BILL NUMBER: AB 1541AMENDED BILL TEXT AMENDED IN ASSEMBLY APRIL 29, 2015 INTRODUCED BY Committee on Privacy and Consumer Protection (Assembly Members Gatto (Chair), Baker, Chau, Cooper, Dahle, and Gordon) MARCH 26, 2015 An actto amend Sections 22580, 22581, and 22584 of the Business and Professions Code andto amend Section 1798.81.5 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGEST AB 1541, as amended, Committee on Privacy and Consumer Protection. Privacy: personal information.Existing law limits marketing to minors by an operator of an Internet Web site, online service, online application, or mobile application, as specified. Existing law requires the operator of an Internet Web site, online service, online application, or mobile application to permit a minor to remove, or to request and obtain removal of, content or information posted by the minor, as specified. Existing law prohibits an operator of an Internet Web site, online service, online application, or mobile application used primarily for school purposes from using a student's information, as specified.This bill would revise these provisions to specify that these laws pertain to an operator of an Internet Web site or online service, such as an online application or a mobile application.Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law defines terms for purposes of this law, including "personal information." This bill wouldupdaterevise the definition of personal information to include health insurance information, as defined, and a username or email address combined with a password or security question and answer for access to an online account. Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:SECTION 1.Section 22580 of the Business and Professions Code is amended to read: 22580. (a) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors shall not market or advertise a product or service described in subdivision (i) on its Internet Web site or online service, such as an online application or a mobile application, directed to minors. (b) An operator of an Internet Web site or online service, such as an online application or a mobile application: (1) Shall not market or advertise a product or service described in subdivision (i) to a minor who the operator has actual knowledge is using its Internet Web site or online service, such as an online application or a mobile application, and is a minor, if the marketing or advertising is specifically directed to that minor based upon information specific to that minor, including, but not limited to, the minor's profile, activity, address, or location sufficient to establish contact with a minor, and excluding Internet Protocol (IP) address and product identification numbers for the operation of a service. (2) Shall be deemed to be in compliance with paragraph (1) if the operator takes reasonable actions in good faith designed to avoid marketing or advertising under circumstances prohibited under paragraph (1). (c) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors or who has actual knowledge that a minor is using its Internet Web site or online service, such as an online application or a mobile application, shall not knowingly use, disclose, compile, or allow a third party to use, disclose, or compile, the personal information of a minor with actual knowledge that the use, disclosure, or compilation is for the purpose of marketing or advertising products or services to that minor for a product described in subdivision (i). (d) "Minor" means a natural person under 18 years of age who resides in the state. (e) "Internet Web site or online service, such as an online application or a mobile application, directed to minors" mean an Internet Web site or online service, such as an online application or a mobile application, or a portion thereof, that is created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults. Provided, however, that an Internet Web site or online service, such as an online application or a mobile application, or a portion thereof, shall not be deemed to be directed at minors solely because it refers or links to an Internet Web site or online service, such as an online application or a mobile application, directed to minors by using information location tools, including a directory, index, reference, pointer, or hypertext link. (f) "Operator" means any person or entity that owns an Internet Web site or online service, such as an online application or a mobile application. It does not include any third party that operates, hosts, or manages, but does not own, an Internet Web site or online service, such as an online application or a mobile application, on the owner's behalf or processes information on the owner's behalf. (g) This section shall not be construed to require an operator of an Internet Web site or online service, such as an online application or a mobile application, to collect or retain age information about users. (h) (1) With respect to marketing or advertising provided by an advertising service, the operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors shall be deemed to be in compliance with subdivision (a) if the operator notifies the advertising service, in the manner required by the advertising service, that the site, service, or application is directed to minors. (2) If an advertising service is notified, in the manner required by the advertising service, that an Internet Web site or online service, such as an online application or a mobile application, is directed to minors pursuant to paragraph (1), the advertising service shall not market or advertise a product or service on the operator's Internet Web site or online service, such as an online application or a mobile application, that is described in subdivision (i). (i) The marketing and advertising restrictions described in subdivisions (a) and (b) shall apply to the following products and services as they