BILL NUMBER: SB 602AMENDED BILL TEXT AMENDED IN ASSEMBLY JULY 5, 2011 AMENDED IN ASSEMBLY JUNE 6, 2011 AMENDED IN SENATE APRIL 25, 2011 AMENDED IN SENATE MARCH 30, 2011 AMENDED IN SENATE MARCH 21, 2011 INTRODUCED BY Senator Yee FEBRUARY 17, 2011 An act to add Title 1.81.15 (commencing with Section 1798.90) to Part 4 of Division 3 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST SB 602, as amended, Yee. Reader Privacy Act. The California Public Records Act requires state and local agencies to make their records available for public inspection and, upon request of any person, to provide a copy of any public record unless the record is exempt from disclosure. The act provides that all registration and circulation records of any library that is in whole or in part supported by public funds are confidential and shall not be disclosed to any person, except as provided. Existing law protects the privacy of personal information, including customer records, and requires a business that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, in order to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. The Civil Discovery Act generally provides for the scope of discovery in civil actions and proceedings, and permits a party to a civil action to obtain discovery by inspecting documents, tangible things, and land or other property in the possession of any other party to the action. This bill would enact the Reader Privacy Act, which would, among other things, prohibit a commercial provider of a book service, as defined, from disclosing, or being compelled to disclose, any personal information relating to a user of the book service, subject to certain exceptions. The bill would requirea court, when considering whether to issue an order in a pending civil or administrative action, to make specified findings, including that the person or entity seeking disclosure of personal information of a user of a book service has a compelling interest in obtaining that information. The bill would additionally require a court having jurisdiction over an offense to make specified findings before issuing an order to disclose the personal information of a user to a government entity.a provider to disclose personal information of a user only if a court order has been issued, as specified, and certain other conditions have been satisfied. The bill would also require a provider to disclose personal information of a user if the user has consented to the disclosure and would authorize a provider to disclose the personal information of a user to a government entity, as defined, if an imminent danger of death or serious physical injury exists, as specified, or if the provider in good faith believes the information is directly relevant to a crime against the provider or user. The bill would impose civil penalties on a provider of a book service for knowingly disclosing a user's personal information to a government entity in violation of these provisions, except as otherwise provided. The bill would require that any provider of a book service prepare a specified report relating to demands for disclosure of personal information of users of the book service, and publish that information in a searchable format on the Internet or if the provider does not have an Internet Web site, to prominently post the report on its premises or send the report annually to the Office of Privacy Protection. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Title 1.81.15 (commencing with Section 1798.90) is added to Part 4 of Division 3 of the Civil Code, to read: TITLE 1.81.15. Reader Privacy Act 1798.90. (a) This title shall be known and may be cited as the Reader Privacy Act. (b) For purposes of this section: (1) "Book" means paginated or similarly organized content in printed, audio, electronic, or other format, including fiction, nonfiction, academic, or other works of the type normally published in a volume or volumes. (2) "Book service" means a service that, as its primary purpose, provides the rental, purchase, borrowing, browsing, or viewing of books. (3) "Government entity" means any state or local agency, including, but not limited to, a law enforcement entity or any other investigative entity, agency, department, division, bureau, board, or commission, or any individual acting or purporting to act for or on behalf of a state or local agency. (4) "Law enforcement entity" means a district attorney, a district attorney's office, a municipal police department, a sheriff's department, a county probation department, a county social services agency, the Department of Justice, the Department of Corrections and Rehabilitation, the Department of the Youth Authority, the Department of the California Highway Patrol, the police department of a campus of a community college, the University of California, or the California State University, or any other department or agency of the state authorized to investigate or prosecute the commission of a crime.(4)(5) "Personal information" means all of the following: (A) Any information that identifies, relates to, describes, or is associated with a particular user, including, but not limited to, the information specifically listed in Section 1798.80. (B) A unique identifier or Internet Protocol address, when that identifier or address isbeingused to identify, relate to, describe, or be associated with a particular userof a book serviceor book, in whole or in partial form. (C) Any information that relates to, or is capable of being associated with, a particular user's access to or use of a book service or a book, in whole or in partial form.(5)(6) "Provider" means any commercial entity offering a book service to the public.