BILL NUMBER: AB 1291	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  APRIL 1, 2013

INTRODUCED BY   Assembly Member Lowenthal
   (Coauthors: Assembly Members Chau and Rendon)

                        FEBRUARY 22, 2013

   An act to repeal and add Section 1798.83 to the Civil Code,
relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 1291, as amended, Lowenthal. Privacy: Right to Know Act of
2013: disclosure of a customer's personal information.
   (1) Existing law requires a business to ensure the privacy of a
customer's personal information, as defined, contained in records by
destroying, or arranging for the destruction of, the records, as
specified. Any customer injured by a business' violation of these
provisions is entitled to recover damages, obtain injunctive relief,
or seek other remedies.
   This bill would create the Right to Know Act of 2013, would repeal
and reorganize certain provisions of existing law, and would provide
legislative findings in support thereof.
   (2) Existing law also requires a business that collects customer
information for marketing purposes and that discloses a customer's
personal information to a 3rd party for direct marketing purposes, to
provide the customer with whom it had a business relationship, as
defined, within 30 days after the customer's request, as specified,
in writing or by e-mail, the names and addresses of the recipients of
that information and specified details regarding the information
disclosed, except as specified. Existing law requires a business
subject to these provisions to provide an address, electronic
address, or toll-free telephone or facsimile number that a customer
may use to deliver requests for copies of his or her personal
information.
   This bill would instead require any business that retains a
customer's personal information, as defined, or discloses that
information to a 3rd party, to
provide at no charge, within 30 days of the customer's specified
request, a copy of that information to the customer as well as the
names and contact information for all 3rd parties with which the
business has shared the information during the previous 12 months,
regardless of any business relationship with the customer. This bill
would require that a business subject to these provisions choose one
of several specified options to provide the customer with a
designated address for use in making a request for copies of
information under these provisions.
   (3) Existing law also requires a business that is required to
comply with these provisions to provide information to customers
regarding its privacy policy and to provide a designated means of
preventing disclosure of personal information.
   This bill would require a business that is required to comply
with these provisions to provide specified notice to the customer of
its privacy policies.
   (4) Existing law provides that a customer who sustains injury as a
result of a violation of these provisions is entitled to specified
remedies, including civil penalties.
   This bill would also provide that a violation of these provisions
is deemed to constitute an injury to the customer for purposes of
seeking remedies available under law.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1. This act shall be known and may be cited as the Right
to Know Act of 2013.
   SEC. 2. The Legislature hereby finds and declares all of the
following:
   (a) The right to privacy is a personal and fundamental right
protected by Section 1 of Article I of the California Constitution
and by the United States Constitution. All individuals have a right
of privacy in information pertaining to them.  
   (b) This state has previously recognized the importance of
providing Californians with transparency about how their personal
information has been shared by businesses by enacting Section 1798.83
of the Civil Code into law in 2003 and finding and declaring the
following:  
   "For free market forces to have a role in shaping the privacy
practices of California businesses and for 'opt-in' and 'opt-out'
remedies to be effective, Californians must be more than vaguely
informed that a business might share personal information with third
parties. Consumers must, for these reasons and pursuant to Section 1
of Article 1 of the California Constitution, be better informed about
what kinds of personal information are purchased by businesses for
direct marketing purposes. With these specifics, consumers can
knowledgeably choose to opt-in or opt-out or choose among businesses
that disclose information to third parties for direct marketing
purposes on the basis of how protective the business is of consumers'
privacy."  
   (c) Since Section 1798.83 of the Civil Code was first enacted in
2003, technology has advanced exponentially and business practices
have changed dramatically.  
   (d) Businesses are now collecting types of personal information
not included in the original law and sharing and selling it in ways
not contemplated or properly covered by the current law.  
   (e) Some Web sites are installing up to 100 tracking tools when
consumers visit Web pages and sending very personal information such
as age, gender, race, income, health concerns, and recent purchases
to third-party advertising and marketing companies.  
   (f) Third-party data broker companies are buying, selling, and
trading personal information obtained from mobile phones, financial
institutions, social media sites, and other online and brick and
mortar companies.  
