Bill Text

PDF |Add To My Favorites |Track Bill | print page

AB-1760 California Consumer Privacy Act of 2018.(2019-2020)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 04/12/2019 09:00 PM
AB1760:v97#DOCUMENT

Amended  IN  Assembly  April 12, 2019
Amended  IN  Assembly  April 04, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill
No. 1760


Introduced by Assembly Member Wicks

February 22, 2019


An act to amend Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.175, 1798.185, 1798.190, 1798.192, and 1798.198 of, to amend the heading of Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of, to amend, repeal, and add Section 1798.180 of, to add Sections 1798.100a and 1798.103 to, and to repeal and add Section 1798.196 of, the Civil Code, relating to personal information.


LEGISLATIVE COUNSEL'S DIGEST


AB 1760, as amended, Wicks. California Consumer Privacy Act of 2018.
The California Consumer Privacy Act of 2018 grants, commencing on January 1, 2020, a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to request disclosure of, and have access to, the categories and specific pieces of information that a business collects about the consumer. The act grants a consumer a right to request a business to delete any personal information about the consumer collected by the business and requires a business to do so upon receipt of a verified request, except as specified. The act grants a consumer the right to opt-out of the sale of personal information. The act prohibits a business from discriminating because of the exercise of these rights, provided that this prohibition does not prevent a business from charging a different price or rate, or giving a different level of goods or services, if the difference is related to the value of the consumer’s data, as specified. The act prescribes definitions for these purposes, including “business purpose,” “personal information,” and “sell.” The act establishes a variety of exceptions to the obligations imposed on a business under these provisions.
The act authorizes a consumer whose personal information, as specified, is subject to theft or disclosure resulting from a business’s failure to implement and maintain reasonable security procedures to bring a civil action and prescribes various requirements in this regard. Existing law also authorizes the Attorney General to bring a civil action for a violation of the act and grants a business an opportunity to cure a violation within 30 days of notice. Existing law imposes other responsibilities on the Attorney General in connection with the act, including the creation of regulations and providing guidance on how to comply with the act.
This bill would revise and recast the California Consumer Privacy Act of 2018, which it would rename the Privacy for All Act of 2019. 2018. Among other things, the bill would prohibit a business from sharing a consumer’s personal information unless the consumer has authorized that sharing and would prescribe various business requirements in connection with this new “right to opt-in consent.” The bill would generally prohibit any discrimination against a consumer based on the exercise of the right to opt-in or other rights, including charging different prices for goods or services. The bill would require a business that collects personal information to limit its use and retention of personal information to what is reasonably necessary to provide a service or conduct an activity, as specified, subject to certain exceptions. The bill would broaden the duties of businesses regarding requirements connected with disclosure, access, and deletion of consumer information. The bill would redefine “business purpose,” “personal information,” “sell,” “research,” and other terms. The bill would eliminate certain exceptions to the obligations imposed on a business in connection with its provisions.

The bill would provide that any violation of the act is an injury in fact and would authorize a consumer to bring suit on this basis, as specified. The bill would authorize recovery of specified damages and attorney’s fees in these suits. The

This bill would expand the enforcement provisions currently granted to the Attorney General to apply to county district attorneys and city attorneys, among others, and would eliminate the opportunity of a business to cure a violation within 30 days. The bill would provide that the Privacy for All Act of 2019 California Consumer Privacy Act of 2018 would be operative January 1, 2021, and revise the preemption of local rules and regulations currently in effect as of that date to apply to provisions that are in conflict with the act. The bill would make a variety of other technical and conforming changes.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

This measure shall be known and cited as the “Privacy for All Act of 2019.”

SEC. 2.The heading of Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3 of the Civil Code is amended to read:
1.81.5.Privacy for All Act of 2019

SEC. 3.SECTION 1.

