Bill Text: CA SB761 | 2011-2012 | Regular Session | Amended

NOTE: There are more recent revisions of this legislation.
Bill Title: Computer spyware.

Status: (Introduced - Dead) 2012-01-31 - Returned to Secretary of Senate pursuant to Joint Rule 56.

BILL NUMBER: SB 761	AMENDED
	BILL TEXT

	AMENDED IN SENATE  APRIL 25, 2011
	AMENDED IN SENATE  APRIL 4, 2011
	AMENDED IN SENATE  MARCH 24, 2011

INTRODUCED BY   Senator Lowenthal

                        FEBRUARY 18, 2011

   An act to add Section 22947.45 to the Business and Professions
Code, relating to business.


	LEGISLATIVE COUNSEL'S DIGEST

   SB 761, as amended, Lowenthal. Computer spyware.
   Existing law, the Consumer Protection Against Computer Spyware
Act, prohibits a person or entity other than the authorized user of
computer software from, with actual knowledge, conscious avoidance of
actual knowledge, or willfully, causing computer software to be
copied onto the computer of a consumer in this state and using the
software to (1) take control of the computer, as specified, (2)
modify certain settings relating to the computer's access to or use
of the Internet, as specified, (3) collect, through intentionally
deceptive means, personally identifiable information, as defined, (4)
prevent, without authorization, an authorized user's reasonable
efforts to block the installation of or disabling of software, as
specified, (5) intentionally misrepresent that the software will be
uninstalled or disabled by an authorized user's action, or (6)
through intentionally deceptive means, remove, disable, or render
inoperative security, antispyware, or antivirus software installed on
the computer.
   Existing law establishes the California Office
of Privacy Protection for specified purposes relating to protecting
the privacy rights of consumers.
   This bill would, no later than July 1, 2012, require the Attorney
General, in consultation with the California
Office of Privacy Protection, to adopt regulations that would require
a covered entity, defined as a person or entity doing business in
California that collects, uses, or stores online data containing
covered information from a consumer in this state, to provide a
consumer in California with a method to opt out of that collection,
use, and storage of such information. The bill would specify that
such information, includes, but is not limited to, the online
activity of an individual and other personal information. The bill
would subject these regulations to certain requirements, including,
but not limited to, a requirement that a covered entity disclose to a
consumer certain information relating to its collection, use, and
storage information practices. The bill would, to the extent
consistent with federal law, prohibit a covered entity from selling,
sharing, or transferring a consumer's covered information. The
bill would make a covered entity that willfully fails to comply with
the adopted regulations liable to a consumer in a civil action for
damages, as specified, and would require such an action to be brought
within a certain time period.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
  SECTION 1.  Section 22947.45 is added to the Business and
Professions Code, to read:
   22947.45.  (a) For the purposes of this section, the following
definitions shall apply:
   (1) "Covered entity" means a person or entity doing business in
California that collects, uses, or stores online data containing
covered information from a consumer in this state. "Covered entity"
shall not include any of the following:
   (A) The federal government or any instrumentality of the federal
government.
   (B) The government of any state or any instrumentality of state
government.
   (C) Any local government or instrumentality of local government.
   (D) Any person who can demonstrate that he or she does all of the
following:
   (i) Stores covered information from or about fewer than 15,000
individuals.
   (ii) Collects covered information from or about fewer than 10,000
individuals during any 12-month period.
   (iii) Does not collect or store sensitive information.
   (iv) Does not use covered information to study, monitor, or
analyze the behavior of individuals as the person's primary business.
   (2) (A) "Covered information" means, with respect to an
individual, any of the following that is transmitted online:
   (i) The online activity of the individual, including, but not
limited to, the Internet Web sites and content from Internet Web
sites accessed; the date and hour of online access; the computer and
geolocation from which online information was accessed; and the means
by which online information was accessed, such as, but not limited
to, a device, browser, or application.
   (ii) Any unique or substantially unique identifier, such as a
customer number or Internet Protocol address.
   (iii) Personal information including, but not limited to, a name;
a postal address or other location; an e-mail address or other user
name; a telephone or fax number; a government-issued identification
number, such as a tax identification number, a passport number, or a
driver's license number; or a financial account number, or credit
card or debit card number, or any required security code, access
code, or password that is necessary to permit access to an
individual's financial account.
   (B) "Covered information" shall not include the title, business
address, business e-mail address, business telephone number, or
business fax number associated with an individual's status as an
employee of an organization, or an individual's name when collected,
stored, used, or disclosed in connection with that employment status;
or any information collected from or about an employee by an
employer, prospective employer, or former employer that directly
relates to the employee-employer relationship.
   (3) (A) "Sensitive information" means any of the following:
   (i) Any information that is associated with covered information of
an individual and relates directly to that individual's medical
