California 2017 2017-2018 Regular Session

California Assembly Bill AB2182 Amended / Bill

Filed 05/25/2018


Amended IN  Assembly  May 25, 2018
Amended IN  Assembly  March 15, 2018

CALIFORNIA LEGISLATURE 2017-2018 REGULAR SESSION

Assembly Bill No. 2182

Introduced by Assembly Member Levine
February 12, 2018

 An act to amend Section 1798.81.5 of the Civil Code, and to add Section 12804.1 to the Government Code, relating to privacy. An act to add Section 340 to the Business and Professions Code, relating to privacy.

## LEGISLATIVE COUNSEL'S DIGEST

AB 2182, as amended, Levine. Privacy: Department of Consumer Affairs: California Data Protection Authority. online platforms: personal data privacy.

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit the commercial Internet Web site or online service to conspicuously post, or make available, its privacy policy, as specified.

Existing law creates the Department of Consumer Affairs in the Business, Consumer Services, and Housing Agency. Existing law establishes among the powers and duties of the Director of Consumer Affairs, the duty to propose and assist in the creation and development of consumer education programs.

This bill would require the department to establish an Internet Web portal linked to its Consumer Information Center Internet Web page that contains links to the personal data privacy policies of online platforms, including social media, as specified.

Existing law creates the Department of Consumer Affairs in the Business, Consumer Services, and Housing Agency.

This bill would require the Department of Consumer Affairs to establish the California Data Protection Authority to, among other things, adopt regulations as necessary to protect California residents, including regulations to standardize online user agreements to facilitate the removal of personal information from an edge provider database and to prohibit edge provider Internet Web sites from conducting potentially harmful experiments on nonconsenting users.

Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

This bill would state the intent of the Legislature to ensure that personal information can be removed from the database of an edge provider, as defined, when a user chooses not to continue to be a customer of that edge provider.

Existing law requires a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party to require by contract that the 3rd party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure, as specified.

This bill would also require a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated 3rd party to state in plain language in a privacy policy or user agreement that it may disclose personal information to a nonaffiliated 3rd party.

Existing law permits compliance by a business with state or federal law that provides greater protection to personal information than that provided by the provisions described above to be deemed compliance with these provisions, as specified.

This bill would condition compliance with the provisions described above by compliance with other state and federal law upon determination by the California Data Protection Authority, at least every 5 years, that those state and federal laws provide greater protection than these provisions.

## Digest Key

Vote: MAJORITY  Appropriation: NO  Fiscal Committee: YES  Local Program: NO

## Bill Text

The people of the State of California do enact as follows:

### SECTION 1.

Section 340 is added to the Business and Professions Code, to be added to Article 7 (formerly commencing with Section 350) of Chapter 4 of Division 1, to read:

340. (a) Consistent with subdivision (f) of Section 310, the department shall establish an Internet Web portal linked to its Consumer Information Center Internet Web page that contains links to the personal data privacy policies of online platforms, including social media.

(b) The department shall determine the threshold for the number of annual users of, or visitors to, an online platform that will have the privacy policy linked through the portal.

(c) This section shall not be construed to require an online platform to disclose information beyond what is already required by existing law.

(d) Nothing in this section shall be construed to authorize a private cause of action for relief or damages.

### SECTION 1.

Section 1798.81.5 of the Civil Code is amended to read:

1798.81.5. (a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) It is the intent of the Legislature to ensure that personal information can be removed from the database of an edge provider, defined as any individual or entity in California that provides any content, application, or service over the Internet, and any individual or entity in California that provides a device used for accessing any content, application, or service over the Internet, when a user chooses not to continue to be a customer of that edge provider.

(3) For the purpose of this section, the terms "own" and "license" include personal information that a business retains as part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term "maintain" includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. That business shall also, in plain language, state in a privacy policy or user agreement that it may disclose personal information to a nonaffiliated third party.

(d) For purposes of this section, the following terms have the following meanings:

(1) "Personal information" means either of the following:

(A) An individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver's license number or California identification card number.

(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(iv) Medical information.

