A bill by Senator Mark DeSaulnier (D-Concord) to protect the personal information of consumers passed the Assembly Judiciary Committee today. SB 1348 reinforces a consumer’s constitutional right to privacy by requiring that data brokers give California residents the option to opt-out of having their personal information sold or traded.
This bill defines a data broker as a commercial entity that collects, assembles, and sells personal information of people who have had no prior direct contact with the data broker. This definition was derived from the Federal Trade Commission (FTC) in recent reports on the data broker industry.
“Consumers should have a right to protect their personal information from being bought, sold, and traded by unregulated data brokers,” Senator DeSaulnier said. “Californians face serious personal safety threats, privacy violations, and discrimination when they have no control over who can buy and sell their personal information. Californians should have a clear and simple way to opt-out of having their personal information bought and sold.”
Research from the Pew Center indicates that 68% of US internet users feel that current laws are not sufficient to protect people’s privacy online, and that 86% of users have taken steps to mask their digital footprint. This bill would take steps towards establishing a citizen’s fundamental right to privacy in the modern digital world.
Recently, the FTC released a report, Data Brokers: A Call for Transparency and Accountability, outlining the lack of consumer rights in relation to personal information that is held by data brokers. SB 1348 works towards the FTC’s call for greater protections of consumers’ personal information.
This bill requires a data broker who sells personal information to third parties to allow California residents to opt-out of the sale and public posting of their personal information upon request. SB 1348 requires that data brokers offer an option to opt-out, either in written form or in an easily located link on their business websites.
Additionally, the bill prohibits the data broker from re-posting the individual’s personal information or transferring the information to another business entity.
Website of Senator Mark DeSaulnier: http://sd07.senate.ca.gov/
Here is a look at the Bill
| Introduced by Senator DeSaulnier |
| February 21, 2014 |
An act to add Chapter 22.3 (commencing with Section 22590) to Division 8 of the Business and Professions Code, relating to personal information.
LEGISLATIVE COUNSEL’S DIGEST
SB 1348, as amended, DeSaulnier. Data brokers: sale of personal information.
Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Internet Web site or online service to conspicuously post its privacy policy on its Internet Web site or online service and to comply with that policy.
Unless prohibited by federal or state law, required or authorized by federal or state law to share the personal information with a 3rd party or prohibited by federal or state law from providing access to the personal information, this bill would require a data broker, as defined, that sells or offers for sale to a 3rd party the personal information of any resident of California, to (1) permit a subject individual, as defined, to review his or her personal information, as specified. The bill would require a data broker, unless prohibited by federal or state law, to and (2) conspicuously post an opt-out notice on its Internet Web site that would include specific and easily understood instructions for permanently removing personal information from the online data broker’s database by making a demand requesting that his or her personal information not be shared with or sold to third parties. the subject individual to make a demand on the data broker’s Internet Web site that his or her personal information not be shared with or sold to a 3rd party. The bill would require a data broker that receives a demand from a subject individual pursuant to these provisions, unless prohibited by federal or state law, to cease sharing or selling that information with third parties a 3rd party as soon as is reasonably possible, and thereafter to only retain as much personal information as is reasonably necessary to comply with the subject individual’s demand.
This bill would also make it unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the data broker’s database, and. The bill would authorize a subject individual to bring a civil action against any person in violation of these provisions for specified damages.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Bill Text
The people of the State of California do enact as follows:
SECTION 1.
Chapter 22.3 (commencing with Section 22590) is added to Division 8 of the Business and Professions Code, to read:
CHAPTER 22.3. Data Brokers
The following definitions apply to this chapter:
(a) “Conspicuously post,” with respect to an opt-out notice, means to post through any of the following:
(1) An Internet Web page on which the actual opt-out notice is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.
(2) An icon that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the term “opt out” or “opt-out.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.
(3) A text link that hyperlinks to an Internet Web page on which the actual opt-out notice is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does one of the following:
(A) Includes the term “opt out” or “opt-out.”
(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to be a hyperlink to the actual opt-out notice.
(b) (1) “Data broker” means a commercial entity that collects, assembles, or maintains personal information concerning individuals residing in California who are not customers or employees of that entity or who had no previous contact with that entity prior to contacting the entity pursuant to Section 22591, for the purposes of selling or offering for sale, or other consideration, the personal information to a third party.
(2) “Data broker” does not include any of the following:
(A) A commercial entity that sells personal information to the subject individual or his or her representative.
(B) A commercial entity engaging in the activities of a “consumer reporting agency” pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.)
(C) A commercial entity engaging in the activities of a “consumer credit reporting agency” pursuant to the Consumer Credit Reporting Agencies Act Title 1.6 (commencing with Section 1785.1) of Part 4 of Division 3 of the Civil Code.
(D) A commercial entity selling or providing for sale personal information to other commercial or nonprofit entities or government agencies that will use the information for purposes permitted to be used or disclosed pursuant to any applicable provision of Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Sec. 6801 et seq.), including purposes such as identity confirmation and fraud prevention.
(E) A person or entity enumerated in subdivision (b) of Section 2 of Article I of the California Constitution or Section 1070 of the Evidence Code that publishes or broadcasts information obtained or prepared in gathering, receiving, or processing of information for the purpose of communicating information to the public.
(c) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include information that is lawfully made available to the general public from federal, state, or local government records.
(d) “Subject individual” means the person to whom personal information pertains.
Unless prohibited by federal or state law, Unless the data broker is required or authorized by federal or state law to share the personal information with a third party or is prohibited by federal or state law from providing access to the personal information, a data broker that sells or offers for sale the personal information of any resident of California to a third party shall do both of the following:
(a) Permit a subject individual to review his or her personal information that has been collected, assembled, or maintained by the data broker by submitting an electronic demand through a secure online system.
(b) (1) The data broker shall conspicuously Conspicuously post an opt-out notice on its Internet Web site, which shall include specific and easily understood instructions for the subject individual to make a demand on the data broker’s Internet Web site that his or her personal information not be shared with or sold to a third parties party.
(2) If a subject individual makes a demand on the data broker’s Internet Web site that his or her personal information not be shared with or sold to a third parties party, the data broker shall cease sharing or selling that information with a third parties party as soon as is reasonably possible, and in no event later than 10 30 days after receipt of the notice, and the data broker shall thereafter retain only as much personal information as is reasonably necessary to comply with the subject individual’s demand.
(3) After receiving a subject individual’s demand, the data broker shall not transfer the subject individual’s personal information to any other person, business, or association through any other medium.
(4) Any information collected by a data broker to confirm the identity of a subject individual who has made a demand to remove his or her personal information from a database pursuant to this chapter shall be deleted after the identity of the subject individual has been confirmed and shall not be used for any other purpose.
(a) It is unlawful for a data broker to solicit or accept the payment of a fee or other consideration to review or permanently remove personal information from the data broker’s database.
(b) Each payment solicited or accepted in violation of this section constitutes a separate violation.
In addition to any other sanction, penalty, or remedy provided by law, a subject individual may bring a civil action in any court of competent jurisdiction against any person in violation of this chapter for damages in an amount equal to the greater of one thousand dollars ($1,000) per violation or the actual damages suffered by the subject individual as a result, along with costs, reasonable attorney’s fees, and any other legal or equitable relief.
