Bill Text

PDF |Add To My Favorites |Track Bill | print page

SB-299 Personal information: minors: internet website: connected devices.(2019-2020)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 03/28/2019 09:00 PM
SB299:v98#DOCUMENT

Amended  IN  Senate  March 28, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Senate Bill
No. 299


Introduced by Senator Jackson

February 14, 2019


An act to amend Section 1798.81.5 of the Civil Code, add Sections 22581.1 and 22581.2 to the Business and Professions Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 299, as amended, Jackson. Personal information. information: minors: internet website: connected devices.
Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

This bill would make nonsubstantive changes to those provisions.

Existing federal law requires an operator of an internet website or online service directed to a child, as defined, or an operator of an internet website or online service that has actual knowledge that it is collecting personal information from a child to provide notice of what information is being collected and how that information is being used, and to give the parents of the child the opportunity to refuse to permit the operator’s further collection of information from the child.
Existing law prohibits an operator of an internet website, online service, online application, or mobile application, as specified, from marketing or advertising specified types of products or services to a minor. Existing law prohibits an operator from knowingly using, disclosing, compiling, or allowing a third party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services.
This bill would prohibit an operator of an internet website, online service, online application, or mobile application directed to minors, or an operator of an internet website, online service, online application, or mobile application that has actual knowledge that a minor is using its internet website, online service, online application, or mobile application, from using the personal information of a minor to direct content to the minor, or a group of individuals who are similar to the minor, based upon the minor’s actual or perceived race, ethnicity, religion, physical or mental disability, medical condition, gender identity, gender expression, sexual orientation, sex, or socioeconomic background, or any other factor used as a proxy for identifying any of those characteristics.
Existing law, beginning on January 1, 2020, requires a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
This bill, beginning on January 1, 2021, would require a manufacturer of a connected device directed towards minors to prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard that details whether, what, and how personal information of a minor is collected, transmitted, retained, used, and protected, as specified.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 22581.1 is added to the Business and Professions Code, to read:

22581.1.
 (a) An operator of an internet website, online service, online application, or mobile application directed to minors, or an operator of an internet website, online service, online application, or mobile application that has actual knowledge that a minor is using its internet website, online service, online application, or mobile application, shall not use the personal information of a minor to direct content to the minor, or a group of individuals who are similar to the minor, based upon the minor’s actual or perceived race, ethnicity, religion, physical or mental disability, medical condition, gender identity, gender expression, sexual orientation, sex, or socioeconomic background, or any other factor used as a proxy for identifying any of those characteristics.
(b) For purposes of this section, “internet website,” “minor,” and “operator” have the same meaning as defined in Section 22580.

SEC. 2.

 Section 22581.2 is added to the Business and Professions Code, to read:

22581.2.
 (a) A manufacturer of a connected device directed towards minors shall prominently display on the packaging for the connected device a standardized and easy-to-understand privacy dashboard that details all of the following regarding whether, what, and how personal information of a minor is:
(1) Collected from the connected device.
(2) Transmitted from the connected device.
(3) Retained on the connected device.
(4) Retained by the manufacturer of the connected device.
(5) Used by the manufacturer or affiliated persons.
(6) Protected.
(b) The privacy dashboard required by subdivision (a) shall inform the use of all of the following:
(1) The extent to which the connected device meets the highest cybersecurity and data security standards, including if and how one is able to obtain security patches.
(2) The extent to which the connected device does both of the following:
(A) Gives a parent or guardian meaningful control over the information of the minor and of the parent or guardian.
(B) Gives the minor meaningful control over their own information.
(3) The extent to which the device minimizes the collection, retention, and use of information from a minor.
(4) Where and how the privacy policy can be viewed or obtained.
(5) The type of personal information that the connected device may collect.
(6) The minimum length of time during which the connected device will receive security patches and software updates.
(7) Whether the connected device can be used without being connected to the internet.
(c) For purposes of this section, “connected device” has the same meaning as in Section 1798.91.05 of the Civil Code.
(d) This section shall become operative on January 1, 2021.

SECTION 1.Section 1798.81.5 of the Civil Code is amended to read:
1798.81.5.

(a)(1)It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2)For the purpose of this section, the terms “own” and “license” include personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term “maintain” includes personal information that a business maintains but does not own or license.

(b)A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c)A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(d)For purposes of this section, the following terms have the following meanings:

(1)“Personal information” means either of the following:

(A) An individual’s first name or first initial and their last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i)Social security number.

(ii)Driver’s license number or California identification card number.

(iii)Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv)Medical information.

(v)Health insurance information.

(B)A username or email address in combination with a password or security question and answer that would permit access to an online account.

(2)“Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history or medical treatment or diagnosis by a health care professional.

(3)“Health insurance information” means an individual’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.

(4)“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e)This section does not apply to any of the following:

(1)A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2)A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code).

(3)A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4)An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5)A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.