Today's Law As Amended

PDF |Add To My Favorites | print page

AB-1202 Privacy: data brokers.(2019-2020)

As Amends the Law Today
As Amends the Law on Nov 18, 2019

 The Legislature finds and declares all of the following:
(a) In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.
(b) Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, Shine the Light, and as of last year, the California Consumer Privacy Act of 2018, which gives Californians the ability to better control the personal information that is collected and sold about them.
(c) While many different types of businesses collect data about consumers, a “data broker” is in the business of aggregating and selling data about consumers with whom the business does not have a direct relationship.
(d) A data broker collects many hundreds or thousands of data points about consumers from multiple sources, including: internet browsing history, online purchases, public records, location data, loyalty programs, and subscription information. The data broker then analyzes the data to assess content and packages the data for sale to a third party.
(e) Data brokers may provide information that can be beneficial to services that are offered in the modern economy, including credit reporting, background checks, government services, risk mitigation and fraud detection, banking, insurance, and ancestry research, as well as helping to make determinations about whether to provide these services.
(f) While data brokers may offer benefits, they also create risks that are associated with the widespread aggregation and sale of data about consumers, including risks related to the inability of consumers to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information.
(g) There are important differences between data brokers and businesses with whom consumers have a direct relationship. Consumers who have a direct relationship with traditional and e-commerce businesses, which could have formed in a variety of ways such as by visiting a business’ premises or internet website, or by affirmatively and intentionally interacting with a business’ online advertisements, may have some level of knowledge about and control over the collection of data by those businesses, including: the choice to use the business’ products or services, the ability to review and consider data collection policies, the ability to opt out of certain data collection practices, the ability to identify and contact customer representatives, and the knowledge necessary to complain to law enforcement.
(h) By contrast, consumers are generally not aware that data brokers possess their personal information, how to exercise their right to opt out, and whether they can have their information deleted, as provided by California law.
(i) People desire privacy and more control over their information. California residents should be able to exercise control over their personal information and be certain that there are safeguards against misuse of their personal information. It is possible for businesses both to respect consumers’ privacy and provide a high level of transparency regarding their business practices.
(j) Therefore, it is the intent of the Legislature to further Californians’ right to privacy by giving consumers an additional tool to help control the collection and sale of their personal information by requiring data brokers to register annually with the Attorney General and provide information about how consumers may opt out of the sale of their personal information.

SEC. 2.

 Title 1.81.48 (commencing with Section 1798.99.80) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.48. Data Broker Registration

 For purposes of this title:
(a) “Business” has the meaning provided in subdivision (c) of Section 1798.140.
(b) “Collect” and “collected” have the meaning provided in subdivision (e) of Section 1798.140.
(c) “Consumer” has the meaning provided in subdivision (g) of Section 1798.140.
(d) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(e) “Personal information” has the meaning provided in subdivision (o) of Section 1798.140.
(f) “Sale” or “sold” have the meaning provided in subdivision (t) of Section 1798.140.
(g) “Third party” has the meaning provided in subdivision (w) of Section 1798.140.
 (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the Attorney General pursuant to the requirements of this section.
(b) In registering with the Attorney General, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the Attorney General, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) (1) A data broker that fails to register as required by this section is subject to injunction and is liable for civil penalties, fees, and costs in an action brought in the name of the people of the State of California by the Attorney General as follows:
(A) A civil penalty of one hundred dollars ($100) for each day the data broker fails to register as required by this section.
(B) An amount equal to the fees that were due during the period it failed to register.
(C) Expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.
(2) Any penalties, fees, and expenses recovered in an action prosecuted under this section shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160, with the intent that they be used to fully offset costs incurred by the state courts and the Attorney General in connection with this title.
 The Attorney General shall create a page on its internet website where the information provided by data brokers under this title shall be accessible to the public.
 Nothing in this title shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)).