SB-328 Personal information: prohibited practices. (2007-2008)



Current Version: 04/09/07 - Amended Senate

Amended in Senate April 09, 2007

CALIFORNIA LEGISLATURE— 2007–2008 REGULAR SESSION

Senate Bill No. 328


Introduced by Senator Corbett

February 16, 2007


An act to amend Sections 1798.80 and 1798.84 of, and to add Section 1798.83.5 to, the Civil Code, relating to personal information.


LEGISLATIVE COUNSEL'S DIGEST


SB 328, as amended, Corbett. Personal information: prohibited practices.
Existing law requires a business to ensure the privacy of a customer’s personal information, as defined, contained in records, as defined, by destroying, or arranging for the destruction of, the records. Existing law requires, subject to certain exceptions, a business that discloses a customer’s personal information, including information relating to income or purchases, to a 3rd party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed, except as specified. Existing law requires a person or business that owns or licenses computerized data that include personal information to disclose any breach of the security of its system, as specified. Existing law requires a business, other than one of specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. Any customer injured by a business’ violation of these provisions is entitled to recover damages, a civil penalty, attorney’s fees, injunctive relief, and other remedies.
This bill would include a telephone calling pattern record or list, as defined, in the definition of “personal information” for purposes of the above-described provisions. The bill would also prohibit any person, as defined, from, among other things, obtaining or attempting to obtain, or causing or attempting to cause the disclosure of, personal information about a customer or employee contained in the records of a business through specified methods, such as by making false, fictitious, or fraudulent statements or representations, with specified exceptions. The bill would provide civil remedies for the violation thereof, and would make related and conforming changes in that regard.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.80 of the Civil Code is amended to read:

1798.80.
 The following definitions apply to this title:
(a) “Business” means a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution organized, chartered, or holding a license or authorization certificate under the law of this state, any other state, the United States, or of any other country, or the parent or the subsidiary of a financial institution. The term includes an entity that destroys records.
(b) “Customer” means an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business.
(c) “Individual” means a natural person.
(d) “Person” means an individual, business association, partnership, limited partnership, corporation, limited liability company, trust, estate, cooperative association, or other entity.
(e) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, telephone calling pattern record or list, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.
(f) “Records” means any material, regardless of the physical form, on which information is recorded or preserved by any means, including in written or spoken words, graphically depicted, printed, or electromagnetically transmitted. “Records” does not include publicly available directories containing information an individual has voluntarily consented to have publicly disseminated or listed, such as name, address, or telephone number.
(g) “Telephone calling pattern record or list” means information retained by a telephone company that relates to the telephone number dialed by the subscriber, or other person using the subscriber’s telephone with permission, or the incoming number of a call directed to the subscriber, or other data related to those calls typically contained on a subscriber telephone bill, including the time the call started and ended, the duration of the call, any charges applied, and any information described in subdivision (a) of Section 2891 of the Public Utilities Code whether the call was made from or to a telephone connected to the public switched telephone network, a cordless telephone, as defined in Section 632.6, a telephony device operating over the Internet utilizing voice-over Internet protocol, a satellite telephone, or commercially available interconnected mobile phone service that provides access to the public switched telephone network via a mobile communication device employing radiowave technology to transmit calls, including cellular radiotelephone, broadband Personal Communications Services, and digital Specialized Mobile Radio.

SEC. 2.

 Section 1798.83.5 is added to the Civil Code, to read:

1798.83.5.
 (a) A person shall not obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed, personal information about a customer or employee contained in the records of a business using any of the following methods:
(1) By making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a business.
(2) By making a false, fictitious, or fraudulent statement or representation to a customer of a business.
(3) By providing any document to an officer, employee, or agent of a business, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
(b) A person shall not request a person to obtain personal information about a customer or employee contained in the records of a business, knowing that the person will obtain, or attempt to obtain, the information in any manner described in subdivision (a).
(c) No provision of this section shall be construed to prevent any action by a law enforcement agency, or any officer, employee, or agent of that agency, to obtain personal information about a customer or employee contained in the records of a business, as permitted by law in connection with the performance of the official duties of the agency.
(d) No provision of this section shall be construed to prevent any business, or any officer, employee, or agent of that business, from obtaining personal information about a customer or employee contained in the records of the business, in the course of any of the following:
(1) Testing the security procedures or systems of the business, for maintaining the confidentiality of personal information about a customer or employee.
(2) Investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the business.
(3) Recovering personal information about a customer or employee of the business, which was obtained or received by another person in any manner described in subdivision (a) or (b).
(4) Analyzing its customer records for patterns of activity in an effort to identify fraud or identity theft.
(e) Any personal information that is obtained in violation of subdivision (a) or (b) shall be inadmissible as evidence in any judicial, administrative, legislative, or other proceeding, except when that information is offered as proof in an action for a violation of this title.
(f) No provision of this section shall be construed to prevent any person from obtaining personal information pursuant to a lawfully issued and noticed subpoena or court order.
(g) The rights and remedies of a customer or employee for a violation of this section are the remedies provided in Section 1798.84.

SEC. 3.

 Section 1798.84 of the Civil Code is amended to read:

1798.84.
 (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.
(b) Any customer injured by a violation of this title may institute a civil action to recover damages.
(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83 or 1798.83.5, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83 or 1798.83.5.
(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.
(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.
(f) A prevailing plaintiff in any action commenced under Section 1798.83 or 1798.83.5 shall also be entitled to recover his or her reasonable attorney’s fees and costs.
(g) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
(h) The term “customer,” as used in this section, with respect to a violation of Section 1798.83.5 only, includes a customer or employee of a business.