Bill Text: CA AB2488 | 2021-2022 | Regular Session | Amended


Bill Title: Personal information: precise geolocation data: data collection.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Introduced - Dead) 2022-04-19 - In committee: Set, first hearing. Hearing canceled at the request of author.

Amended in Assembly March 28, 2022

CALIFORNIA LEGISLATURE—2021–2022 REGULAR SESSION

Assembly Bill No. 2488


Introduced by Assembly Member Irwin

February 17, 2022


An act to add Title 1.81.22 (commencing with Section 1798.90.4) to Part 4 of Division 3 of the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 2488, as amended, Irwin. Personal information: precise geolocation data: data collection.
Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information, including geolocation data. Existing law also provides a consumer with the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to certain prescribed uses, and defines “sensitive personal information” to mean, among other things, a consumer’s precise geolocation.
Existing law requires an operator and an end-user of an automated license plate recognition (ALPR) system, as defined, to, among other things, maintain reasonable security procedures and practices to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure and implement a usage and privacy policy, as specified. Existing law requires a public agency, as defined, that operates or intends to operate an ALPR system to provide an opportunity for public comment, as specified, before implementing the program. Existing law prohibits a public agency from selling, sharing, or transferring ALPR information except to another public agency, and only as otherwise permitted by law.
This bill would require a public agency that collects precise geolocation data to maintain reasonable security procedures and practices to protect precise geolocation data from unauthorized access, destruction, use, modification, or disclosure and implement a usage and privacy policy, as specified. The bill would define precise geolocation data as any data that is derived from a device and that is used or intended to be used to locate a person within a radius equal to or less than 1,850 feet around that person. The bill would require a public agency that collects or intends to collect precise geolocation data to provide an opportunity for public comment, as specified, before collection begins. The bill would prohibit a public agency from selling, sharing, or transferring precise geolocation data except to comply with a lawful court order.
This bill would also require a public agency that collects precise geolocation data to obtain lawful permission to collect precise geolocation data prior to the collection of that precise geolocation data and maintain that permission for the duration of the collection of the precise geolocation data. The bill would provide that lawful permission includes any collection in conformity with the California Electronic Communications Privacy Act, a subpoena, court order, or search warrant for the particular device from which precise geolocation data is derived, or consent, as defined, of the person who possesses the device from which precise geolocation data is derived.
By imposing new duties on public agencies, which include local jurisdictions, this bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.


Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES

The people of the State of California do enact as follows:


SECTION 1.

 Title 1.81.22 (commencing with Section 1798.90.4) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.22. Collection of Geolocation Information

1798.90.4.
 The following definitions shall apply for purposes of this title:
(a) “Precise geolocation data” means any data that is derived from a device and that is used or intended to be used to locate a person within a radius equal to or less than 1,850 feet around that person.
(b) “Person” means any natural person, partnership, firm, association, corporation, limited liability company, or other legal entity.
(c) “Public agency” means the state, any city, county, or city and county, or any agency or political subdivision of the state or of a city, county, or city and county, including, but not limited to, a law enforcement agency.
(d) “Consent” means any freely given, specific, informed, and unambiguous indication of the person’s wishes, including by a statement or by a clear affirmative action, by which the person, or the person’s legal guardian, another person who has power of attorney for the person, or another person acting as a conservator for the person, signifies agreement to the collection of precise geolocation data for a specific purpose communicated by a public agency. Acceptance of a general or broad terms of use, or similar document, that contains generalized purposes for collecting precise geolocation data, or unrelated information, does not constitute consent. Consent may not be obtained through third parties. Consent may be revoked at any time by a person, the person’s legal guardian, another person who has power of attorney for the person, or another person acting as a conservator for the person.

1798.90.41.
 A public agency that collects precise geolocation data shall do all of the following:
(a) Obtain lawful permission to collect precise geolocation data prior to the collection of that precise geolocation data and maintain that permission for the duration of the collection of the precise geolocation data. Lawful permission includes any collection in conformity with the California Electronic Communications Privacy Act (Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code), or any of the following:
(1) A subpoena or court order for the particular device from which precise geolocation data is derived.
(2) A search warrant for the particular device from which precise geolocation data is derived.
(3) Consent of the person who possesses the device from which precise geolocation data is derived.
(b) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect precise geolocation data from unauthorized access, destruction, use, modification, or disclosure.
(c) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of precise geolocation data is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the public agency has an internet website, the usage and privacy policy shall be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for using the precise geolocation data and collecting precise geolocation data.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the precise geolocation data, or to collect precise geolocation data. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the precise geolocation data will be monitored to ensure the security of the information and compliance with applicable privacy laws.
(D) The title of the official custodian, or owner, of the precise geolocation data responsible for implementing this section.
(E) A description of the reasonable measures that will be used to ensure the accuracy of precise geolocation data and correct data errors.
(F) The length of time precise geolocation data will be retained, and the process the public agency will utilize to determine if and when to destroy retained precise geolocation data.
(G) The process by which a person may revoke their consent to the collection of precise geolocation data.

1798.90.45.
 Notwithstanding any other law or regulation:
(a) A public agency that collects or intends to collect precise geolocation data shall provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency before collection begins.
(b) A public agency shall not sell, share, or transfer precise geolocation data, other than to comply with a lawful court order. For purposes of this section, the provision of data hosting shall not be considered the sale, sharing, or transferring of precise geolocation data.

SEC. 2.

 If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.

SEC. 3.

 The Legislature finds and declares that Section 1 of this act, which adds Title 1.81.22 (commencing with Section 1798.90.4) to Part 4 of Division 3 of the Civil Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
In order to protect the privacy and security of the precise geolocation data of Californians, it is necessary that this act limit the public’s right of access to that data.