Bill Text: CA AB3204 | 2023-2024 | Regular Session | Amended
Bill Title: Data Digesters Registration Act.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2024-05-16 - In committee: Held under submission. [AB3204 Detail]
Download: California-2023-AB3204-Amended.html
|
Amended
IN
Assembly
April 18, 2024 |
CALIFORNIA LEGISLATURE—
2023–2024 REGULAR SESSION
Assembly Bill
No. 3204
| Introduced by Assembly Member Bauer-Kahan |
February 16, 2024 |
An act to add Title 1.81.8 (commencing with Section 1798.321) to Part 4 of Division 3 of the Civil Code, relating to data digesters.
LEGISLATIVE COUNSEL'S DIGEST
AB 3204, as amended, Bauer-Kahan.
Data digesters. Digesters Registration Act.
The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
Existing law requires data brokers to register with the agency, pay a registration fee, and provide certain information, prescribes penalties for failure to register as required by these provisions, requires the agency to create a page on its internet website where this registration
information is accessible to the public, and creates a fund known as the “Data Brokers’ Registry Fund” that may be used by the agency, upon appropriation, to, among other things, offset the reasonable costs of establishing and maintaining the informational website and the costs incurred by the state courts and the agency in connection with enforcing these provisions, as specified. Existing law defines various terms for these purposes, including by incorporating specified definitions provided in the CPRA.
This bill would require data digesters to register with the agency, pay a registration fee, and provide specified information, prescribe penalties for a failure to register as required by these provisions, require the agency to create a page on its internet website where this registration information is accessible to the public, and create a fund known as the “Data Digester Registry Fund” to be administered by the agency to be available for expenditure by the
agency, upon appropriation, to offset the reasonable costs of establishing and maintaining the informational website and the costs incurred by the state courts and the agency in connection with enforcing these provisions, as specified. The bill would define “data digester” various terms and incorporate specified definitions provided in the CPRA for these purposes.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Title 1.81.8 (commencing with Section 1798.321) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.8. Data Digesters Registration Act
1798.321.
For purposes of this title:(a) The definitions in Section 1798.140 shall apply unless otherwise specified in this title.
(b) “Artificial intelligence” means an engineered or machine-based system that varies in its level of autonomy and that can, for explicit or implicit objectives, infer from the input it receives how to generate outputs that can influence physical or virtual environments.
(c) “Covered entity” means an organization or enterprise, including, but not limited to, a proprietorship, partnership, firm, business trust, joint venture,
syndicate, corporation, association, or nonprofit.
(b)
(d) “Data digester” means a business that uses personal information to train artificial intelligence. covered entity that designs, codes, or produces an artificial intelligence system or service, or that substantially modifies an existing artificial intelligence system or service, by training the system or service on the personal data of 1,000 or more individuals or households.
(e) “Train” or “training” means exposing artificial intelligence to data in order to alter the relationship between inputs and outputs.
(f) “Personal data” means any of the following:
(1) Personal data.
(2) Sensitive personal information.
(3) Information related to a consumer’s receipt of sensitive services.
(g) “Personal information” has the same meaning as defined in paragraph (1) of subdivision (v) of Section 1798.140.
(h) “Sensitive services” has the same meaning as defined in Section 56.05.
1798.322.
A fund to be known as the “Data Digester Registry Fund” is hereby created within the State Treasury. The fund shall be administered by the California Privacy Protection Agency. All moneys collected or received by the California Privacy Protection Agency under this title shall be deposited into the Data Digester Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset all of the following costs:(a) The reasonable costs of establishing and maintaining the informational internet website described in Section 1798.324.
1798.325.
(b) The costs incurred by the state courts and the California Privacy Protection Agency in connection with enforcing this title, as specified in Section 1798.323.
1798.323.
(a) On or before January 31 following each year in which a(b) In registering with the California Privacy Protection
Agency, as described in subdivision (a), a data digester shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.324. 1798.325.
(2) Provide the following information:
(A) The name of the data digester and its primary physical, email, and internet website addresses.
(B) Each category of
personal information that the data digester uses has used to train artificial intelligence, identified by reference to the applicable subparagraph enumerated under paragraph (1) of subdivision (v) of Section 1798.140.
(C) Each category of sensitive personal information that the data digester uses has used to train artificial intelligence, identified by reference to the applicable paragraph and subparagraph enumerated under subdivision (ae) of Section 1798.140.
(D) Each category of information related to consumers’ receipt of sensitive services, as that term is defined in Section 56.05, services that the data digester uses has used to train artificial intelligence, identified by reference to the specific category of sensitive service enumerated in the definition. subdivision (s) of Section 56.05.
(E) Whether the data digester trains has trained artificial intelligence using the personal information data of minors.
(F) Whether and to what extent the data digester or any of its subsidiaries is regulated by any of the following:
(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(ii) The federal Gramm-Leach-Bliley Act (Public Law 106-102) and
implementing regulations.
(iii) The federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.).
(iv) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(v) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(vi) The privacy of pupil records pursuant to Article 5 (commencing with Section 49073) of Chapter 6.5 of Part 27 of Division 4 of Title 2 of the Education Code.
(G) Any additional information or explanation the data digester chooses to provide concerning its artificial intelligence training practices.
(c) If the California Privacy Protection Agency reasonably believes that a data digester has failed to register within 90 days of the date on which it is required to register under this section, the California Privacy Protection Agency shall provide notice of failure to the data digester and post a copy of the notice on the informational internet website described in Section 1798.324.
1798.325.
(d) A data digester that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:
(1) Administrative fines according to the following schedule:
(A) An administrative fine of two hundred dollars ($200) for
each day the data digester fails to register as required by this section prior to the date on which notice is posted on the informational internet website pursuant to subdivision (c).
(B) An administrative fine of five thousand dollars ($5,000) for each day the data digester fails to register as required by this section beginning the 15th day after notice is posted on the informational internet website pursuant to subdivision (c).
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.
(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (d) shall be deposited in the Data Digester Registry Fund, created within the State Treasury pursuant to Section 1798.322, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.
1798.324.
If a covered entity sells, leases, or otherwise transfers an artificial intelligence system or service to a third party, and the system or service can be substantially modified through training on personal data, the covered entity shall inform the recipient in writing of the responsibilities under this title.1798.324.1798.325.
The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data digesters described in paragraph (2) of subdivision (b) of Section 1798.323 shall be accessible to the public.1798.325.1798.326.
(a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title.(b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure
Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).
