
SB-299 Personal information: minors: internet website: connected devices. (2019-2020)





SECTION 1.

 Section 22581.1 is added to the Business and Professions Code, to read:

22581.1.
 (a) An operator of an internet website, online service, online application, or mobile application directed to minors, or an operator of an internet website, online service, online application, or mobile application that has actual knowledge that a minor is using its internet website, online service, online application, or mobile application, shall not use the personal information of a minor to direct content to the minor, or a group of individuals who are similar to the minor, based upon the minor’s actual or perceived race, ethnicity, religion, physical or mental disability, medical condition, gender identity, gender expression, sexual orientation, sex, or socioeconomic background, or any other factor used as a proxy for identifying any of those characteristics.
(b) For purposes of this section, “internet website,” “minor,” and “operator” have the same meaning as defined in Section 22580.

SEC. 2.

 Section 22581.2 is added to the Business and Professions Code, to read:

22581.2.
 (a) A manufacturer of a connected device directed towards minors shall prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard that details all of the following regarding whether, what, and how personal information of a minor is:
(1) Collected from the connected device.
(2) Transmitted from the connected device.
(3) Retained on the connected device.
(4) Retained by the manufacturer of the connected device.
(5) Used by the manufacturer or affiliated persons.
(6) Protected.
(b) The privacy dashboard required by subdivision (a) shall inform the use of all of the following:
(1) The extent to which the connected device meets the highest cybersecurity and data security standards, including if and how one is able to obtain security patches.
(2) The extent to which the connected device does both of the following:
(A) Gives a parent or guardian meaningful control over the information of the minor and of the parent or guardian.
(B) Gives the minor meaningful control over their own information.
(3) The extent to which the device minimizes the collection, retention, and use of information from a minor.
(4) Where and how the privacy policy can be viewed or obtained.
(5) The type of personal information that the connected device may collect.
(6) The minimum length of time during which the connected device will receive security patches and software updates.
(7) Whether the connected device can be used without being connected to the internet.
(c) For purposes of this section, “connected device” has the same meaning as in Section 1798.91.05 of the Civil Code.
(d) This section shall become operative on January 1, 2021.