(6)(7) "User" means any person or entity that uses a book service. (c) A provider shall not knowingly disclose to any government entity, or be compelled to disclose to any person, private entity, or government entity, any personal information of a user, except under any of the following circumstances: (1) A provider shall disclose personal information of a user to agovernmentlaw enforcement entity only pursuant to a court order issued by a duly authorized court with jurisdiction over an offense that is under investigation and only if all of the following conditions are met: (A) The court issuing the order finds that probable cause exists to believe the personal information requested is relevant evidence to the investigation of an offense and any of the grounds in Section 1524 of the Penal Code is satisfied. (B) The court issuing the order finds that theperson orlaw enforcement entity seeking disclosure has a compelling interest in obtaining the personal information sought. (C) The court issuing the order finds that the personal information sought cannot be obtained by theperson orlaw enforcement entity seeking disclosure through less intrusive means.(D) The person or entity seeking disclosure provides the provider with reasonable notice of the proceeding prior to the issuance of the order.(E) The opportunity to appear and contest the issuance of the order is afforded to the provider prior to the issuance of the order.(F) Notice of the order is given to the user by the person or entity seeking disclosure contemporaneous with execution of(D) Prior to issuance of the court order, the law enforcement entity seeking disclosure provides, in a timely manner, the provider with reasonable notice of the proceeding to allow the provider the opportunity to appear and contest issuance of the order. (E) The law enforcement entity seeking disclosure has informed the provider that it has given notice of the court order to the user contemporaneously with the execution of the order, unless there is a judicial determination of a strong showing of necessity to delay that notification for a reasonable period of time, not to exceed seven days. (2) A provider shall disclose personal information of a user to a government entity, other than a law enforcement entity, pursuant to a court orderin a pending civil or administrative action,issued by a court having jurisdiction over an offense under investigation by that government entity or to a government entity, other than a law enforcement entity, or to a person or private entity pursuant to a court order in a pending action brought by the government entity or by the person or private entity only if all of the following conditions are met: (A) The court issuing the order finds that the person or entity seeking disclosure has a compelling interest in obtaining the personal information sought. (B) The court issuing the order finds that the personal information sought cannot be obtained by the person or entity seeking disclosure through less intrusive means.(C) The person or entity seeking disclosure takes reasonable steps to provide the user and the provider with reasonable notice of the proceeding prior to the issuance of the court order in a timely manner to allow the user and provider the opportunity to appear(C) Prior to issuance of the court order, the person or entity seeking disclosure provides, in a timely manner, the provider with reasonable notice of the proceeding to allow the provider the opportunity to appear and contest the issuance of the court order. (D) The provider refrains from disclosing any personal information pursuant to the court order until it provides , in a timely manner, notice to the user about the issuance of the order and the ability to appear and quash the order, and the user has been givena reasonable opportunitya minimum of 35 days prior to disclosure of the information within which to appear and quash the order. (3) A provider shall disclose the personal information of a user to any person , private entity, or government entity if the user has given his or her informed, affirmative consent to the specific disclosure for a particular purpose. (4) A provider may disclose personal information of a user to a government entity, if the government entity asserts, and the provider in good faith believes, that there is an imminent danger of death or serious physical injury requiring the immediate disclosure of the requested personal information and there is insufficient time to obtain a court order. The government entity seeking the disclosure shall provide the provider with a written statement setting forth the facts giving rise to the emergency upon request or no later than 48 hours after seeking disclosure. (5) A provider may disclose personal information of a userof a book serviceto a government entity if the provider in good faith believes that the personal information is evidence directly related and relevant to a crime against the provider or that userof the book service. (d) (1) Any court issuingana court order requiring the disclosure of personal information of a userof a book serviceshall impose appropriate safeguards against the unauthorized disclosure of personal information by the provider and by the person, private entity, or government entity seeking disclosure pursuant to the order. (2) The court may, in its discretion, quash or modifyana court order requiring the disclosure of the user's personal information upon a motion made by the user, provider,or personperson, or entity seeking disclosure. (e) Exceptas proofin an action for a violation of this section, no evidence obtained in violation of this section shall be admissible in any civil, administrative, or otheror administrative proceeding. (f) (1) Violations of this section shall be subject to the following penalties: (A) Any