   (g) Some mobile applications are sharing personal information,
such as location information, unique phone identification numbers,
and age, gender, and other personal details with third-party
companies.  
   (h) Californians need to know the ways that their personal
information is being collected by companies and then shared or sold
to third parties in order to properly protect their privacy, personal
safety, and financial security. 
   SEC. 3. Section 1798.83 of the Civil Code is repealed.
   SEC. 4. Section 1798.83 is added to the Civil Code, to read:
   1798.83. (a) (1) A business that retains a customer's personal
information shall make available to the customer free of charge access
to, or copies of, all of the customer's personal information retained
by the business.
   (2) A business that discloses a customer's personal information to
a third party shall make the following information available to the
customer free of charge:
   (A) All categories of the customer's personal information that were
disclosed, including the categories set forth in paragraph (1) of
subdivision (d).
   (B) The names and contact information of all of the third parties
that received the customer's personal information from the business,
including the third party's designated request address or addresses
if available.
   (b) A business required to comply with subdivision (a) shall make
the required information available by one or more of the following
means:
   (1) By providing a designated request address and, upon receipt of
a request under this section to the designated request address,
providing the customer within 30 days with the required
information for all disclosures occurring in the prior 12 months,
provided that:
   (A) If the business has an online privacy policy, that policy
includes a description of a customer's rights pursuant to this
section accompanied by one or more designated request addresses. A
business with multiple online privacy policies must include this
information in the policy of
each product or service that collects personal information that may
be disclosed to a third party.
   (B) The business ensures that all persons responsible for handling
customer inquiries about the business' privacy practices or the
business' compliance with this section are informed of all designated
request addresses.
   (C) The business provides information pertaining to the specific
customer if that information is reasonably available to the business,
and provides information in standardized format if information
pertaining to the specific customer is not reasonably available.
   (2) For information required to be provided by paragraph (2) of
subdivision (a), by providing the customer with notice including the
required information prior to or immediately following a disclosure.
   (3) By providing the customer the disclosure required by Section
6803 of Title 15 of the United States Code, but only if the
disclosure also complies with this section.
   (c) (1) A business is not obligated to
provide more than one notice under paragraph (2) of subdivision (b)
to the same customer in a 12-month period about the disclosure of the
same personal information to the same third party and is not
obligated under paragraph (1) of subdivision (b) to respond to a
request by the same customer more than once within a given 12-month
period. 
   (2) A business is not obligated to provide information to the
customer pursuant to subdivision (a) if the business cannot
reasonably verify that the individual making the request is the
customer.  
   (d) For purposes of this section, the following terms have the
following meanings:
   (1) "Categories of personal information" includes, but is not
limited to, the following:
   (A) Identity information including, but not limited to, real name,
alias, nickname, and user name.
   (B) Address information, including, but not limited to, postal
address or e-mail.
   (C) Telephone number.
   (D) Account name.
   (E) Social security number or other government-issued
identification number, including, but not limited to, social security
number, driver's license number, identification card number, and
passport number.
   (F) Birthdate or age.
   (G) Physical characteristic information, including, but not
limited to, height and weight.
   (H) Sexual information, including, but not limited to, sexual
orientation, sex, gender status, gender identity, and gender
expression.
   (I) Race or ethnicity.
   (J) Religious affiliation or activity.
   (K) Political affiliation or activity.
   (L) Professional or employment-related information.
   (M) Educational information.
   (N) Medical information, including, but not limited to, medical
conditions or drugs, therapies, mental health, or medical products or
equipment used.
   (O) Financial information, including, but not limited to, credit,
debit, or account numbers, account balances, payment history, or
information related to assets, liabilities, or general
creditworthiness.
   (P) Commercial information, including, but not limited to, records
of property, products or services provided, obtained, or considered,
or other purchasing or consuming histories or tendencies.
   (Q) Location information.
   (R) Internet or mobile activity information, including, but not
limited to, Internet Protocol addresses or information concerning the
access or use of any Internet or mobile-based site or service.
   (S) Content, including text, photographs, audio or video
recordings, or other material generated by or provided by the
customer.
   (T) Any of the above categories of information as they pertain to
the children of the customer.