 Section 1798.100a is added to the Civil Code, immediately preceeding Section 1798.100, to read:

1798.100a.
 The Legislature finds and declares that:
(a) In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the collection and the use, including the sale and sharing, of their personal information.
(b) Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, a California law intended to give Californians the “who, what, where, and when” of how businesses handle consumers’ personal information.
(c) At the same time, California is one of the world’s leaders in the development of new technologies and related industries. Yet the proliferation of personal information has limited Californians’ ability to properly protect and safeguard their privacy. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.
(d) As the role of technology and data in the every daily lives of consumers increases, there is an increase in the amount of personal information collected and shared by businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.
(e) Many businesses collect personal information from California consumers. They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer’s personality, sleep habits, biometric and health information, financial information, precise geolocation information, and social networks, to name a few categories.
(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
(g) In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica. A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the internet. As a result, our desire for privacy controls and transparency in data practices is heightened.
(h) People desire privacy and more control over their information. California consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information. It is possible for businesses to both respect consumers’ privacy and provide a high level of transparency to their business practices.
(i) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:
(1) The right of Californians to know what personal information is being collected about them and how it is used.
(2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
(3) The right of Californians to say no to the sale or sharing of personal information.
(4) The right of Californians to access their personal information.
(5) The right of Californians to equal service and price, even if they exercise their privacy rights.

SEC. 4.SEC. 2.

 Section 1798.100 of the Civil Code is amended to read:

1798.100.
 (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.
(b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.
(c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.
(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly disclose and deliver, free of charge to the consumer, the personal information required by this section. On a verifiable request to do so from the consumer, the business shall disclose the specific pieces of the consumer’s personal information in an electronic, portable, machine-readable, and readily-useable format or formats, that allow the consumer both to understand this information and to transmit it to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
(e) This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not shared, sold, or retained by the business, or to reidentify or otherwise link information that is not maintained as personal information.

SEC. 5.SEC. 3.

 Section 1798.103 is added to the Civil Code, to read:

1798.103.
 (a) A business that collects a consumer’s personal information shall limit its collection of personal information and sharing of that information with third parties only (1) as reasonably necessary to provide a service or conduct an activity that a consumer has requested, (2) as reasonably necessary for security or fraud prevention, or (3) as required to comply with a court-issued subpoena, warrant, or order.
(b) A business that collects a consumer’s personal information shall limit its use and retention of personal information to what is reasonably necessary to provide a service or conduct an activity that a consumer has requested or a directly related business purpose, provided, however, that personal information collected or retained solely for security or fraud prevention shall not be used for related business purposes.

SEC. 6.SEC. 4.

 Section 1798.105 of the Civil Code is amended to read:

1798.105.
 (a) A consumer shall have the right to request that a business delete any personal information about the consumer.
(b) A business that collects personal information about a consumer shall disclose, pursuant to the notice requirements of Section 1798.135, the consumer’s rights to request the deletion of the consumer’s personal information.
(c) A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
(d) A business or a service provider may delay compliance with a consumer’s request to delete the consumer’s personal information for so long as it is reasonably necessary for the business or service provider to maintain the consumer’s personal information in order to:
(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech and ensure the right of another consumer to exercise that consumer’s right of free speech.
(5) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

SEC. 7.SEC. 5.

 Section 1798.110 of the Civil Code is amended to read:

1798.110.
 (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or sharing personal information.
(4) The categories of third parties, and the specific third parties, with whom the business shares personal information.
(5) The specific pieces of personal information it has collected about that consumer.
(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer.
(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The categories of personal information it has collected about that consumer.
(2) The categories of sources from which the personal information is collected.
(3) The business or commercial purpose for collecting or sharing personal information.
(4) The categories of third parties, and the specific third parties, with whom the business shares personal information.
(5) The specific pieces of personal information the business has collected about that consumer.
(d) This section does not require a business to do the following:
(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

SEC. 8.SEC. 6.

