Bill Text: CA SB1059 | 2021-2022 | Regular Session | Amended
Bill Title: Privacy: data brokers.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced - Dead) 2022-05-19 - May 19 hearing: Held in committee and under submission. [SB1059 Detail]
Download: California-2021-SB1059-Amended.html
Amended
IN
Senate
April 21, 2022 |
Amended
IN
Senate
March 07, 2022 |
CALIFORNIA LEGISLATURE—
2021–2022 REGULAR SESSION
Senate Bill
No. 1059
Introduced by Senator Becker |
February 15, 2022 |
An act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Section 1798.99.85 to, the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
SB 1059, as amended, Becker.
Privacy: data brokers.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business, as defined, and also establishes, as approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, the California Privacy Protection Agency and vests it with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
The California Constitution grants a right of privacy. Existing law requires data brokers to register with, and provide certain information to, the Attorney General. Existing law defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
Existing law subjects data brokers that fail to register to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund, as specified. Existing law imposes a $100 civil penalty for each day a data broker fails to register.
This bill would include in the definition of data broker a business that knowingly collects and shares, as defined, certain personal information to third parties. The bill would transfer all authority and responsibilities under the provisions relating to data broker registration from the Attorney General to the CCPA, including by requiring data brokers to annually register with the CPPA on or before January 31. However, the bill would authorize the Attorney General to also bring an action against a data broker that fails to register. The bill would require data brokers to provide additional information to the CPPA during the registration
process would increase the civil penalty for failing to register to $200 for each day the data broker fails to register. The bill would require the CPPA to adopt regulations in compliance with the Administrative Procedure Act on or before January 1, 2024. Act. The bill would also make other technical changes.
Digest Key
Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NOBill Text
The people of the State of California do enact as follows:
SECTION 1.
Section 1798.99.80 of the Civil Code is amended to read:1798.99.80.
For purposes of this title:(a) “Breach” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.
(a)
(b) “Business” has the meaning provided in Section 1798.140.
(b)
(c) “Collect” and “collected” have the meaning provided in Section 1798.140.
(c)
(d) “Consumer” has the meaning provided in Section 1798.140.
(d)
(e) “Data broker” means a business that knowingly collects and either sells or shares to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).
(e)
(f) “Personal information” has the meaning provided in Section 1798.140.
(f)
(g) “Sale” or “sold” have the meaning provided in Section 1798.140.
(g)
(h) “Sensitive personal information” has the meaning provided in Section 1798.140.
(h)
(i) “Shares” or “shared” have the meaning provided in Section
1798.140.
(i)
(j) “Third party” has the meaning provided in Section 1798.140.
SEC. 2.
Section 1798.99.81 of the Civil Code is amended to read:1798.99.81.
A fund to be known as the “Data Brokers’ Registry Fund” is hereby created within the State Treasury. All registration fees received pursuant to paragraph (1) of subdivision (b) of Section 1798.99.82 shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset costs of establishing and maintaining the informational internet website described in Section 1798.99.84.SEC. 3.
Section 1798.99.82 of the Civil Code is amended to read:1798.99.82.
(a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section
1798.99.84. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) Whether the data broker has been breached and, if yes, additional details of each breach.
(C) Whether the data broker collects data of minors.
(D) Instructions on how consumers may exercise their rights to do any of the following:
(i) Delete personal information, as described in Section 1798.105.
(ii) Correct inaccurate personal information, as described in Section 1798.106.
(iii) Know what personal information is being collected and how to access that personal information, as described in Section 1798.110.
(iv) Know what personal information is being sold or shared, and to whom, as described in Section 1798.115.
(v) How to opt-out of the sale or sharing of personal information, as described in Section 1798.120.
(vi) How to limit the use and disclosure of
sensitive personal information, as described in Section 1798.121.
(E) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section
is subject to injunction and is liable for civil penalties, fees, and costs in an action brought by the California Privacy Protection Agency or in the name of the people of the State of California by the Attorney General as follows:
(1) A civil penalty of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the California Privacy Protection Agency or Attorney General, as applicable, in the investigation and prosecution of the action as the court deems appropriate.
(d) Any
penalties, fees, and expenses recovered in an action prosecuted under subdivision (c) shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160, with the intent that they be used to fully offset costs incurred by the state courts, California Privacy Protection Agency, and the Attorney General in connection with this title.