Today's Law As Amended


Bill PDF |Add To My Favorites | print page

AB-2677 Information Practices Act of 1977.(2021-2022)



As Amends the Law Today


SECTION 1.
 It is the intent of the Legislature to create a comprehensive privacy law to govern the personal information collected, used, and disclosed by local agencies to address the patchwork of opaque policies that differ between state and local entities in a manner that better protects personal information.

SEC. 2.

 Section 1798.3 of the Civil Code, as amended by Section 43 of Chapter 615 of the Statutes of 2021, is amended to read:

1798.3.
 As used in this chapter:
(a) The term “personal information” means any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, the individual’s name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
(b) The term “agency” means every state office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include:
(1) The California Legislature.
(2) Any agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records that contain personal information about the employees of the State Compensation Insurance Fund.
(4) A local agency, as defined in Section 7920.510 of the Government Code.
(c) The term “disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) The term “individual” means a natural person.
(e) The term “maintain” includes maintain, acquire, use, or disclose.
(f) The term “person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) The term “record” means any file or grouping of information about an individual that is maintained by an agency by reference to an identifying particular such as the individual’s name, photograph, finger or voice print, or a number or symbol assigned to the individual.
(h) The term “system of records” means one or more records, which pertain to one or more individuals, which is maintained by any agency, from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
(i) The term “governmental entity,” except as used in Section 1798.26, means any branch of the federal government or of the local government.
(j) The term “commercial purpose” means any purpose that has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(k) The term “regulatory agency” means the Department of Financial Protection and Innovation,  Business Oversight,  the Department of Insurance, the Bureau of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.
(l) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 3.

 Section 1798.3 is added to the Civil Code, to read:

1798.3.
 As used in this chapter:
(a) The term “personal information” means any information that is maintained by an agency that is reasonably capable of identifying or describing an individual, including, but not limited to, the individual’s name, social security number, physical description, address, telephone number, education, financial matters, and medical or employment history, and, if reasonably capable of identifying or describing an individual, genetic information, IP address, online browsing history, and location information. It includes statements made by, or attributed to, the individual.
(b) The term “agency” means every state office, officer, department, division, bureau, board, commission, or other state agency, except that the term agency shall not include:
(1) The California Legislature.
(2) Any agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records that contain personal information about the employees of the State Compensation Insurance Fund.
(4) A local agency, as defined in Section 7920.510 of the Government Code.
(c) The term “disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) The term “individual” means a natural person.
(e) The term “maintain” includes maintain, acquire, use, or disclose.
(f) The term “person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) The term “record” means any file or grouping of personal information that is maintained by an agency.
(h) The term “governmental entity,” except as used in Section 1798.26, means any branch of the federal government or of the local government.
(i) The term “commercial purpose” means any purpose that has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(j) The term “regulatory agency” means the Department of Financial Protection and Innovation, the Department of Insurance, the Bureau of Real Estate, the Financial Industry Regulatory Authority, and agencies of the United States or of any other state responsible for regulating financial institutions.
(k) This section shall become operative on January 1, 2025.

SEC. 4.

 Section 1798.17 of the Civil Code is amended to read:

1798.17.
 Each agency shall provide on or with any form used to collect personal information from individuals the notice specified in this section. When contact with the individual is of a regularly recurring nature, an initial notice followed by a periodic notice of not more than one-year intervals shall satisfy this requirement. This requirement is also satisfied by notification to individuals of the availability of the notice in annual tax-related pamphlets or booklets provided for them. The notice shall include all of the following:
(a) The name of the agency and the division within the agency that is requesting the information.
(b) The title, business address, and telephone number of the agency official who is responsible for the system of records and who shall, upon request, inform an individual regarding the location of his or her records and the categories of any persons who use the information in those records.
(c) The authority, whether granted by statute, regulation, or executive order which authorizes the maintenance of the information.
(d) With respect to each item of information, whether submission of such information is mandatory or voluntary.
(e) The consequences, if any, of not providing all or any part of the requested information.
(f) The principal purpose or purposes within the agency for which the information is to be used.
(g) Any known or foreseeable disclosures which may be made of the information pursuant to subdivision (e) or (f) of Section 1798.24.
(h) The individual’s right of access to records containing personal information which are maintained by the agency.
This section does not apply to any enforcement document issued by an employee of a law enforcement agency in the performance of his or her duties wherein the violator is provided an exact copy of the document, or to accident reports whereby the parties of interest may obtain a copy of the report pursuant to Section 20012 of the Vehicle Code.
The notice required by this section does not apply to agency requirements for an individual to provide his or her name, identifying number, photograph, address, or similar identifying information, if this information is used only for the purpose of identification and communication with the individual by the agency, except that requirements for an individual’s social security number shall conform with the provisions of the Federal Privacy Act of 1974 (Public Law 93-579).
This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 5.