 Section 1798.115 of the Civil Code is amended to read:

1798.115.
 (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that shares it for a business or commercial purpose, disclose to that consumer:
(1) The categories of personal information that the business collected about the consumer.
(2) The categories of personal information that the business sold about the consumer, the categories of third parties, and the specific third parties, to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
(3) The categories of personal information that the business shared about the consumer for a business or commercial purpose.
(4) The specific pieces of personal information the business has shared or sold about that consumer.
(b) A business that sells personal information about a consumer, or that shares a consumer’s personal information for a business or commercial purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
(c) A business that sells consumers’ personal information, or that shares consumers’ personal information for a business or commercial purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.
(2) The category or categories of consumers’ personal information it has shared for a business or commercial purpose, or if the business has not shared the consumers’ personal information for a business or commercial purpose, it shall disclose that fact.

SEC. 9.SEC. 7.

 Section 1798.120 of the Civil Code is amended to read:

1798.120.
 (a) A business shall not share a consumer’s personal information unless the consumer has affirmatively authorized the sharing. This right may be referred to as “the right to opt-in consent.”
(b) A business shall request a user’s opt-in consent separately from any other permission or consent, with the option to decline consent at least as prominent as the option to provide consent.
(c) If a consumer declines to provide their opt-in consent to the sharing of their personal information, the business shall refrain for at least 12 months before again requesting that the consumer provide their opt-in consent to the sharing of their personal information. The business may however make available a setting or other user control that the consumer may affirmatively access in order to consent to additional data sharing.
(d) A business that obtains a consumer’s opt-in consent to share their personal information pursuant to this section shall provide consumers the ability to withdraw such consent through a readily usable and automated means at any time.
(e) A business shall use any personal information collected from the consumer in connection with the withdrawal of opt-in consent solely for the purposes of complying with the request.
(f) If the business has actual knowledge that the consumer is less than 13 years of age, the consumer’s parent or guardian shall affirmatively authorize the sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.

SEC. 10.SEC. 8.

 Section 1798.125 of the Civil Code is amended to read:

1798.125.
 A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
(a) Denying goods or services to the consumer.
(b) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(c) Providing a different level or quality of goods or services to the consumer.
(d) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

SEC. 11.SEC. 9.

 Section 1798.130 of the Civil Code is amended to read:

1798.130.
 (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall:
(1) Make available, in a form that is reasonably accessible to consumers, to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address.
(2) Disclose and deliver, also in a form that is reasonably accessible to consumers, the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable consumer request.
(3) For purposes of subdivision (b) of Section 1798.110:
(A) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected.
(4) For purposes of subdivision (b) of Section 1798.115:
(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.
(B) Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).
(C) Identify by category or categories the personal information of the consumer that the business shared for a business or commercial purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was shared for a business or commercial purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information shared. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its internet website and update that information at least once every 12 months:
(A) A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.
(B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:
(i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.
(ii) A list of the categories of personal information it has shared about consumers for a business or commercial purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information shared, or if the business has not shared consumers’ personal information for a business or commercial purpose in the preceding 12 months, the business shall disclose that fact.
(6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.100, 1798.103, 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.
(7) Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification.
(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.
(c) The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.

SEC. 12.SEC. 10.

 Section 1798.135 of the Civil Code is amended to read:

1798.135.
 (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:
(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Share My Personal Information,” to an internet web page that enables a consumer, or a person authorized by the consumer, to withdraw opt-in consent to the sharing of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to share the consumer’s personal information.
(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Share My Personal Information” internet web page in:
(A) Its online privacy policy or policies if the business has an online privacy policy or policies.
(B) Any California-specific description of consumers’ privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.
(4) For consumers who do not provide opt-in consent to the sharing of their personal information, refrain from sharing personal information collected by the business about the consumer.
(5) For a consumer who has not opted-in to the sharing of the consumer’s personal information, wait at least 12 months before requesting that the consumer authorize the sharing of the consumer’s personal information.
(6) Use any personal information collected from the consumer in connection with a consumer’s response to an opt-in request solely for the purposes of complying with the opt-in request.
(b) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
(c) A consumer may authorize another person solely to opt-in to the sharing of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt-in request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.

SEC. 13.SEC. 11.

