB-288 Consumer privacy: social media companies. (2019-2020)



SECTION 1.

 Title 1.81.24 (commencing with Section 1798.90.7) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.24. Social Media Privacy

1798.90.7.
 For the purposes of this title:
(a) “Personally identifiable information” does not include medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(b) “Social networking service” means an internet platform that does all of the following:
(1) Offers users an account hosted on the platform that requires a unique identifier and password.
(2) Allows users, through their account, to establish interpersonal connections with other user accounts on the platform.
(3) Allows users, through their account, to transmit electronic content between and among some or all of the user accounts to which they are interconnected. For purposes of this paragraph, “electronic content” includes, but is not limited to, videos, photographs, and messages.
(c) “Social networking service” does not mean any of the following:
(1) A media organization as defined by Section 1602 of Title 2 of the United States Code, as it read on April 1, 2019.
(2) A telecommunications carrier as defined in Section 153 of Title 47 of the United States Code, as it read on April 1, 2019.
(3) An institution regulated under the federal Gramm-Leach-Bliley Act (Public Law 106-102), as it read on April 1, 2019.
(4) An electronic place, including but not limited to, a store, internet website, or catalog where a seller sells or offers for sale tangible personal property, software applications, or taxable services for delivery in this state regardless of whether the tangible personal property, seller, or marketplace has a physical presence in the state.
(5) A retailer engaged in business in this state, as defined by subdivision (c) of Section 6203 of the Revenue and Taxation Code.
(6) An entity exempt from taxation under Section 501(c)(3) of the Internal Revenue Code.
(7) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in paragraph (1) of subdivision (a) of this section.
1798.90.75.
 (a) When a user of a social networking service deactivates or deletes the user’s account, the service shall provide the user the option of having the user’s personally identifiable information permanently removed from any database controlled by the service, from the service’s records, and to prohibit the service from selling that information to, or exchanging that information with, a third party in the future.
(b) A social networking service shall comply with a request made pursuant to subdivision (a) within a commercially reasonable time period.
(c) A social networking service shall not be required to comply with a request made pursuant to subdivision (a) if it is necessary for the business or service provider to maintain the consumer’s personal information for any of the following reasons:
(1) To complete the transaction for which the personal information was collected or provided a good or service requested by the consumer.
(2) To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
(3) To debug to identify and repair errors that impair existing intended functionality.
(4) To comply with the Electronic Communications Privacy Act (Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code).
(5) To engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of that research, if the research is conducted pursuant to the consumer’s informed consent.
1798.90.8.
 (a) Any consumer who suffers damages as a result of a violation of this title by any social networking service may bring an action in a court of appropriate jurisdiction against that service to recover the following:
(1) In the case of a negligent violation, actual damages, including court costs, loss of wages, attorney’s fees and, when applicable, pain and suffering.
(2) In the case of a willful violation:
(A) Actual damages, as set forth in paragraph (1).
(B) Punitive damages of not less than one hundred dollars ($100) nor more than ten thousand dollars ($10,000) for each violation as the court deems proper.
(C) Any other relief that the court deems proper.
(b) Injunctive relief shall be available to any consumer aggrieved by a violation or a threatened violation of this title whether or not the consumer seeks any other remedy.
(c) Any person who willfully violates any requirement imposed under this title may be liable for punitive damages in the case of a class action, in an amount that the court may allow. In determining the amount of award in any class action, the court shall consider among relevant factors the amount of any actual damages awarded, the frequency of the violations, the resources of the violator and the number of persons adversely affected.
(d) The prevailing plaintiffs in any action commenced under this section shall be entitled to recover court costs and reasonable attorney’s fees.
(e) If a plaintiff only seeks and obtains injunctive relief to compel compliance with this title, court costs and attorney’s fees shall be awarded pursuant to Section 1021.5 of the Code of Civil Procedure.
(f) Nothing in this section is intended to affect remedies available under Section 128.5 of the Code of Civil Procedure.