Bill Text: CA AB2677 | 2021-2022 | Regular Session | Amended
Bill Title: Information Practices Act of 1977.
Spectrum: Bipartisan Bill
Status: (Vetoed) 2022-09-19 - Vetoed by Governor. [AB2677 Detail]
Amended in Assembly April 21, 2022
Introduced by Assembly Member Gabriel (Coauthor: Assembly Member Seyarto)
February 18, 2022
LEGISLATIVE COUNSEL'S DIGEST
Digest Key
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES
Bill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 1798.3 of the Civil Code, as amended by Section 43 of Chapter 615 of the Statutes of 2021, is amended to read:
1798.3.
As used in this chapter:
(a) The term “personal information” means any information that is maintained by an agency that is reasonably capable of identifying or describing an individual, including, but not limited to, the individual’s name, social security number, physical description, genetic information, address, telephone number, IP address, online browsing history, location information, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
(b) The term “agency” means every state and local office, officer, department, division, bureau, board, commission, or other agency, except that the term agency shall not include:
(1) The California Legislature.
(2) Any agency established under Article VI of the California Constitution.
(3) The State Compensation Insurance Fund, except as to any records which contain personal information about the employees of the State Compensation Insurance Fund.
(c) The term “disclose” means to disclose, release, transfer, disseminate, or otherwise communicate all or any part of any record orally, in writing, or by electronic or any other means to any person or entity.
(d) The term “individual” means a natural person.
(e) The term “maintain” includes maintain, acquire, use, or disclose.
(f) The term “person” means any natural person, corporation, partnership, limited liability company, firm, or association.
(g) The term “record” means any file or grouping of personal information that is maintained by an agency.
(h) The term “commercial purpose” means any purpose which has financial gain as a major objective. It does not include the gathering or dissemination of newsworthy facts by a publisher or broadcaster.
(i) The term “regulatory agency” means the Department of Financial Protection and Innovation, the Department of Insurance, the Bureau of Real Estate, and agencies of the United States or of any other state responsible for regulating financial institutions.
SEC. 2.
Section 1798.3 is added to the Civil Code, to read:
1798.3.
(a) The term “personal information” means any information that is maintained by an agency that is reasonably capable of identifying or describing an individual, including, but not limited to, the individual’s name, social security number, physical description, genetic information, address, telephone number, IP address, online browsing history, location information, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.
SEC. 3.
Section 1798.16 of the Civil Code is amended to read:
1798.16.
(a) Whenever an agency collects personal information, the agency shall maintain the source or sources of the information, unless the source is the data subject or has received a copy of the source document, including, but not limited to, the name of any source who is an individual acting in their own private or individual capacity. If the source is an agency,
SEC. 4.
Section 1798.16 is added to the Civil Code, to read:
1798.16.
(a) Whenever an agency collects personal information, the agency shall maintain the source or sources of the information, unless the source is the data subject or has received a copy of the source document, including, but not limited to, the name of any source who is an individual acting in their own private or individual capacity. If the source is an agency, branch of the federal government, or other organization, such as a corporation or association, this requirement can be met by maintaining the name of the agency, branch of the federal government, or organization, as long as the smallest reasonably identifiable unit of that agency, branch of the federal government, or organization is named.
SEC. 5.
Section 1798.17 of the Civil Code is amended to read:
1798.17.
Each agency shall provide on or with any form used to collect personal information from individuals the notice specified in this section. When contact with the individual is of a regularly recurring nature, an initial notice followed by a periodic notice of not more than one-year intervals shall satisfy this requirement. This requirement is also satisfied by notification to individuals of the availability of the notice in annual tax-related pamphlets or booklets provided for them. The notice shall include all of the following:
SEC. 6.
Section 1798.19 of the Civil Code is amended to read:
1798.19.
