California 2011 2011-2012 Regular Session

California Senate Bill SB602 Amended / Bill

Filed 06/06/2011

BILL NUMBER: SB 602 AMENDED
BILL TEXT

AMENDED IN ASSEMBLY JUNE 6, 2011
AMENDED IN SENATE APRIL 25, 2011
AMENDED IN SENATE MARCH 30, 2011
AMENDED IN SENATE MARCH 21, 2011

INTRODUCED BY Senator Yee
FEBRUARY 17, 2011

An act to add Title 1.81.15 (commencing with Section 1798.90) to Part 4 of Division 3 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL'S DIGEST

SB 602, as amended, Yee. Reader Privacy Act.

The California Public Records Act requires state and local agencies to make their records available for public inspection and, upon request of any person, to provide a copy of any public record unless the record is exempt from disclosure. The act provides that all registration and circulation records of any library that is in whole or in part supported by public funds  is   are  confidential and shall not be disclosed to any person, except as provided.

Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

Existing law provides various grounds for the issuance of a search warrant, and provides that a search warrant cannot be issued but upon probable cause, supported by affidavit, naming or describing the person to be searched or searched for, and particularly describing the property and the place to be searched.

The Civil Discovery Act generally provides for the scope of discovery in civil actions and proceedings, and permits a party to a civil action to obtain discovery by inspecting documents, tangible things, and land or other property in the possession of any other party to the action.

This bill would enact the Reader Privacy Act, which would, among other things, prohibit a commercial provider of a book service, as defined, from disclosing, or being compelled to disclose, any personal information relating to a user of the book service, subject to certain exceptions. The bill would require a court, when considering whether to issue  a search warrant   or  an order in a pending civil or administrative action, to make specified findings, including that the person or entity seeking disclosure of personal information of a user of a book service has a compelling interest in obtaining that information.  The bill would additionally require a court having jurisdiction over an offense to make specified findings before issuing an order to disclose the personal information of a user to a government   entity.  The bill would impose civil penalties on a provider of a book service for knowingly disclosing a user's personal information to a government entity in violation of these provisions, except as otherwise provided. The bill would require that any provider of a book service prepare a specified report relating to demands for disclosure of personal information of users of the book service, and publish that information in a searchable format on the Internet  or if the provider does not have an Internet Web site,   to   prominently post the report on its premises or send the report annually to the   Office of Privacy Protection.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Title 1.81.15 (commencing with Section 1798.90) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.15. Reader Privacy Act

1798.90. (a) This title shall be known and may be cited as the Reader Privacy Act.

(b) For purposes of this section:

(1) "Book" means paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes.

(2) "Book service" means a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books.

(3) "Government entity" means any state or local agency, including, but not limited to, a law enforcement or any other investigative agency, department, division, bureau, board, or commission, or any individual acting or purporting to act for or on behalf of a state or local agency.

(4) "Personal information" means all of the following:

(A) Any information that identifies, relates to, describes, or is associated with a particular user, including, but not limited to, the information specifically listed in Section 1798.80.

(B) A unique identifier or Internet Protocol address, when that identifier or address is being used to identify, relate to, describe, or be associated with a particular user of a book service or book, in whole or in partial form.

(C) Any information that relates to, or is capable of being associated with, a particular user's access to or use of a book service or a book, in whole or in partial form.

(5) "Provider" means any commercial entity offering a book service to the public.

(6) "User" means any person or entity that uses a book service.

(c) A provider shall not knowingly disclose to any government entity, or be compelled to disclose to any person, private entity, or government entity, any personal information of a user, except under any of the following circumstances:

(1) A provider shall disclose personal information of a user  to a government entity only  pursuant to a  search warrant   court order  issued by a duly authorized court with jurisdiction over an offense  that is  under investigation  using the procedures described in Chapter 3 (commencing with Section 1523) of Title 12 of Part 2 of the Penal Code, if all of the following   and only if all of the following  conditions are met:

(A) The court issuing the order finds that probable cause exists to believe the personal information requested is relevant evidence to the investigation of an offense and any of the grounds in Section 1524 of the Penal Code is satisfied.

(A)   (B)  The court issuing the  warrant   order  finds that the person or entity seeking disclosure has a compelling interest in obtaining the personal information sought.

(B)   (C)  The court issuing the  warrant   order  finds that the personal information sought cannot be obtained by the person or entity seeking disclosure through less intrusive means.

(C)   (D)  The person or entity seeking disclosure provides the provider with reasonable notice of the proceeding prior to the issuance of the  warrant   order.

(D)   (E)  The opportunity to appear and contest the issuance of the  warrant   order  is afforded to the provider prior to the issuance of the  warrant   order.

(E)   (F)  Notice of the  warrant   order  is given to the user by the person or entity seeking disclosure contemporaneous with execution of the  warrant   order, unless there is a judicial determination of a strong showing of necessity to delay that notification for a reasonable period of time, not to exceed seven days.

