California 2017 2017-2018 Regular Session

California Senate Bill SB327 Amended / Bill

Filed 03/20/2017

Amended IN Senate March 20, 2017

CALIFORNIA LEGISLATURE 2017-2018 REGULAR SESSION

Senate Bill No. 327

Introduced by Senator Jackson
February 13, 2017

An act to amend Section 1798.84 of add Title 1.81.26 (commencing with Section 1798.91.01) to Part 4 of Division 3 of the Civil Code, relating to information privacy.

## LEGISLATIVE COUNSEL'S DIGEST

SB 327, as amended, Jackson. Information privacy. privacy: connected devices.

Existing law requires a business to take all reasonable steps to dispose of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable. Existing law also requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law authorizes a customer injured by a violation of these provisions to institute a civil action to recover damages.

This bill would make a nonsubstantive change to those provisions. require a manufacturer that sells or offers to sell a connected device, defined as any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device, to equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect it from unauthorized access, destruction, use, modification, or disclosure, and to design the device to indicate when it is collecting information and to obtain consumer consent before it collects or transmits information, as specified. The bill would also require a person who sells or offers to sell a connected device to provide a short, plainly written notice of the connected device's information collection functions at the point of sale, as specified. The bill would require a manufacturer of a connected device to provide direct notification of security patches and updates to a consumer who purchases the device.

## Digest Key

Vote: MAJORITY  Appropriation: NO  Fiscal Committee: NO  Local Program: NO

## Bill Text

The people of the State of California do enact as follows:

### SECTION 1.

Title 1.81.26 (commencing with Section 1798.91.01) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.26. Security of Connected Devices

1798.91.01. (a) A manufacturer that sells or offers to sell a connected device in this state shall equip the device with reasonable security features appropriate to the nature of the device and the information it may collect, contain, or transmit, that protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

(b) A manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.

(c) A manufacturer that sells or offers to sell a connected device in this state shall design the device to obtain consumer consent before it collects or transmits information beyond what is necessary in order to fulfill a consumer transaction or for the stated functionality of the connected device.

1798.91.02. (a) A person who sells or offers to sell a connected device in this state shall provide a short, plainly written notice of the connected device's information collection functions at the point of sale that contains, but is not limited to, all of the following:

(1) Whether the device is capable of collecting audio, video, location, biometric, health, or other personal or sensitive consumer information.

(2) Where a consumer can find the applicable privacy policy for the connected device.

(3) How the consumer will be notified directly of security patches and updates applicable to the connected device.

(b) Direct notification of security patches and updates shall be provided to a consumer who purchases a connected device by the manufacturer of that device in addition to any other notices required by law.

1798.91.03. For purposes of this title, the following terms have the following meanings:

(a) "Connected device" means any device, sensor, or other physical object that is capable of connecting to the Internet, directly or indirectly, or to another connected device.

(b) "Person" means an individual, partnership, corporation, association, or other group, however organized.

### SECTION 1.

Section 1798.84 of the Civil Code is amended to read:

1798.84. (a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.

(b) A customer injured by a violation of this title may institute a civil action to recover damages.

(c) In addition, for a willful, intentional, or reckless violation of Section 1798.83, a customer may recover a civil penalty not to exceed three thousand dollars ($3,000) per violation; otherwise, the customer may recover a civil penalty of up to five hundred dollars ($500) per violation for a violation of Section 1798.83.

(d) Unless the violation is willful, intentional, or reckless, a business that is alleged to have not provided all the information required by subdivision (a) of Section 1798.83, to have provided inaccurate information, failed to provide any of the information required by subdivision (a) of Section 1798.83, or failed to provide information in the time period required by subdivision (b) of Section 1798.83, may assert as a complete defense in any action in law or equity that it thereafter provided regarding the information that was alleged to be untimely, all the information, or accurate information, to all customers who were provided incomplete or inaccurate information, respectively, within 90 days of the date the business knew that it had failed to provide the information, timely information, all the information, or the accurate information, respectively.

(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.

(f) (1) A cause of action shall not lie against a business for disposing of abandoned records containing personal information by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.

(2) The Legislature finds and declares that when records containing personal information are abandoned by a business, they often end up in the possession of a storage company or commercial landlord. It is the intent of the Legislature in paragraph (1) to create a safe harbor for such a record custodian who properly disposes of the records in accordance with paragraph (1).

(g) A prevailing plaintiff in any action commenced under Section 1798.83 shall also be entitled to recover his or her reasonable attorney's fees and costs.

(h) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