 Section 1798.17 is added to the Civil Code, to read:

1798.17.
 Each agency shall provide on or with any form used to collect personal information from individuals the notice specified in this section. When contact with the individual is of a regularly recurring nature, an initial notice followed by a periodic notice of not more than one-year intervals shall satisfy this requirement. This requirement is also satisfied by notification to individuals of the availability of the notice in annual tax-related pamphlets or booklets provided for them. The notice shall include all of the following:
(a) The name of the agency and the division within the agency that is requesting the information.
(b) The title, business address, and telephone number of the agency official who is responsible for the records and who shall, upon request, inform an individual regarding the location of the individual’s records and the categories of any persons who use the information in those records.
(c) The authority, whether granted by statute, regulation, or executive order which authorizes the maintenance of the information.
(d) With respect to each item of information, whether submission of such information is mandatory or voluntary.
(e) The consequences, if any, of not providing all or any part of the requested information.
(f) The purpose or purposes within the agency for which the information is to be used.
(g) Any known or foreseeable disclosures which may be made of the information pursuant to subdivision (e) or (f) of Section 1798.24.
(h) The individual’s right of access to records containing personal information which are maintained by the agency.
This section does not apply to any enforcement document issued by an employee of a law enforcement agency in the performance of the employee’s duties wherein the violator is provided an exact copy of the document, or to accident reports whereby the parties of interest may obtain a copy of the report pursuant to Section 20012 of the Vehicle Code.
The notice required by this section does not apply to agency requirements for an individual to provide the individual’s name, identifying number, photograph, address, or similar identifying information, if this information is used only for the purpose of identification and communication with the individual by the agency, except that requirements for an individual’s social security number shall conform with the provisions of the Federal Privacy Act of 1974 (Public Law 93-579).
This section shall become operative on January 1, 2025.

SEC. 6.

 Section 1798.20 of the Civil Code is amended to read:

1798.20.
 (a)  Each agency shall establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each such person with respect to such rules and the requirements of this chapter, including any other rules and procedures adopted pursuant to this chapter and the remedies and penalties for noncompliance.
(b) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 7.

 Section 1798.20 is added to the Civil Code, to read:

1798.20.
 (a) Consistent with applicable provisions of the State Administrative Manual and the State Information Management Manual, each agency shall establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each such person with respect to such rules and the requirements of this chapter, including any other rules and procedures adopted pursuant to this chapter and the remedies and penalties for noncompliance.
(b) An agency shall not use records containing personal information for any purpose or purposes other than the purpose or purposes for which that personal information was collected or generated, except as required by federal law, or as authorized or required by state law.
(c) This section shall become operative on January 1, 2025.

SEC. 8.

 Section 1798.24 of the Civil Code is amended to read:

