1798.81.5.
(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.(2) For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.
(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
(d) For purposes of this section, the following terms have the following meanings:
(1) “Personal information” means either of the following:
(A) An individual’s first name or first initial and the individual’s his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) (i) Driver’s license number, California identification card number, Social security number, individual tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual. government issued employment identification number.
(ii) Driver’s license number or California identification card number.
(iii) Account number or number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes. Geolocation information.
(vii) Genetic data. Biometric information.
(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.
(2) “Geolocation information” means location data generated by a consumer device capable of connecting to the Internet that directly identifies the precise physical location of the identified individual at particular times and that is compiled and retained. “Geolocation information” does not include the contents of a communication or information used solely for 911 emergency purposes.
(3) “Biometric information” means data generated by automatic measurements of an individual’s fingerprint, voice print, eye retinas or irises, identifying DNA information, or unique facial characteristics, which are used by the owner or licensee to uniquely authenticate an individual’s identity.
(2) (4) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.
(3) (5) “Health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual’s insurance application and claims history, including any appeals records.
(4) (6) “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. public.
(5) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
(e) The provisions of this section do not apply to any of the following:
(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).
(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.4 1.2 (commencing with Section 4050) of the Financial Code).
(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).
(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.
(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
(f) For purposes of this section, “reasonable security procedures and practices” as they pertain to the storage and transmission of personal information shall require the security of that information to the degree that any reasonably prudent business would provide. All of the following shall also apply:
(1) The business shall undertake reasonable efforts, appropriate to the nature of the information, to do the following:
(A) Identify reasonably foreseeable internal and external risks to the security of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the information.
(B) Establish, implement, and maintain safeguards reasonably designed to secure the personal information, including, but not limited to, protecting against unauthorized access, acquisition, destruction, use, modification, or disclosure of the information.
(C) Regularly assess the sufficiency of the safeguards required pursuant to subparagraph (B) to control reasonably foreseeable internal and external risks, and evaluate and adjust those safeguards in light of the assessment.
(2) The reasonableness of the security procedures and practices appropriate to the nature of the information shall be determined in light of all of the following:
(A) The type of personal information under the business’s control.
(B) The foreseeability of threats to the security of the information.
(C) The existence of widely accepted practices in administrative, technical, and physical safeguards for protecting personal information.
(D) The cost of implementing and regularly assessing the safeguards.
(E) The size of the business.