are defined under state law: (1) Alcoholic beverages, as referenced in Sections 23003 to 23009, inclusive, and Section 25658. (2) Firearms or handguns, as referenced in Sections 16520, 16640, and 27505 of the Penal Code. (3) Ammunition or reloaded ammunition, as referenced in Sections 16150 and 30300 of the Penal Code. (4) Handgun safety certificates, as referenced in Sections 31625 and 31655 of the Penal Code. (5) Aerosol container of paint that is capable of defacing property, as referenced in Section 594.1 of the Penal Code. (6) Etching cream that is capable of defacing property, as referenced in Section 594.1 of the Penal Code. (7) Any tobacco, cigarette, or cigarette papers, or blunt wraps, or any other preparation of tobacco, or any other instrument or paraphernalia that is designed for the smoking or ingestion of tobacco, products prepared from tobacco, or any controlled substance, as referenced in Division 8.5 (commencing with Section 22950) and Sections 308, 308.1, 308.2, and 308.3 of the Penal Code. (8) BB device, as referenced in Sections 16250 and 19910 of the Penal Code. (9) Dangerous fireworks, as referenced in Sections 12505 and 12689 of the Health and Safety Code. (10) Tanning in an ultraviolet tanning device, as referenced in Sections 22702 and 22706. (11) Dietary supplement products containing ephedrine group alkaloids, as referenced in Section 110423.2 of the Health and Safety Code. (12) Tickets or shares in a lottery game, as referenced in Sections 8880.12 and 8880.52 of the Government Code. (13) Salvia divinorum or Salvinorin A, or any substance or material containing Salvia divinorum or Salvinorin A, as referenced in Section 379 of the Penal Code. (14) Body branding, as referenced in Sections 119301 and 119302 of the Health and Safety Code. (15) Permanent tattoo, as referenced in Sections 119301 and 119302 of the Health and Safety Code and Section 653 of the Penal Code. (16) Drug paraphernalia, as referenced in Section 11364.5 of the Health and Safety Code. (17) Electronic cigarette, as referenced in Section 119405 of the Health and Safety Code. (18) Obscene matter, as referenced in Section 311 of the Penal Code. (19) A less lethal weapon, as referenced in Sections 16780 and 19405 of the Penal Code. (j) The marketing and advertising restrictions described in subdivisions (a), (b), and (c) shall not apply to the incidental placement of products or services embedded in content if the content is not distributed by or at the direction of the operator primarily for the purposes of marketing and advertising of the products or services described in subdivision (i). (k) "Marketing or advertising" means, in exchange for monetary compensation, to make a communication to one or more individuals, or to arrange for the dissemination to the public of a communication, about a product or service the primary purpose of which is to encourage recipients of the communication to purchase or use the product or service.SEC. 2.Section 22581 of the Business and Professions Code is amended to read: 22581. (a) An operator of an Internet Web site or online service, such as an online application or a mobile application, directed to minors or an operator of an Internet Web site or online service, such as an online application or a mobile application, that has actual knowledge that a minor is using its Internet Web site or online service, such as an online application or a mobile application, shall do all of the following: (1) Permit a minor who is a registered user of the operator's Internet Web site or online service, such as an online application or a mobile application, to remove or, if the operator prefers, to request and obtain removal of, content or information posted on the operator's Internet Web site or online service, such as an online application or a mobile application, by the user. (2) Provide notice to a minor who is a registered user of the operator's Internet Web site or online service, such as an online application or a mobile application, that the minor may remove or, if the operator prefers, request and obtain removal of, content or information posted on the operator's Internet Web site or online service, such as an online application or a mobile application, by the registered user. (3) Provide clear instructions to a minor who is a registered user of the operator's Internet Web site or online service, such as an online application or a mobile application, on how the user may remove or, if the operator prefers, request and obtain the removal of content or information posted on the operator's Internet Web site or online service, such as an online application or a mobile application. (4) Provide notice to a minor who is a registered user of the operator's Internet Web site or online service, such as an online application or a mobile application, that the removal described under paragraph (1) does not ensure complete or comprehensive removal of the content or information posted on the operator's Internet Web site or online service, such as an online application or a mobile application, by the registered user. (b) An operator or a third party is not required to erase or otherwise eliminate, or to enable erasure or elimination of, content or information in any of the following circumstances: (1) Any other provision of federal or state law requires the operator or third party to maintain the content or information. (2) The content or information was stored on or posted to the operator's Internet Web site or online service, such as an online application or a mobile application, by a third party other than the minor, who is a registered user, including any content or information posted by the registered user that was stored, republished, or reposted by the third party. (3) The operator anonymizes the content or information posted by the minor who is a registered user, so that the minor who is a registered user cannot be