1798.24.
 An agency shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that have has  custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired.
(e) To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity if required by state or federal law.
(g) Pursuant to the California Public Records Act (Division 10 (Chapter 3.5  (commencing with Section 7920.000) of  6250) of Division 7 of  Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at the individual’s last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or the director’s designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and disclosure is limited to general background information pertaining to the adopted person’s biological parents, if the information does not include or reveal the identity of the biological parents.
(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s biological parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the biological parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the Legislature, or the member’s staff if authorized in writing by the member, if the member has permission to obtain the information from the individual to whom it pertains or if the member provides reasonable assurance that the member is acting on behalf of the individual.
(t) (1) To the University of California, a nonprofit educational institution, an established nonprofit research institution performing health or social services research, the Cradle-to-Career Data System, for purposes consistent with the creation and execution of the Cradle-to-Career Data System Act pursuant to Article 2 (commencing with Section 10860) of Chapter 8.5 of Part 7 of Division 1 of Title 1 of the Education Code, or, in the case of education-related data, another nonprofit entity, conducting scientific research, if the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (5) and (6). The approval shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS shall enter into a written agreement with the Office of Cradle-to-Career Data, as defined in Section 10862 of the Education Code, to assist the managing entity of that office in its role as the institutional review board for the Cradle-to-Career Data System.
(3) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(4) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(5) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision are satisfied.
(6) Pursuant to paragraph (5), the CPHS shall enter into a written agreement with the institutional review board established pursuant to former Section 49079.6 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision and the act specified in subdivision (a) of Section 49079.5 of the Education Code are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.
(w) For the sole purpose of participation in interstate data sharing of prescription drug monitoring program information pursuant to the California Uniform Controlled Substances Act (Division 10 (commencing with Section 11000) of the Health and Safety Code), if disclosure is limited to prescription drug monitoring program information.
This article does not require the disclosure of personal information to the individual to whom the information pertains if that information may otherwise be withheld as set forth in Section 1798.40.
This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 9.

 Section 1798.24 is added to the Civil Code, to read:

1798.24.
 An agency shall not disclose any personal information in a manner that links or reasonably could link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and furthers the purpose for which the information was acquired.
(e) To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use furthers the purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency to another law enforcement or regulatory agency, a use furthers the purpose if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity if required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that cannot identify any individual, and the written assurance includes a statement that the person will not attempt to reidentify the information.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at the individual’s last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or the director’s designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(p) To an adopted person and disclosure is limited to general background information pertaining to the adopted person’s biological parents, if the information does not include or reveal the identity of the biological parents.
(q) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s biological parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the biological parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(r) To a committee of the Legislature or to a Member of the Legislature, or the Member’s staff if authorized in writing by the Member if the Member has permission to obtain the information from the individual to whom it pertains or if the Member provides reasonable assurance that the Member is acting on behalf of the individual.
(s) (1) To the University of California, a nonprofit educational institution, an established nonprofit research institution performing health or social services research, or the Cradle-to-Career Data System for purposes consistent with the creation and execution of the Cradle-to-Career Data System Act pursuant to Article 2 (commencing with Section 10860) of Chapter 8.5 of Part 7 of Division 1 of Title 1 of the Education Code, or, in the case of education-related data, another nonprofit entity, conducting scientific research, if the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (5) and (6). The approval shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonably anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS shall enter into a written agreement with the Office of Cradle-to-Career Data, as defined in Section 10862 of the Education Code, to assist the managing entity of that office in its role as the institutional review board for the Cradle-to-Career Data System.
(3) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(4) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(5) (A) The CPHS may enter into written agreements with other entities to enable other institutional review boards or privacy boards to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision are satisfied.
(B) For purposes of this paragraph, “privacy board” means a committee charged with reviewing research requests involving the use of personal information that meets all of the following criteria:
(i) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights.
(ii) Includes at least one member who is not affiliated with the entity requesting the personal information nor the agency from which the personal information is being requested, and is not related to any person who is affiliated with any such entities.
(iii) Does not have any member participating in a review of any project in which the member has a conflict of interest.
(6) Pursuant to paragraph (5), the CPHS shall enter into a written agreement with the institutional review board established pursuant to former Section 49079.6 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision and the act specified in subdivision (a) of Section 49079.5 of the Education Code are satisfied.
(t) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(u) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.
(v) For the sole purpose of participation in interstate data sharing of prescription drug monitoring program information pursuant to the California Uniform Controlled Substances Act (Division 10 (commencing with Section 11000) of the Health and Safety Code), if disclosure is limited to prescription drug monitoring program information.
This article does not require the disclosure of personal information to the individual to whom the information pertains if that information may otherwise be withheld as set forth in Section 1798.40.
This section shall become operative on January 1, 2025.

SEC. 10.