   (2) (A) "Customer" means an individual who is a resident of
California who provides personal information to a business, with or
without an exchange of consideration, in the course of purchasing,
viewing, accessing, renting, leasing, or otherwise using real or
personal property, or any interest therein, or obtaining a product or
service from the business including advertising or any other
content.
   (B) An individual is also the customer of a business if that
business obtained the personal information of that individual from
any other business.
   (3) "Designated request address" means a mailing address, e-mail
address, Web page, toll-free telephone number, or other applicable
contact information, whereby customers may request or obtain the
information required to be provided under subdivision (a).
   (4) (A) "Disclose" means to disclose, release, share, transfer,
disseminate, make available, or otherwise communicate orally, in
writing, or by electronic or any other means to any third party as
defined in this section.
   (B) "Disclose" does not include:
   (i) Disclosure of personal information by a business to a third
party pursuant to a written contract authorizing the third party to
utilize the personal information to perform services on behalf of the
business, including maintaining or servicing accounts, providing
customer service, processing or fulfilling orders and transactions,
verifying customer information, processing payments, providing
financing, or similar services, but only if (I) the contract
prohibits the third party from using the personal information for any
reason other than performing the specified service(s) on behalf of
the business and from disclosing any such personal information to
additional third parties and (II) the business effectively enforces
these prohibitions.
   (ii) Disclosure of personal information by a business to a third
party based on a good-faith belief that disclosure is required to
comply with applicable law, regulation, legal process, or court
order.
   (iii) Disclosure of personal information by a business to a third
party that is reasonably necessary to address fraud, security, or
technical issues; to protect the disclosing business's rights or
property; or to protect customers or the public from illegal
activities as required or permitted by law.
   (iv) Disclosure of personal information by a business to a third
party that is otherwise lawfully available to the general public,
provided that the business did not direct the third party to the
personal information.
   (5) "Personal information" means:
   (A) Any information that identifies or references a particular
individual or electronic device, including, but not limited to, a
real name, alias, postal address, telephone number, electronic mail
address, Internet Protocol address, account name, social security
number, driver's license number, passport number, or any other
identifier intended or able to be uniquely associated with a
particular individual or device.
   (B) Any information that relates to or describes an individual,
including, but not limited to, any information specifically listed in
subdivision (e) of Section 1798.80 of the Civil Code, and including
inferences or conclusions drawn from other information, if such
information is disclosed in connection with any identifying or
referencing information as defined in subparagraph (A) above. 
   (6) (A) "Retains" means to store or otherwise hold information,
whether the information is collected or obtained directly from the
subject of the information or from any third party.  
   (B) "Retains" does not include information that is stored or
otherwise held solely for one or more of the following purposes, so
long as the information is deleted as soon as it is no longer needed
for those purposes:  
   (i) To perform a service or complete a transaction initiated by or
on behalf of the customer, including maintaining or servicing
accounts, providing customer service, processing or fulfilling orders
and transactions, verifying customer information, processing
payments, providing financing, or similar services.  
   (ii) To address fraud, security, or technical issues; to protect
the disclosing business' rights or property; or to protect customers
or the public from illegal activities as required or permitted by
law.  
   (iii) To comply with applicable law or regulation or with a court
order or other legal process where the business has a good-faith
belief that the law, regulation, court order, or legal process
requires the information to be stored or held.  
   (7) "Third party" or "third parties" means one or more of the
following:
   (A) A business that is a separate legal entity from the business
that has disclosed personal information.
   (B) A business that does not share common ownership or common
corporate control with the business that has disclosed personal
information.
   (C) A business that does not share a brand name or common branding
with the business that has disclosed personal information such that
the affiliate relationship is clear to the customer. 
   (e) The provisions of this section are severable. If any
provision of this section or its application is held invalid, that
invalidity shall not affect other provisions or applications that can
be given effect without the invalid provision or application.
   (f) A violation of this section constitutes an injury to a
customer. A civil action to recover penalties pursuant to Section
1798.84 may be brought by a customer, the Attorney General, a
district attorney, a city attorney, or a city prosecutor, in a court
of competent jurisdiction.