individually identified. (4) The minor does not follow the instructions provided to the minor pursuant to paragraph (3) of subdivision (a) on how the registered user may request and obtain the removal of content or information posted on the operator's Internet Web site or online service, such as an online application or a mobile application, by the registered user. (5) The minor has received compensation or other consideration for providing the content. (c) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. (d) An operator shall be deemed compliant with this section if: (1) It renders the content or information posted by the minor user no longer visible to other users of the service and the public even if the content or information remains on the operator's servers in some form. (2) Despite making the original posting by the minor user invisible, it remains visible because a third party has copied the posting or reposted the content or information posted by the minor. (e) This section shall not be construed to require an operator of an Internet Web site or online service, such as an online application or a mobile application, to collect age information about users. (f) "Posted" means content or information that can be accessed by a user in addition to the minor who posted the content or information, whether the user is a registered user or not, of the Internet Web site or online service, such as an online application or a mobile application, where the content or information is posted.SEC. 3.Section 22584 of the Business and Professions Code is amended to read: 22584. (a) For the purposes of this section, "operator" means the operator of an Internet Web site or online service, such as an online application or a mobile application, with actual knowledge that the Internet Web site or online service, such as an online application or a mobile application, is used primarily for K-12 school purposes and was designed and marketed for K-12 school purposes. (b) An operator shall not knowingly engage in any of the following activities with respect to their Internet Web site or online service, such as an online application or a mobile application: (1) (A) Engage in targeted advertising on the operator's Internet Web site or online service, such as an online application or a mobile application, or (B) target advertising on any other Internet Web site or online service, such as an online application or a mobile application, when the targeting of the advertising is based upon any information, including covered information and persistent unique identifiers, that the operator has acquired because of the use of that operator's Internet Web site or online service, such as an online application or a mobile application, described in subdivision (a). (2) Use information, including persistent unique identifiers, created or gathered by the operator's Internet Web site or online service, such as an online application or a mobile application, to amass a profile about a K-12 student except in furtherance of K-12 school purposes. (3) Sell a student's information, including covered information. This prohibition does not apply to the purchase, merger, or other type of acquisition of an operator by another entity, provided that the operator or successor entity continues to be subject to the provisions of this section with respect to previously acquired student information. (4) Disclose covered information unless the disclosure is made: (A) In furtherance of the K-12 purpose of the Internet Web site or online service, such as an online application or a mobile application, provided the recipient of the covered information disclosed pursuant to this subparagraph: (i) Shall not further disclose the information unless done to allow or improve operability and functionality within that student's classroom or school; and (ii) Is legally required to comply with subdivision (d); (B) To ensure legal and regulatory compliance; (C) To respond to or participate in judicial process; (D) To protect the safety of users or others or security of the site; or (E) To a service provider, provided the operator contractually (i) prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator, (ii) prohibits the service provider from disclosing any covered information provided by the operator with subsequent third parties, and (iii) requires the service provider to implement and maintain reasonable security procedures and practices as provided in subdivision (d). (c) Nothing in subdivision (b) shall be construed to prohibit the operator's use of information for maintaining, developing, supporting, improving, or diagnosing the operator's Internet Web site or online service, such as an online application or a mobile application. (d) An operator shall: (1) Implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure. (2) Delete a student's covered information if the school or district requests deletion of data under the control of the school or district. (e) Notwithstanding paragraph (4) of subdivision (b), an operator may disclose covered information of a student, as long as paragraphs (1) to (3), inclusive, of subdivision (b) are not violated, under the following circumstances: (1) If other provisions of federal or state law require the operator to disclose the information, and the operator complies with the requirements of federal and state law in protecting and disclosing that information. (2) For legitimate research purposes: (A) as required by state or federal law and subject to the restrictions under applicable state and federal law or (B) as allowed by state or federal law and under the direction of a school, school district, or state department of education, if no covered information is used for any purpose in furtherance of advertising or to amass a profile on the student for purposes other than K-12 school purposes. (3) To a state or local educational agency, including schools