 Section 1798.24b of the Civil Code is amended to read:

1798.24b.
 (a) Notwithstanding Section 1798.24, except subdivision (v) thereof, information shall be disclosed to the protection and advocacy agency designated by the Governor in this state pursuant to federal law to protect and advocate for the rights of people with disabilities, as described in Division 4.7 (commencing with Section 4900) of the Welfare and Institutions Code.
(b) Information that shall be disclosed pursuant to this section includes all of the following information:
(1) Name.
(2) Address.
(3) Telephone number.
(4) Any other information necessary to identify that person whose consent is necessary for either of the following purposes:
(A) To enable the protection and advocacy agency to exercise its authority and investigate incidents of abuse or neglect of people with disabilities.
(B) To obtain access to records pursuant to Section 4903 of the Welfare and Institutions Code.
(c) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 11.

 Section 1798.24b is added to the Civil Code, to read:

1798.24b.
 (a) Notwithstanding Section 1798.24, except subdivision (u) thereof, information shall be disclosed to the protection and advocacy agency designated by the Governor in this state pursuant to federal law to protect and advocate for the rights of people with disabilities, as described in Division 4.7 (commencing with Section 4900) of the Welfare and Institutions Code.
(b) Information that shall be disclosed pursuant to this section includes all of the following information:
(1) Name.
(2) Address.
(3) Telephone number.
(4) Any other information necessary to identify that person whose consent is necessary for either of the following purposes:
(A) To enable the protection and advocacy agency to exercise its authority and investigate incidents of abuse or neglect of people with disabilities.
(B) To obtain access to records pursuant to Section 4903 of the Welfare and Institutions Code.
(c) This section shall become operative on January 1, 2025.

SEC. 12.

 Section 1798.25 of the Civil Code is amended to read:

1798.25.
 (a) Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (i), (k), (l), (o), or (p) of Section 1798.24. This accounting shall also be required for disclosures made pursuant to subdivision (e) or (f) of Section 1798.24 unless notice of the type of disclosure has been provided pursuant to Sections 1798.9 and 1798.10. The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made. For the purpose of an accounting of a disclosure made under subdivision (o) of Section 1798.24, it shall be sufficient for a law enforcement or regulatory agency to record the date of disclosure, the law enforcement or regulatory agency requesting the disclosure, and whether the purpose of the disclosure is for an investigation of unlawful activity under the jurisdiction of the requesting agency, or for licensing, certification, or regulatory purposes by that agency.
(b) Routine disclosures of information pertaining to crimes, offenders, and suspected offenders to law enforcement or regulatory agencies of federal, state, and local government shall be deemed to be disclosures pursuant to subdivision (e) of Section 1798.24 for the purpose of meeting this requirement.
(c) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 13.

 Section 1798.25 is added to the Civil Code, to read:

1798.25.
 (a) Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (e), (f), (i), (k), (l), or (o) of Section 1798.24. The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made.
(b) This section shall become operative on January 1, 2025.

SEC. 14.

 Section 1798.26 of the Civil Code is amended to read:

1798.26.
 (a)  (1)  With respect to the sale of information concerning the registration of any vehicle or the sale of information from the files of drivers’ licenses, the Department of Motor Vehicles shall, by regulation, establish administrative procedures under which any person making a request for information shall be required to identify himself or herself and state the reason for making the request. These procedures shall provide for the verification of the name and address of the person making a request for the information and the department may require the person to produce the information as it determines is necessary in order to ensure that the name and address of the person are his or her true name and address. These procedures may provide for a 10-day delay in the release of the requested information. These procedures shall also provide for notification to the person to whom the information primarily relates, as to what information was provided and to whom it was provided. The department shall, by regulation, establish a reasonable period of time for which a record of all the foregoing shall be maintained.
(2)  The procedures required by this subdivision do not apply to any governmental entity, any person who has applied for and has been issued a requester code by the department, or any court of competent jurisdiction.
(b) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 15.

 Section 1798.26 is added to the Civil Code, to read:

1798.26.
 (a) (1) With respect to the sale of information concerning the registration of any vehicle or the sale of information from the files of drivers’ licenses, the Department of Motor Vehicles shall, by regulation, establish administrative procedures under which any person making a request for information shall be required to identify themselves and state the reason for making the request. These procedures shall provide for the verification of the name and address of the person making a request for the information and the department may require the person to produce the information as it determines is necessary in order to ensure that the name and address of the person are their true name and address. These procedures may provide for a 10-day delay in the release of the requested information. These procedures shall also provide for notification to the person to whom the information relates, as to what information was provided and to whom it was provided. The department shall, by regulation, establish a reasonable period of time for which a record of all the foregoing shall be maintained.
(2) The procedures required by this subdivision do not apply to any governmental entity, any person who has applied for and has been issued a requester code by the department, or any court of competent jurisdiction.
(b) This section shall become operative on January 1, 2025.