(a) Each agency when it provides by contract for the operation or maintenance of records containing personal information to accomplish an agency function, shall cause, consistent with its authority, the requirements of this chapter to be applied to those records. For purposes of Article 10 (commencing with Section 1798.55), any contractor and any employee of the contractor, if the contract is agreed to on or after July 1, 1978, shall be considered to be an employee of an agency. Local government functions mandated by the state are not deemed agency functions within the meaning of this section.
SEC. 7.
Section 1798.19 is added to the Civil Code, to read:
1798.19.
(a) Each agency when it provides by contract for the operation or maintenance of records containing personal information to accomplish an agency function, shall cause, consistent with its authority, the requirements of this chapter to be applied to those records. For purposes of Article 10 (commencing with Section 1798.55), any contractor and any employee of the contractor, if the contract is agreed to on or after July 1, 1978, shall be considered to be an employee of an agency.
SEC. 8.
Section 1798.20 of the Civil Code is amended to read:
1798.20.
(a) Consistent with applicable provisions of the State Administrative Manual and the State Information Management Manual, each agency shall establish rules of conduct for persons involved in the design, development, operation, disclosure, or maintenance of records containing personal information and instruct each such person with respect to such rules and the requirements of this chapter, including any other rules and procedures adopted pursuant to this chapter and the remedies and penalties for noncompliance.
SEC. 9.
Section 1798.24 of the Civil Code is amended to read:
1798.24.
An agency shall not disclose any personal information in a manner that could link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
SEC. 10.
Section 1798.24 is added to the Civil Code, to read:
1798.24.
An agency shall not disclose any personal information in a manner that could link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
SEC. 11.
Section 1798.24b of the Civil Code is amended to read:
1798.24b.
(a) Notwithstanding Section 1798.24, except subdivision (t) thereof, information shall be disclosed to the protection and advocacy agency designated by the Governor in this state pursuant to federal law to protect and advocate for the rights of people with disabilities, as described in Division 4.7 (commencing with Section 4900) of the Welfare and Institutions Code.
SEC. 12.
Section 1798.25 of the Civil Code is amended to read:
1798.25.
(a) Each agency shall keep an accurate accounting of the date, nature, and purpose of each disclosure of a record made pursuant to subdivision (i), (k), or (n) of Section 1798.24. This accounting shall also be required for disclosures made pursuant to subdivision (e) or (f) of Section 1798.24 unless notice of the type of disclosure has been provided pursuant to Sections 1798.9 and 1798.10. The accounting shall also include the name, title, and business address of the person or agency to whom the disclosure was made.
SEC. 13.
Section 1798.26 of the Civil Code is amended to read:
1798.26.
With respect to the sale of information concerning the registration of any vehicle or the sale of information from the files of drivers’ licenses, the Department of Motor Vehicles shall, by regulation, establish administrative procedures under which any person making a request for information shall be required to identify themselves and state the reason for making the request. These procedures shall provide for the verification of the name and address of the person making a request for the information and the department may require the person to produce the information as it determines is necessary in order to ensure that the name and address of the person are their true name and address. These procedures may provide for a 10-day delay in the release of the requested information. These procedures shall also provide for notification to the person to whom the information relates, as to what information was provided and to whom it was provided. The department shall, by regulation, establish a reasonable period of time for which a record of all the foregoing shall be maintained.
SEC. 14.
Section 1798.27 of the Civil Code is amended to read:
1798.27.
Each agency shall retain the accounting made pursuant to Section 1798.25 for at least three years after the disclosure for which the accounting is made.
SEC. 15.
Section 1798.29 of the Civil Code is amended to read:
1798.29.
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
[Model security breach notification form]
[NAME OF INSTITUTION / LOGO]
Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [internet website]
SEC. 16.
Section 1798.29 is added to the Civil Code, to read:
1798.29.
(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California (1) whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or, (2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
[Model security breach notification form]
[NAME OF INSTITUTION / LOGO]
Date: [insert date]
NOTICE OF DATA BREACH
What Happened?
What Information Was Involved?
What We Are Doing.
What You Can Do.
Other Important Information. [insert other important information]
For More Information. Call [telephone number] or go to [internet website]