1798.90.
(a) This title shall be known and may be cited as the Reader Privacy Act.
(b) For purposes of this section:
(1) “Book” means paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or finite number of
volumes, excluding serial publications such as a magazine or newspaper.
(2) “Book service” means a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books. “Book service” does not include a store that sells a variety of consumer products when the book service sales do not exceed 2 percent of the store’s total annual gross sales of consumer products sold in the United States.
(3) “Government entity” means any state or local agency, including, but not limited to, a law enforcement entity or any other investigative entity, agency, department, division, bureau, board, or commission, or any individual acting or purporting to act for or on behalf of a state or local agency.
(4) “Law enforcement entity” means a district attorney, a district attorney’s office, a municipal
police department, a sheriff’s department, a county probation department, a county social services agency, the Department of Justice, the Department of Corrections and Rehabilitation, the Department of Corrections and Rehabilitation Division of Juvenile Facilities, the Department of the California Highway Patrol, the police department of a campus of a community college, the University of California, or the California State University, or any other department or agency of the state authorized to investigate or prosecute the commission of a crime.
(5) “Personal information” means all of the following:
(A) Any information that identifies, relates to, describes, or is associated with a particular user, including, but not limited to, the information specifically listed in Section 1798.80.
(B) A unique identifier or
Internet Protocol address, when that identifier or address is used to identify, relate to, describe, or be associated with a particular user or book, in whole or in partial form.
(C) Any information that relates to, or is capable of being associated with, a particular user’s access to or use of a book service or a book, in whole or in partial form.
(6) “Provider” means any commercial entity offering a book service to the public.
(7) “User” means any person or entity that uses a book service.
(c) A provider shall not knowingly disclose to any government entity, or be compelled to disclose to any person, private entity, or government entity, any personal information of a user, except under any of the following circumstances:
(1) A provider shall disclose personal information of a user to a law enforcement entity only pursuant to a court order issued by a duly authorized court with jurisdiction over an offense that is under investigation and only if all of the following conditions are met:
(A) The court issuing the order finds that probable cause exists to believe the personal information requested is relevant evidence to the investigation of an offense and any of the grounds in Section 1524 of the Penal Code is satisfied.
(B) The court issuing the order finds that the law enforcement entity seeking disclosure has a compelling interest in obtaining the personal information sought.
(C) The court issuing the order finds that the personal information sought cannot be obtained by
the law enforcement entity seeking disclosure through less intrusive means.
(D) Prior to issuance of the court order, the law enforcement entity seeking disclosure provides, in a timely manner, the provider with reasonable notice of the proceeding to allow the provider the opportunity to appear and contest issuance of the order.
(E) The law enforcement entity seeking disclosure has informed the provider that it has given notice of the court order to the user contemporaneously with the execution of the order, unless there is a judicial determination of a strong showing of necessity to delay that notification for a reasonable period of time, not to exceed 90 days.
(2) (A) A provider shall disclose personal information of a user to any of the following only if all of the conditions listed in
subparagraph (B) are satisfied:
(i) A government entity, other than a law enforcement entity, pursuant to a court order issued by a court having jurisdiction over an offense under investigation by that government entity.
(ii) A government entity, other than a law enforcement entity, or a person or private entity pursuant to a court order in a pending action brought by the government entity or by the person or private entity.
(B) A provider shall disclose personal information of a user pursuant to subparagraph (A) only if all of the following conditions are satisfied:
(i) The court issuing the order finds that the person or entity seeking disclosure has a compelling interest in obtaining the personal information sought.
(ii) The court issuing the order finds that the personal information sought cannot be obtained by the person or entity seeking disclosure through less intrusive means.
(iii) Prior to issuance of the court order, the person or entity seeking disclosure provides, in a timely manner, the provider with reasonable notice of the proceeding to allow the provider the opportunity to appear and contest the issuance of the court order.
(iv) The provider refrains from disclosing any personal information pursuant to the court order until it provides, in a timely manner, notice to the user about the issuance of the order and the ability to appear and quash the order, and the user has been given a minimum of 35 days prior to disclosure of the information within which to appear and quash the order.
(3) A provider shall disclose the personal information of a user to any person, private entity, or government entity if the user has given his or her informed, affirmative consent to the specific disclosure for a particular purpose.
(4) A provider may disclose personal information of a user to a government entity, if the government entity asserts, and the provider in good faith believes, that there is an imminent danger of death or serious physical injury requiring the immediate disclosure of the requested personal information and there is insufficient time to obtain a court order. The government entity seeking the disclosure shall provide the provider with a written statement setting forth the facts giving rise to the emergency upon request or no later than 48 hours after seeking disclosure.
(5) A provider may disclose
personal information of a user to a government entity if the provider in good faith believes that the personal information is evidence directly related and relevant to a crime against the provider or that user.
(d) (1) Any court issuing a court order requiring the disclosure of personal information of a user shall impose appropriate safeguards against the unauthorized disclosure of personal information by the provider and by the person, private entity, or government entity seeking disclosure pursuant to the order.
