Signed by Governor Jerry Brown, Jr.

Vote Smart's Synopsis:

Vote to concur with Senate amendments and pass a bill that establishes various regulations regarding the sale of consumer personal information by companies, effective January 1, 2020.

Highlights:

• Requires that a business that collects personal information inform consumers of the categories of information to be collected and the purposes for collection at or before the point of collection (Sec. 3).

• Defines “personal information” as information which identifies, describes, or can be linked to a particular consumer or household including, but not limited to, the following (Sec. 3):

• Identifiers such as name, address, social security number, etc;

• Commercial information including records of personal property;

• Biometric information;

• Internet activity including browsing and search history;

• Geolocation data; and

• Education and employment information.

• Specifies that consumers have the right to request that a business that collects personal information disclose the categories of information and the specific pieces of information about such consumer that the business has collected (Sec. 3).

• Requires that a business that receives such a request promptly respond to the request free of charge and in a format that is easily understandable and transferrable (Sec. 3).

• Specifies that consumers have the right to request that a business that collects personal information delete any information about such consumer that the business has collected (Sec. 3).

• Requires that a business that receives such a request delete the consumer’s information and direct any additional services providers to delete the consumer’s information from their records (Sec. 3).

• Specifies that a business is not required to delete a consumer’s information if it is necessary for purposes including, but not limited to, the following (Sec. 3):

• Complete a transaction with the consumer;

• Detect or protect against security incidents;

• Debug errors that impair functionality;

• Exercise free speech;

• Engage in peer-reviewed research in the public interest if the deletion will render the research impossible; or

• Comply with a legal obligation.

• Specifies that consumers have the right to request that a business that collects personal information disclose the following (Sec. 3):

• Categories of information collected about such consumer;

• Categories of sources from which information is collected;

• Business purposes for collecting or selling information;

• Categories of third parties with whom information is shared; and

• Specific pieces of information collected about such consumer.

• Defines “business purpose” as the use of personal information for operational purposes including, but not limited to, the following (Sec. 3):

• Auditing related to a current interaction with the consumer;

• Detecting, protecting against, and prosecuting those responsible for security incidents;

• Debugging errors that impair functionality;

• Short-term use; and

• Performing services on behalf of the business.

• Specifies that consumers have the right to request that a business that sells personal information disclose (Sec. 3):

• Categories of information collected about such consumer;

• Categories of information sold and categories of third parties to whom information was sold; and

• Categories of information disclosed for a business purpose.

• Specifies that consumers have the right to “opt out,” or to direct a business that sells personal information not to sell such consumer’s information (Sec. 3).

• Requires businesses to offer consumers 2 or more methods for submitted requests for information including, at minimum, a toll-free number and a web address (Sec. 3).

• Requires businesses to respond to requests for information within 45 days of receiving the request and to include all relevant information for the 12 month period prior to receiving the request (Sec. 3).

• Requires a business to disclose in its privacy policy the following (Sec. 3):

• A description of the consumer’s right pursuant to this act and 1 or more methods for submitting requests;

• Categories of information it has collected about consumers for the preceding 12 months;

• Categories of information about consumers it has sold for the preceding 12 months; and

• Categories of information about consumers it has disclosed for a business purpose in the preceding 12 months.

• Requires a business to provide a clear and conspicuous link on its website titled “Do Not Sell My Personal Information,” which leads to a page where a consumer may “opt out” (Sec. 3).

• Specifies that a business is in violation of this act if the business fails to resolve any alleged noncompliance within 30 days of being notified (Sec. 3).

• Specifies that violations of this act are punishable by a fine of up to $7500 per violation (Sec. 3).

• Prohibits any contract or agreement which purports to waive a consumer’s rights under this act (Sec. 3).

Full Bill Text

Vote Smart's Synopsis:

Vote to pass with amendment a bill that establishes various regulations regarding the sale of consumer personal information by companies, effective January 1, 2020.

Highlights:

• Requires that a business that collects personal information inform consumers of the categories of information to be collected and the purposes for collection at or before the point of collection (Sec. 3).

• Defines “personal information” as information which identifies, describes, or can be linked to a particular consumer or household including, but not limited to, the following (Sec. 3):

• Identifiers such as name, address, social security number, etc;

• Commercial information including records of personal property;

• Biometric information;

• Internet activity including browsing and search history;

• Geolocation data; and

• Education and employment information.

• Specifies that consumers have the right to request that a business that collects personal information disclose the categories of information and the specific pieces of information about such consumer that the business has collected (Sec. 3).

• Requires that a business that receives such a request promptly respond to the request free of charge and in a format that is easily understandable and transferrable (Sec. 3).

• Specifies that consumers have the right to request that a business that collects personal information delete any information about such consumer that the business has collected (Sec. 3).

• Requires that a business that receives such a request delete the consumer’s information and direct any additional services providers to delete the consumer’s information from their records (Sec. 3).

• Specifies that a business is not required to delete a consumer’s information if it is necessary for purposes including, but not limited to, the following (Sec. 3):

• Complete a transaction with the consumer;

• Detect or protect against security incidents;

• Debug errors that impair functionality;

• Exercise free speech;

• Engage in peer-reviewed research in the public interest if the deletion will render the research impossible; or

• Comply with a legal obligation.

• Specifies that consumers have the right to request that a business that collects personal information disclose the following (Sec. 3):

• Categories of information collected about such consumer;

• Categories of sources from which information is collected;

• Business purposes for collecting or selling information;

• Categories of third parties with whom information is shared; and

• Specific pieces of information collected about such consumer.

• Defines “business purpose” as the use of personal information for operational purposes including, but not limited to, the following (Sec. 3):

• Auditing related to a current interaction with the consumer;

• Detecting, protecting against, and prosecuting those responsible for security incidents;

• Debugging errors that impair functionality;

• Short-term use; and

• Performing services on behalf of the business.

• Specifies that consumers have the right to request that a business that sells personal information disclose (Sec. 3):

• Categories of information collected about such consumer;

• Categories of information sold and categories of third parties to whom information was sold; and

• Categories of information disclosed for a business purpose.

• Specifies that consumers have the right to “opt out,” or to direct a business that sells personal information not to sell such consumer’s information (Sec. 3).

• Requires businesses to offer consumers 2 or more methods for submitted requests for information including, at minimum, a toll-free number and a web address (Sec. 3).

• Requires businesses to respond to requests for information within 45 days of receiving the request and to include all relevant information for the 12 month period prior to receiving the request (Sec. 3).

• Requires a business to disclose in its privacy policy the following (Sec. 3):

• A description of the consumer’s right pursuant to this act and 1 or more methods for submitting requests;

• Categories of information it has collected about consumers for the preceding 12 months;

• Categories of information about consumers it has sold for the preceding 12 months; and

• Categories of information about consumers it has disclosed for a business purpose in the preceding 12 months.

• Requires a business to provide a clear and conspicuous link on its website titled “Do Not Sell My Personal Information,” which leads to a page where a consumer may “opt out” (Sec. 3).

• Specifies that a business is in violation of this act if the business fails to resolve any alleged noncompliance within 30 days of being notified (Sec. 3).

• Specifies that violations of this act are punishable by a fine of up to $7500 per violation (Sec. 3).

• Prohibits any contract or agreement which purports to waive a consumer’s rights under this act (Sec. 3).

Full Bill Text