and school districts, for K-12 school purposes, as permitted by state or federal law. (f) Nothing in this section prohibits an operator from using deidentified student covered information as follows: (1) Within the operator's Internet Web site or online service, such as an online application or a mobile application, or other Internet Web sites or online services, such as online applications or mobile applications, owned by the operator to improve educational products. (2) To demonstrate the effectiveness of the operator's products or services, including in their marketing. (g) Nothing in this section prohibits an operator from sharing aggregated deidentified student covered information for the development and improvement of educational Internet Web Sites or online services, such as online applications or mobile applications. (h) "Online service" includes, but is not limited to, cloud computing services, which must comply with this section if they otherwise meet the definition of an operator. (i) "Covered information" means personally identifiable information or materials, in any media or format that meets any of the following: (1) Is created or provided by a student, or the student's parent or legal guardian, to an operator in the course of the student's, parent's, or legal guardian's use of the operator's Internet Web site or online service, such as an online application or a mobile application, for K-12 school purposes. (2) Is created or provided by an employee or agent of the K-12 school, school district, local education agency, or county office of education, to an operator. (3) Is gathered by an operator through the operation of an Internet Web site or online service, such as an online application or a mobile application, described in subdivision (a) and is descriptive of a student or otherwise identifies a student, including, but not limited to, information in the student's educational record or email, first and last name, home address, telephone number, email address, or other information that allows physical or online contact, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information. (j) "K-12 school purposes" means purposes that customarily take place at the direction of the K-12 school, teacher, or school district or aid in the administration of school activities, including, but not limited to, instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents, or are for the use and benefit of the school. (k) This section shall not be construed to limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction. ( l) This section does not limit the ability of an operator to use student data, including covered information, for adaptive learning or customized student learning purposes. (m) This section does not apply to general audience Internet Web sites or general audience online services, such as general audience online applications or general audience mobile applications, even if login credentials created for an operator's Internet Web Sites or online service, such as online application or a mobile application, may be used to access those general audience Internet Web site or online services, such as an online applications or mobile applications. (n) This section does not limit Internet service providers from providing Internet connectivity to schools or students and their families. (o) This section shall not be construed to prohibit an operator of an Internet Web site or online service, such as an online application or a mobile application, from marketing educational products directly to parents so long as the marketing did not result from the use of covered information obtained by the operator through the provision of services covered under this section. (p) This section does not impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software. (q) This section does not impose a duty upon a provider of an interactive computer service, as defined in Section 230 of Title 47 of the United States Code, to review or enforce compliance with this section by third-party content providers. (r) This section does not impede the ability of students to download, export, or otherwise save or maintain their own student created data or documents.SEC. 4.SECTION 1. Section 1798.81.5 of the Civil Code is amended to read: 1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information. (2) For the purpose of this section, the terms "own" and "license" include personal information that a business retains as part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term "maintain" includes personal information that a business maintains but does not own or license. (b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. (d) For purposes of this section, the following terms have the following meanings: (1) "Personal information" means either of the following: (A) An individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) Social security number. (ii) Driver's license number or California identification card number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (iv) Medical information. (v) Health insurance information. (B) A username or emailaddress,address in combination with a password or security question and answer that would permit access to an online account. (2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual' s medical history or medical treatment or diagnosis by a health care professional. (3) "Health insurance information" means an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records. (4) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (e) The provisions of this section do not apply to any of the following: (1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1). (2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code). (3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA). (4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code. (5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.