 Section 1798.140 of the Civil Code is amended to read:

1798.140.
 For purposes of this title:
(a) “Aggregate information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate information” does not mean one or more individual consumer records that have been de­identified.
(b) “Biometric information” means a physiological, biological or behavioral characteristic, including deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other information, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data.
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from sharing consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(d) “Business purpose” means the use of personal information when reasonably necessary and proportionate to achieve one of the following purposes:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting and responding to security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided the personal information is not shared with another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing or providing services on behalf of the business or service provider, including maintaining or servicing accounts, billing or collecting for requested products or services, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, or to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
(e) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.
(f) “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
(g) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.
(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Takes reasonable measures to ensure that the data is deidentified.
(2) Has implemented technical safeguards that prevent reidentification of the consumer to whom the information may pertain.
(3) Has implemented business processes, including contractual limits on downstream recipients, that specifically prohibit reidentification of the information.
(4) Has implemented business processes to prevent inadvertent release of deidentified information.
(5) Makes no attempt to reidentify the information.
(i) “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, telephone number, or other applicable contact information, whereby consumers may submit a request under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.
(j) “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
(k) “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.
(l) “Homepage” means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.145, including, but not limited to, before downloading the application.
(m) “Infer” or “inference” means the derivation of information, data, assumptions, probabilities, or conclusions from facts, evidence, or another source of information or data.
(n) “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer, household, or device:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, MAC address, device serial number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information other than biometric information that is lawfully made available from federal, state, or local government records. “Personal information” does not include personal information that is deidentified or aggregated.
(3) References to a category or categories of personal information required to be disclosed pursuant to this title shall follow this definition.
(p) “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
(q) “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.
(r) “Research” means scientific and systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:
(1) Compatible with the business purpose for which the personal information was collected.
(2) Subsequently deidentified or in the aggregate, or both, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
(3) Made subject to technical safeguards to prevent reidentification of the consumer to whom the information may pertain.
(4) Subject to business processes that specifically prohibit reidentification of the information.
(5) Made subject to business processes to prevent inadvertent release of deidentified information.
(6) Protected from any reidentification attempts.
(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.
(8) Not be used for any commercial purpose.
(9) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(s) “Sell” means sharing for monetary or other valuable consideration.
(t) (1) “Share” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party.
(2) For purposes of this title, a business does not share personal information when:
(A) The business uses, shares, or discloses an identifier for a consumer who has not opted-in to the sharing of the consumer’s personal information for the purposes of alerting third parties that the consumer has not opted-in to the sharing of the consumer’s personal information.
(B) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, share or use the personal information of the consumer except as necessary to perform the business purpose.
(C) The business transfers the personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Sections 1798.110 and 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
(u) “Service” or “services” means work, labor, and services, including services furnished in connection with the production, sale, or repair of goods.
(v) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business shares a consumer’s personal information for a business purpose pursuant to a written or electronic contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including a prohibition on retaining, using, or sharing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
(w) “Third party” means a person who is not any of the following:
(1) The business that collects personal information from consumers under this title.
(2) A person with whom the business shares a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
(A) Prohibits the person receiving the personal information from:
(i) Selling the personal information.
(ii) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
(x) “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; a unique identifier associated with website cookies, beacons or pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
(y) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

SEC. 14.SEC. 12.

 Section 1798.145 of the Civil Code is amended to read:

1798.145.
 (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:
(1) Comply with the requirements of federal, state, or local laws, or regulations.
(2) Comply with a court-issued subpoena, warrant, or order.
(3) Share information, if:
(A) The business, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires sharing of the information; or
(B) The information is shared with the National Center for Missing and Exploited Children in connection with a report submitted pursuant to Section 2258A of Title 18 of the United States Code.
(4) Exercise or defend legal claims.
(5) Collect or share a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sharing of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is shared. This paragraph shall not permit a business to collect and retain including on a device, personal information about a consumer collected when the consumer is in California and then share that personal information when the consumer and retained personal information is outside of California.
(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or shared pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
(f) This title shall not apply to personal information collected, processed, sold, or shared pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
(g) Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:
(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer and the Attorney General of the reason for refusing the request. In any investigation, the business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(h) A business that shares personal information with a service provider shall not be liable under this title for violations of this title by the service provider, provided that both of the following are true:
(1) The business did not have actual knowledge or reason to believe that the service provider committed those violations.
(2) The business made reasonable efforts to ensure compliance with this title by the service provider.
(i) A service provider shall not be liable for violations of this title by the business for which it provides services as set forth in this title, including by the failure of the business to notify the service provider of a deletion request as required in subdivision (c) of Section 1798.105.
(j) This title shall not be construed to require a business to collect or retain personal information about a consumer longer than it would be retained in the ordinary course of business or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.
(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

