Bill Text

Bill Information


PDF |Add To My Favorites |Track Bill | print page

AB-1391 Unlawfully obtained data.(2021-2022)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 04/12/2021 09:00 PM
AB1391:v98#DOCUMENT

Amended  IN  Assembly  April 12, 2021

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill
No. 1391


Introduced by Assembly Member Chau

February 19, 2021


An act to add Section 1724 to the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 1391, as amended, Chau. Compromised Unlawfully obtained data.
Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.
This bill would make it unlawful for a person to sell, purchase, or utilize data, as defined, that the person knows or reasonably should know is compromised data. The bill would define the term “compromised data” to mean data that has been obtained or accessed pursuant to the commission of a crime. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1724 is added to the Civil Code, to read:

1724.
 (a) As used in this section, “compromised data” means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:
(1) “Authorized person” means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.
(2) “Data” has the same meaning as defined in Section 502 of the Penal Code.
(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.
(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.
(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.
(e) Liability under this section shall not limit or preclude liability under any other law.