history, physical or mental health, or the provision of health care
to the individual; race or ethnicity; religious beliefs and
affiliation; sexual orientation or sexual behavior; income, assets,
liabilities, or financial records, and other financial information
associated with a financial account, including balances and other
financial information, except when financial account information is
provided by the individual and is used only to process an authorized
credit or debit to the account; or precise geolocation information
and any information about the individual's activities and
relationships associated with that geolocation.
   (ii) An individual's unique biometric data, including a
fingerprint or retina scan, or social security number.
   (iii) Information deemed sensitive information pursuant to
regulations adopted by the Attorney General under subparagraph (B).
   (B) The Attorney General in consultation with the
California Office of Privacy Protection may, by regulations
adopted pursuant to subdivision (b), modify the scope or application
of the definition of "sensitive information" as necessary to promote
the purposes of this act. In adopting these regulations, the
Attorney General shall consider the purpose of collecting the
information and the context in which the information is used; how
easily the information can be used to identify a specific individual;
the nature and extent of authorized access to the information; an
individual's reasonable expectations under the circumstances; and
adverse effects that may be experienced by an individual if the
information is disclosed to an unauthorized person.
   (b) (1) No later than July 1, 2012, the Attorney General, in
consultation with the California Office of Privacy
Protection, shall adopt regulations that would require a covered
entity doing business in California to provide a consumer in this
state with a method for the consumer to opt out of the collection or
use of any covered information by a covered entity.
   (2) The regulations shall do the following:
   (A) Include a requirement for a covered entity to disclose, in a
manner that is easily accessible to a consumer, information on the
collection, use, and storage of information practices, how the entity
uses or discloses that information, and the names of the persons to
whom that entity would disclose that information.
   (B) Prohibit the collection or use of covered information by a
covered entity for which a consumer has opted out of such collection
or use, unless the consumer changes his or her opt-out preference to
allow the collection or use of that information.
   (3) The regulations may do the following:
   (A) Include a requirement that a covered entity provide a consumer
with a means to access the covered information of that consumer and
the data retention and security policies of the covered entity in a
format that is clear and easy to understand.
   (B) Include a requirement that some or all of the regulations
apply with regard to the collection and use of covered information,
regardless of the source. 
   (4) The regulations shall not interfere with, affect, or prohibit
a commercial relationship between a consumer and a covered entity
where the consumer expressly opts in to the collection and use of his
or her covered information by the covered entity for the purpose of
engaging in that commercial relationship. However, if a majority of
the covered entity's revenue is derived from online advertising and
marketing, the regulations may regulate and affect such a commercial
relationship.  
   (5) The Attorney General may exempt from some or all of
the regulations required by this section certain commonly accepted
commercial practices, including the following:
   (A) Providing, operating, or improving a product or service used,
requested, or authorized by an individual, including the ongoing
provision of customer service and support.
   (B) Analyzing data related to use of the product or service for
purposes of improving the products, services, or operations.
   (C) Basic business functions, such as, but not limited to,
accounting, inventory and supply chain management, quality assurance,
and internal auditing.
   (D) Protecting or defending rights or property, including, but not
limited to, intellectual property, against actual or potential
security threats, fraud, theft, unauthorized transactions, or other
illegal activities.
   (E) Preventing imminent danger to the personal safety of an
individual or group of individuals.
   (F) Complying with a federal, state, or local law, regulation,
rule, or other applicable legal requirement, including, but not
limited to, disclosures pursuant to a court order, subpoena, summons,
or other properly executed compulsory process.
   (G) Any other category of operational use specified by the
Attorney General in regulations adopted pursuant to this subdivision
that is consistent with the purposes of this act. 
   (c) Notwithstanding any other provision of law and to the extent
consistent with federal law, no covered entity shall sell, share, or
transfer a consumer's covered information.  
   (d) A covered entity that willfully fails to comply
with regulations promulgated by the Attorney General pursuant to
subdivision (b) with respect to any individual is liable to that
individual in a civil action brought in a California court of
appropriate jurisdiction in an amount equal to the sum of the greater
of any actual damages, but in no event less than one hundred dollars
($100) or more than one thousand dollars ($1,000), and such amount
of punitive damages as the court may allow. In the case of any
successful action under this section, the covered entity shall be
liable to the individual for the costs of the action together with
reasonable attorney's fees as determined by the court. A civil action
under this section shall not be commenced later than two years after
the date upon which the claimant first discovered or had a
reasonable opportunity to discover the violation.