SEC. 16.

 Section 1798.27 of the Civil Code is amended to read:

1798.27.
 (a)  Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made, or until the record is destroyed, whichever is shorter.
(b)  Nothing in this section shall be construed to require retention of the original documents for a three-year period, providing that the agency can otherwise comply with the requirements of this section.
(c) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 17.

 Section 1798.27 is added to the Civil Code, to read:

1798.27.
 (a) Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made.
(b) Nothing in this section shall be construed to require retention of the original documents for a three-year period, providing that the agency can otherwise comply with the requirements of this section.
(c) This section shall become operative on January 1, 2025.

SEC. 18.

 Section 1798.55 of the Civil Code is amended to read:

1798.55.
 (a)  The intentional violation of any provision of this chapter or of any rules or regulations adopted thereunder, by an officer or employee of any agency shall constitute a cause for discipline, including termination of employment.
(b) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 19.

 Section 1798.55 is added to the Civil Code, to read:

1798.55.
 (a) The intentional or negligent violation of any provision of this chapter or of any rules or regulations adopted thereunder, by an officer or employee of any agency shall constitute a cause for discipline, up to and including termination of employment.
(b) This section shall become operative on January 1, 2025.

SEC. 20.

 Section 1798.57 of the Civil Code is amended to read:

1798.57.
 (a)  Except for disclosures which are otherwise required or permitted by law, the intentional disclosure of medical, psychiatric, or psychological information in violation of the disclosure provisions of this chapter is punishable as a misdemeanor if the wrongful disclosure results in economic loss or personal injury to the individual to whom the information pertains.
(b) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 21.

 Section 1798.57 is added to the Civil Code, to read:

1798.57.
 (a) Except for disclosures which are otherwise required or permitted by law, the intentional disclosure of medical, psychiatric, or psychological information that is known or should be known to be in violation of the disclosure provisions of this chapter is punishable as a misdemeanor.
(b) This section shall become operative on January 1, 2025.

SEC. 22.

 Section 1798.68 of the Civil Code is amended to read:

1798.68.
 (a) Information which is permitted to be disclosed under the provisions of subdivision (e), (f), or (o), of Section 1798.24 shall be provided when requested by a district attorney.
A district attorney may petition a court of competent jurisdiction to require disclosure of information when an agency fails or refuses to provide the requested information within 10 working days of a request. The court may require the agency to permit inspection unless the public interest or good cause in withholding such records clearly outweighs the public interest in disclosure.
(b) Disclosure of information to a district attorney under the provisions of this chapter shall effect no change in the status of the records under any other provision of law.
(c) This section shall remain in effect only until January 1, 2025, and as of that date is repealed.

SEC. 23.

 Section 1798.68 is added to the Civil Code, to read:

1798.68.
 (a) Information which is permitted to be disclosed under the provisions of subdivision (e) or (f) of Section 1798.24 shall be provided when requested by a district attorney.
A district attorney may petition a court of competent jurisdiction to require disclosure of information when an agency fails or refuses to provide the requested information within 10 working days of a request. The court may require the agency to permit inspection unless the public interest or good cause in withholding such records clearly outweighs the public interest in disclosure.
(b) Disclosure of information to a district attorney under the provisions of this chapter shall effect no change in the status of the records under any other provision of law.
(c) This section shall become operative on January 1, 2025.
SEC. 24.
 The Legislature finds and declares that Sections 3 and 9 of this act, which add Sections 1798.3 and 1798.24 to the Civil Code, impose a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
By modernizing provisions of the Information Practices Act of 1977 to address the effects of advances in information technology on the scope and sensitivity of personal information collected, maintained, and disseminated by state agencies, this act balances the right to access information concerning the conduct of the people’s business with the individual right to privacy.
SEC. 25.
 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.