(v) Health insurance information.

(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional.

(3) "Health insurance information" means an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

(4) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects provided that the Data Protection Authority determines, at least every five years, that the state or federal law provides greater protection to personal information than this section. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.

### SEC. 2.

Section 12804.1 is added to the Government Code, to read:

12804.1. (a) The Department of Consumer Affairs shall establish the California Data Protection Authority to adopt regulations as necessary to protect California residents including, but not limited to, all of the following:

(1) Regulations to standardize online user agreements to help users clearly understand what permission a user gives to a company regarding the use and dissemination of his or her personal information.

(2) Regulations to facilitate the removal of personal information, as defined in subdivision (e) of Section 1798.80, from an edge provider database when a user chooses not to continue to be a customer of that edge provider.

(3) Regulations to prohibit edge provider Internet Web sites from conducting potentially harmful experiments on nonconsenting users.

(b) The authority shall evaluate the sufficiency of state and federal personal information protection laws in comparison to the protections provided in Section 1798.81.5 of the Civil Code to determine whether a business that is regulated by those laws shall be deemed in compliance with Section 1798.81.5 of the Civil Code because they provide greater protection to personal information.

(c) For purposes of this section, "edge provider" means any individual or entity in California that provides any content, application, or service over the Internet, and any individual or entity in California that provides a device used for accessing any content, application, or service over the Internet.

The people of the State of California do enact as follows:

## The people of the State of California do enact as follows:

SECTION 1. Section 340 is added to the Business and Professions Code, to be added to Article 7 (formerly commencing with Section 350) of Chapter 4 of Division 1, to read:340. (a) Consistent with subdivision (f) of Section 310, the department shall establish an Internet Web portal linked to its Consumer Information Center Internet Web page that contains links to the personal data privacy policies of online platforms, including social media.(b) The department shall determine the threshold for the number of annual users of, or visitors to, an online platform that will have the privacy policy linked through the portal.(c) This section shall not be construed to require an online platform to disclose information beyond what is already required by existing law.(d) Nothing in this section shall be construed to authorize a private cause of action for relief or damages.

(a) (1) It is the intent of the Legislature to ensure that personal information about California residents is protected. To that end, the purpose of this section is to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.

(2) It is the intent of the Legislature to ensure that personal information can be removed from the database of an edge provider, defined as any individual or entity in California that provides any content, application, or service over the Internet, and any individual or entity in California that provides a device used for accessing any content, application, or service over the Internet, when a user chooses not to continue to be a customer of that edge provider.

(3) For the purpose of this section, the terms "own" and "license" include personal information that a business retains as part of the business's internal customer account or for the purpose of using that information in transactions with the person to whom the information relates. The term "maintain" includes personal information that a business maintains but does not own or license.

(b) A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

(c) A business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party that is not subject to subdivision (b) shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. That business shall also, in plain language, state in a privacy policy or user agreement that it may disclose personal information to a nonaffiliated third party.

(d) For purposes of this section, the following terms have the following meanings:

(1) "Personal information" means either of the following:

(A) An individual's first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver's license number or California identification card number.

(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

(iv) Medical information.

(v) Health insurance information.

(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history or medical treatment or diagnosis by a health care professional.

(3) "Health insurance information" means an individual's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

(4) "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(e) The provisions of this section do not apply to any of the following:

(1) A provider of health care, health care service plan, or contractor regulated by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1).

(2) A financial institution as defined in Section 4052 of the Financial Code and subject to the California Financial Information Privacy Act (Division 1.2 (commencing with Section 4050) of the Financial Code).

(3) A covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA).

(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.

(5) A business that is regulated by state or federal law providing greater protection to personal information than that provided by this section in regard to the subjects addressed by this section. Compliance with that state or federal law shall be deemed compliance with this section with regard to those subjects provided that the Data Protection Authority determines, at least every five years, that the state or federal law provides greater protection to personal information than this section. This paragraph does not relieve a business from a duty to comply with any other requirements of other state and federal law regarding the protection and privacy of personal information.
