Compare Versions


Bill PDF |Add To My Favorites | print page

AB-288 Consumer privacy: social media companies. (2019-2020)



Current Version: 03/19/19 - Amended Assembly

Compare Versions information image


AB288:v98#DOCUMENT

Amended  IN  Assembly  March 19, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill
No. 288


Introduced by Assembly Member Cunningham
(Coauthors: Assembly Members Chen, Gallagher, Lackey, and Mayes)

January 28, 2019


An act to add Title 1.81.24 (commencing with Section 1798.90.7) to Part 4 of Division 3 of the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 288, as amended, Cunningham. Consumer privacy: social media companies.
The California Constitution provides for a right of privacy. Existing law prescribes a variety of consumer privacy protections, including those arising from particular business transactions. The California Consumer Privacy Act of 2018, operative January 1, 2020, grants consumers various rights with regard to personal information collected by a business, as defined, including the right to know what is collected and the right to have that information deleted.
This bill would require a social media company, networking service, as defined, to provide users that close their accounts the option to have the user’s personally identifiable information permanently removed from the company’s database and records and excluded from sale. to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to specified exceptions. The bill would require a social media company to honor such a request within a commercially reasonable time. The bill would authorize specified relief for a consumer for a violation of these provisions.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Title 1.81.24 (commencing with Section 1798.90.7) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.24. Social Media Privacy

1798.90.7.
 For the purposes of this title:
(a) “Personally identifiable information” does not include medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(b) “Social networking service” means an internet platform that does all of the following:
(1) Offers users an account hosted on the platform that requires a unique identifier and password.
(2) Allows users, through their account, to establish interpersonal connections with other user accounts on the platform.
(3) Allows users, through their account, to transmit electronic content between and among some or all of the user accounts to which they are interconnected. For purposes of this paragraph, “electronic content” includes, but is not limited to, videos, photographs, and messages.
(c) “Social networking service” does not mean any of the following:
(1) A media organization as defined by Section 1602 of Title 2 of the United States Code, as it read on April 1, 2019.
(2) A telecommunications carrier as defined in Section 153 of Title 47 of the United States Code, as it read on April 1, 2019.
(3) An institution regulated under the federal Gramm-Leach-Bliley Act (Public Law 106-102), as it read on April 1, 2019.
(4) An electronic place, including but not limited to, a store, internet website, or catalog where a seller sells or offers for sale tangible personal property, software applications, or taxable services for delivery in this state regardless of whether the tangible personal property, seller, or marketplace has a physical presence in the state.
(5) A retailer engaged in business in this state, as defined by subdivision (c) of Section 6203 of the Revenue and Taxation Code.
(6) An entity exempt from taxation under Section 501(c)(3) of the Internal Revenue Code.
(7) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in paragraph (1) of subdivision (a) of this section.

1798.90.75.
 (a) When a user of a social networking service deactivates or deletes the user’s account, the service shall provide the user the option of having the user’s personally identifiable information permanently removed from any database controlled by the service, from the service’s records, and to prohibit the service from selling that information to, or exchanging that information with, a third party in the future.
(b) A social networking service shall comply with a request made pursuant to subdivision (a) within a commercially reasonable time period.
(c) A social networking service shall not be required to comply with a request made pursuant to subdivision (a) if it is necessary for the business or service provider to maintain the consumer’s personal information for any of the following reasons:
(1) To complete the transaction for which the personal information was collected or provided a good or service requested by the consumer.
(2) To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.
(3) To debug to identify and repair errors that impair existing intended functionality.
(4) To comply with the Electronic Communications Privacy Act (Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code).
(5) To engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws when the business’ deletion of the information is likely to render impossible or seriously impair the achievement of that research, if the research is conducted pursuant to the consumer’s informed consent.

1798.90.7.

(a)For the purposes of this title, “social media company” means a company who provides electronic services or accounts, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or internet website profiles or locations.

(b)When a user of the services of a social media company decides to close the user’s account, the company shall provide the user the option of having the user’s personally identifiable information permanently removed from the company’s database and records and excluded from sale. If the user elects to have the user’s personally identifiable information permanently removed and excluded from sale, the social media shall do so. The social media company shall honor that request within a reasonable time.

1798.90.8.
 (a) Any consumer who suffers damages as a result of a violation of this title by any social media company networking service may bring an action in a court of appropriate jurisdiction against that company service to recover the following:
(1) In the case of a negligent violation, actual damages, including court costs, loss of wages, attorney’s fees and, when applicable, pain and suffering.
(2) In the case of a willful violation:
(A) Actual damages, as set forth in paragraph (1).
(B) Punitive damages of not less than one hundred dollars ($100) nor more than ten thousand dollars ($10,000) for each violation as the court deems proper.
(C) Any other relief that the court deems proper.
(b) Injunctive relief shall be available to any consumer aggrieved by a violation or a threatened violation of this title whether or not the consumer seeks any other remedy.
(c) Any person who willfully violates any requirement imposed under this title may be liable for punitive damages in the case of a class action, in an amount that the court may allow. In determining the amount of award in any class action, the court shall consider among relevant factors the amount of any actual damages awarded, the frequency of the violations, the resources of the violator and the number of persons adversely affected.
(d) The prevailing plaintiffs in any action commenced under this section shall be entitled to recover court costs and reasonable attorney’s fees.
(e) If a plaintiff only seeks and obtains injunctive relief to compel compliance with this title, court costs and attorney’s fees shall be awarded pursuant to Section 1021.5 of the Code of Civil Procedure.
(f) Nothing in this section is intended to affect remedies available under Section 128.5 of the Code of Civil Procedure.