(2) The court may, in its discretion, quash or modify a court order requiring the disclosure of the user’s personal information upon a motion made by the user, provider, person, or entity seeking disclosure.
(e) A provider, upon the request of a law enforcement entity, shall take all
necessary steps to preserve records and other evidence in its possession of a user’s personal information related to the use of a book or part of a book, pending the issuance of a court order or a warrant pursuant to this section or Section 1798.90.05. The provider shall retain the records and evidence for a period of 90 days from the date of the request by the law enforcement entity, which shall be extended for an additional 90-day period upon a renewed request by the law enforcement entity.
(f) Except in an action for a violation of this section, no evidence obtained in violation of this section shall be admissible in any civil or administrative proceeding.
(g) (1) Violations of this section shall be subject to the following penalties:
(A) Any provider that knowingly provides personal
information about a user to a government entity in violation of this section shall be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, which shall be paid to the user in a civil action brought by the user.
(B) Any provider that knowingly provides personal information about a user to a government entity in violation of this section shall, in addition to the penalty prescribed by subparagraph (A), be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, which may be assessed and recovered in a civil action brought by the Attorney General, by any district attorney or city attorney, or by a city prosecutor in any city having a full-time city prosecutor, in any court of competent jurisdiction.
(2) If an action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of
the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. If the action is brought by a city attorney or city prosecutor, one-half of the penalty shall be paid to the treasurer of the city in which the judgment was entered, and one-half to the treasurer of the county in which the judgment was entered.
(3) The penalties provided by this section are not the exclusive remedy and do not affect any other relief or remedy provided by law.
(4) A civil action brought pursuant to this section shall be commenced within two years after the date upon which the claimant first discovered the violation.
(h) An objectively reasonable reliance by the provider on a
warrant or court order for the disclosure of personal information of a user, or on any of the enumerated exceptions to the confidentiality of a user’s personal information set forth in this section, is a complete defense to any civil action for the violation of this section.
(i) (1) Unless disclosure of information pertaining to a particular request or set of requests is specifically prohibited by law, a provider shall prepare a report including all of the following information, to the extent it can be reasonably determined:
(A) The number of federal and state warrants, federal and state grand jury subpoenas, federal and state civil and administrative subpoenas, federal and state civil and criminal court orders, and requests for information made with the informed consent of the user as described in paragraph (3) of subdivision (c), seeking disclosure of any
personal information of a user related to the access or use of a book service or book, received by the provider from January 1 to December 31, inclusive, of the previous year.
(B) The number of disclosures made by the provider pursuant to paragraphs (4) and (5) of subdivision (c) from January 1 to December 31, inclusive, of the previous year.
(C) For each category of demand or disclosure, the provider shall include all of the following information:
(i) The number of times notice of a court order in a criminal, civil, or administrative action has been provided by the provider and the date the notice was provided.
(ii) The number of times personal information has been disclosed by the provider.
(iii) The number of times no personal information has been disclosed by the provider.
(iv) The number of times the provider contests the demand.
(v) The number of times the user contests the demand.
(vi) The number of users whose personal information was disclosed by the provider.
(vii) The type of personal information that was disclosed and the number of times that type of personal information was disclosed.
(2) Notwithstanding paragraph (1), a provider is not required to prepare a report pursuant to this subdivision unless it has disclosed personal information related to the access or use of a book service or book of more than 30 total users consisting of users located in this
state or users whose location is unknown or of both types of users.
(3) The reporting requirements of this subdivision shall not apply to information disclosed to a government entity that is made by a provider serving a postsecondary educational institution when the provider is required to disclose the information in order to be reimbursed for the sale or rental of a book that was purchased or rented by a student using book vouchers or other financial aid subsidies for books.
(j) Reports prepared pursuant to subdivision (i) shall be made publicly available in an online, searchable format on or before March 1 of each year. If the provider does not have an Internet Web site, the provider shall post the reports prominently on its premises or send the reports to the Office of Privacy Protection on or before March 1 of each year.
(k) On or before March 1 of each year, a provider subject to Section 22575 of the Business and Professions Code shall complete one of the following actions:
(1) Create a prominent hyperlink to its latest report prepared pursuant to subdivision (i) in the disclosure section of its privacy policy applicable to its book service.
(2) Post the report prepared pursuant to subdivision (i) in the section of its Internet Web site explaining the way in which user information and privacy issues related to its book service are addressed.
(3) State on its Internet Web site in one of the areas described in paragraphs (1) and (2) that no report prepared pursuant to subdivision (i) is available because the provider is exempt from the reporting requirement pursuant to paragraph (2) of subdivision (i).
(l) Nothing in this section shall otherwise affect the rights of any person under the California Constitution or any other law or be construed as conflicting with the federal Privacy Protection Act of 1980 (42 U.S.C. 2000aa et seq.).
(Added by Stats. 2011, Ch. 424, Sec. 1. (SB 602) Effective January 1, 2012.)