SEC. 15.Section 1798.150 of the Civil Code is amended to read:
1798.150.

(a)Any violation of this title constitutes an injury in fact, and any consumer may bring a lawsuit in a court of competent jurisdiction.

(b)Any consumer whose personal information is subject to an unauthorized access and exfiltration, theft, or disclosure may bring a lawsuit in a court of competent jurisdiction.

(c)A consumer who prevails in such a lawsuit shall obtain the following remedies:

(1)To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(2)Injunctive or declaratory relief.

(3)Reasonable attorney fees and costs.

(4)Any other relief the court deems proper.

(d)In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

SEC. 16.SEC. 13.

 Section 1798.155 of the Civil Code is amended to read:

1798.155.
 (a) The Attorney General, a county district attorney, a city attorney, or a county counsel may bring a civil action, in the name of the of the people of the State of California, against any business, service provider, or other person that violated this title.
(b) Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought as permitted in subdivision (a).
(c) Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts or law enforcement in connection with this title.

SEC. 17.SEC. 14.

 Section 1798.175 of the Civil Code is amended to read:

1798.175.
 This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection, sharing, and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

SEC. 18.SEC. 15.

 Section 1798.180 of the Civil Code is amended to read:

1798.180.
 (a) This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.
(b) This section shall remain in effect only until January 1, 2021, and as of that date is repealed.

SEC. 19.SEC. 16.

 Section 1798.180 is added to the Civil Code, to read:

1798.180.
 (a) This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.
(b) This section shall become operative January 1, 2021.

SEC. 20.SEC. 17.

 Section 1798.185 of the Civil Code is amended to read:

1798.185.
 (a) On or before July 1, 2021, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:
(1) Updating as needed additional categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (o) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.
(2) Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130.
(3) Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.
(4) Establishing rules and procedures for the following:
(A) To facilitate and govern the submission of a request by a consumer to opt-in to the sharing of personal information pursuant to paragraph (1) of subdivision (a) of Section 1798.135.
(B) To govern business compliance with a consumer’s opt-in request.
(C) For the development and use of a recognizable and uniform opt-in logo or button by all businesses to promote consumer awareness of the opportunity to opt-in to the sharing of personal information.
(5) Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (c) of Section 1798.140 in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of this title and as needed thereafter.
(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.
(b) The Attorney General may update the foregoing regulations, and adopt additional regulations, as necessary to further the purposes of this title.
(c) The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2021, whichever is sooner.

SEC. 21.SEC. 18.

 Section 1798.190 of the Civil Code is amended to read:

1798.190.
 If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including, but not limited to, the sharing of information by a business to a third party in order to avoid the definition of share, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.

SEC. 22.SEC. 19.

 Section 1798.192 of the Civil Code is amended to read:

1798.192.
 Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt-in to a business’s sharing of the consumer’s personal information, or authorizing a business to share the consumer’s personal information after previously declining to opt-in.

SEC. 23.SEC. 20.

 Section 1798.196 of the Civil Code is repealed.

SEC. 24.SEC. 21.

 Section 1798.196 is added to the Civil Code, to read:

1798.196.
 This title has no effect on the scope of records available under the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).

SEC. 25.SEC. 22.

 Section 1798.198 of the Civil Code is amended to read:

1798.198.
 Except as provided in Section 1798.199, this title shall be operative January 1, 2021.

SEC. 26.SEC. 23.

 The provisions of this act are severable. If any provision of this act or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.