provider that knowingly provides personal information about a user to a government entity in violation of this section shall be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, whichmay be recovered in a civil action brought by the person who is the subject of the records.shall be paid to the user in a civil action brought by the user. (B) Any provider that knowingly provides personal information about a user to a government entity in violation of this section shall, in addition to the penalty prescribed by subparagraph (A), be subject to a civil penalty not to exceed five hundred dollars ($500) for each violation, which may be assessed and recovered in a civil action brought by the Attorney General, by any district attorney or city attorney, or by a city prosecutor in any city having a full-time city prosecutor, in any court of competent jurisdiction. (2) If an action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. If the action is brought by a city attorney or city prosecutor, one-half of the penalty shall be paid to the treasurer of the city in which the judgment was entered, and one-half to the treasurer of the county in which the judgment was entered. (3) The penalties provided by this section are not the exclusive remedy and do not affect any other relief or remedy provided by law. (4) A civil action brought pursuant to this section shall be commenced within two years after the date upon which the claimant first discovered the violation. (g) An objectively reasonable reliance by the provider on a warrant or court order for the disclosure of personal information of a userof a book service, or on any of the enumerated exceptions to the confidentiality of a user's personal information set forth in this section, is a complete defense to any civil, administrative, or criminal actionaction for the violation of this section . (h) Unless disclosure of information pertaining to a particular request or set of requests is specifically prohibited by law, a provider shall prepare a report including all of the following information, to the extent it can be reasonably determined: (1) The number of federal and state warrants, federal and state grand jury subpoenas, federal and state civil and administrative subpoenas, federal and state civil and criminal court orders, and requests for information made with the informed consent of the user as described in paragraph (3) of subdivision (c), seeking disclosure of any personal information of a user related to the access or use of a book service or book, received by the provider from January 1 to December 31, inclusive, of the previous year. (2) The number of disclosures made by the provider pursuant to paragraphs (4) and (5) of subdivision (c) from January 1 to December 31, inclusive, of the previous year. (3) For each category of demand or disclosure, the provider shall include all of the following information: (A) The number of times notice of a court order in a criminal, civil, or administrative action has been provided by the provider and the date the notice was provided. (B) The number of times personal information has been disclosed by the provider. (C) The number of times no personal information has been disclosed by the provider. (D) The number of times the provider contests the demand. (E) The number of times the user contests the demand. (F) The number of users whose personal information was disclosed by the provider. (G) The type of personal information that was disclosed and the number of times that type of personal information was disclosed , except user textbook purchase or rental verifications generated by a campus bookstore at a public postsecondary educational institution in response to an audit request from a government entity that provides textbook purchase or rental subsidies to users are exempt from the reporting requirement of this subparagraph . (i) Reports prepared pursuant to subdivision (h) shall be made publicly available in an online, searchable format on or before March 1 of each year. If the provider does not have an Internet Web site, the provider shall post the reports prominently on its premises or send the reports to the Office of Privacy Protection on or before March 1 of each year. (j) Any provider subject to Section 22575 of the Business and Professions Code shall create a prominent hyperlink to its latest report published pursuant to subdivision (i) in the disclosure section of the privacy policy applicable to its book service on or before March 1 of each year. (k) Nothing in this section shall otherwise affect the rights of any person under the California Constitution or any other law or be construed as conflicting with the federal Privacy Protection Act of 1980 (Chapter 21A (commencing with Section 2000aa) of Title 42 of the United States Code) . 1798.90.05. Section 1798.90 does not make it unlawful for a law enforcement entity subject to Section 2000aa of Title 42 of the United States Code to obtain a search warrant for the personal information of a user pursuant to otherwise applicable law in connection with the investigation or prosecution of a criminal offense when probable cause exists to believe that the person possessing the personal information has committed, or is committing, a criminal offense involving the production, possession, receipt, mailing, sale, distribution, shipment, or transportation of child pornography, the sexual exploitation of children, or the sale or purchase of children prohibited by Sections 2251, 2251A, 2252, and 2252A of Title 18 of the United States Code. Nothing in Section 1798.90 shall prevent a provider from complying with a proper search warrant issued by a duly authorized court in connection with the investigation or prosecution of any of those offenses.