(2) A provider shall disclose personal information of a user pursuant to a court order in a pending civil or administrative action, if all of the following conditions are met:

(A) The court issuing the order finds that the person or entity seeking disclosure has a compelling interest in obtaining the personal information sought.

(B) The court issuing the order finds that the personal information sought cannot be obtained by the person or entity seeking disclosure through less intrusive means.

(C) The person or entity seeking disclosure takes reasonable steps to provide the user and the provider with reasonable notice of the proceeding prior to the issuance of the court order in a timely manner to allow the user and provider the opportunity to appear and contest the issuance of the court order.

(D) The provider refrains from disclosing any personal information pursuant to the court order until it provides notice to the user about the issuance of the order and the ability to appear and quash the order, and the user has been given a reasonable opportunity to appear and quash the order.

(3) A provider shall disclose the personal information of a user to any person if the user has given his or her informed, affirmative consent to the specific disclosure for a particular purpose.

(4) A provider may disclose to a government entity, if the government entity asserts, and the provider in good faith believes, that there is an imminent danger of death or serious physical injury requiring the immediate disclosure of the requested personal information and there is insufficient time to obtain a  warrant   court order. The government entity seeking the disclosure shall provide the provider with a written statement setting forth the facts giving rise to the emergency upon request or no later than 48 hours after seeking disclosure.

(5) A provider may disclose personal information of a user of a book service to a government entity if the provider in good faith believes that the personal information is evidence directly related and relevant to a crime against the provider or that user of the book service.

(d) (1) Any court issuing  a search warrant or   an  order requiring the disclosure of personal information of a user of a book service shall impose appropriate safeguards against the unauthorized disclosure of personal information by the provider pursuant to the  warrant or  order.

(2) The court may, in its discretion, quash or modify  a warrant or court   an  order requiring the disclosure of the user's personal information upon a motion made by the user, provider, or person or entity seeking disclosure.

(e) Except as proof in an action for a violation of this section, no evidence obtained in violation of this section shall be admissible in any civil, administrative, or other proceeding.

(f) (1) Violations of this section shall be subject to the following penalties:

(A) Any provider that knowingly provides personal information about a user to a government entity in violation of this section shall be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, which may be recovered in a civil action brought by the person who is the subject of the records.

(B) Any provider that knowingly provides personal information to a government entity in violation of this section shall, in addition to the penalty prescribed by subparagraph (A), be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, which may be assessed and recovered in a civil action brought by the Attorney General, by any district attorney or city attorney, or by a city prosecutor in any city having a full-time city prosecutor, in any court of competent jurisdiction.

(2) If an action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. If the action is brought by a city attorney or city prosecutor, one-half of the penalty shall be paid to the treasurer of the city in which the judgment was entered, and one-half to the treasurer of the county in which the judgment was entered.

(3) The penalties provided by this section are not the exclusive remedy and do not affect any other relief or remedy provided by law.

(4) A civil action brought pursuant to this section shall be commenced within two years after the date upon which the claimant first discovered the violation.

(g) An objectively reasonable reliance by the provider on a  warrant or  court order for the disclosure of personal information of a user of a book service, or on any of the enumerated exceptions to the confidentiality of a user's personal information set forth in this section, is a complete defense to any civil, administrative, or criminal action.

(h) Unless disclosure of information pertaining to a particular request or set of requests is specifically prohibited by law, a provider shall prepare a report including all of the following information, to the extent it can be reasonably determined:

(1) The number of  federal warrants, state warrants,  grand jury subpoenas, civil and administrative subpoenas,  federal and state civil and criminal  court orders, and requests for information made with the informed consent of the user as described in paragraph (3) of subdivision  (a)   (c), seeking disclosure of any personal information of a user related to the access or use of a book service or book, received by the provider from January 1 to December 31, inclusive, of the previous year.

(2) The number of disclosures made by the provider pursuant to paragraphs  (5) and (6) of subdivision (a)   (4) and (5) of subdivision (c)  from January 1 to December 31, inclusive, of the previous year.

(3) For each category of demand or disclosure, the provider shall include all of the following information:

(A) The number of times notice of a  warrant or a  court order in a  civil   criminal, civil,  or administrative action has been provided by the provider and the date the notice was provided.

(B) The number of times personal information has been disclosed by the provider.

(C) The number of times no personal information has been disclosed by the provider.

(D) The number of times the provider contests the demand.

(E) The number of times the user contests the demand.

(F) The number of users whose personal information was disclosed by the provider.

(G) The type of personal information that was disclosed and the number of times that type of personal information was disclosed.

(i) Reports prepared pursuant to subdivision (h) shall be made publicly available in an online, searchable format on or before March 1 of each year.  If the provider does not have an Internet Web site, the provider shall post the reports prominently on its premises or send the reports to the Office of Privacy Protection on or before March 1 of each year.

(j) Any provider subject to Section 22575 of the Business and Professions Code shall create a prominent hyperlink to its latest report published pursuant to subdivision (i) in the disclosure section of the privacy policy applicable to its book service on or before March 1 of each year.

(k) Nothing in this section shall otherwise affect the rights of any person under the California Constitution or any other law.