Amended IN Senate June 14, 2019 Amended IN Assembly April 30, 2019 Amended IN Assembly April 12, 2019 Amended IN Assembly March 19, 2019 CALIFORNIA LEGISLATURE 20192020 REGULAR SESSION Assembly Bill No. 1146Introduced by Assembly Member BermanFebruary 21, 2019 An act to amend Section Sections 1798.105 and 1798.145 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1146, as amended, Berman. California Consumer Privacy Act of 2018: exemptions: vehicle information.Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know the categories of personal information, as well as the specific pieces of personal information, that a business collects about the consumer. direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. Under the act, a consumer also has the right to request that a business delete personal information about the consumer that the business has collected from the consumer, subject to certain conditions. Existing law excepts from the act certain categories of personal information from its provisions. This bill would except from the California Consumer Privacy Act of 2018 right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicles manufacturer, if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall, shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall, as specified. The bill would define terms for that purpose. The bill would also except from the right to request a business to delete personal information about the consumer the personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or federally mandated recall covering a product that the consumer purchased.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.105 of the Civil Code is amended to read:1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.SECTION 1.SEC. 2. Section 1798.145 of the Civil Code is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
Amended IN Senate June 14, 2019 Amended IN Assembly April 30, 2019 Amended IN Assembly April 12, 2019 Amended IN Assembly March 19, 2019 CALIFORNIA LEGISLATURE 20192020 REGULAR SESSION Assembly Bill No. 1146Introduced by Assembly Member BermanFebruary 21, 2019 An act to amend Section Sections 1798.105 and 1798.145 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1146, as amended, Berman. California Consumer Privacy Act of 2018: exemptions: vehicle information.Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know the categories of personal information, as well as the specific pieces of personal information, that a business collects about the consumer. direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. Under the act, a consumer also has the right to request that a business delete personal information about the consumer that the business has collected from the consumer, subject to certain conditions. Existing law excepts from the act certain categories of personal information from its provisions. This bill would except from the California Consumer Privacy Act of 2018 right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicles manufacturer, if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall, shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall, as specified. The bill would define terms for that purpose. The bill would also except from the right to request a business to delete personal information about the consumer the personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or federally mandated recall covering a product that the consumer purchased.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Amended IN Senate June 14, 2019 Amended IN Assembly April 30, 2019 Amended IN Assembly April 12, 2019 Amended IN Assembly March 19, 2019
Amended IN Senate June 14, 2019
Amended IN Assembly April 30, 2019
Amended IN Assembly April 12, 2019
Amended IN Assembly March 19, 2019
CALIFORNIA LEGISLATURE 20192020 REGULAR SESSION
Assembly Bill No. 1146
Introduced by Assembly Member BermanFebruary 21, 2019
Introduced by Assembly Member Berman
February 21, 2019
An act to amend Section Sections 1798.105 and 1798.145 of the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1146, as amended, Berman. California Consumer Privacy Act of 2018: exemptions: vehicle information.
Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know the categories of personal information, as well as the specific pieces of personal information, that a business collects about the consumer. direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. Under the act, a consumer also has the right to request that a business delete personal information about the consumer that the business has collected from the consumer, subject to certain conditions. Existing law excepts from the act certain categories of personal information from its provisions. This bill would except from the California Consumer Privacy Act of 2018 right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicles manufacturer, if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall, shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall, as specified. The bill would define terms for that purpose. The bill would also except from the right to request a business to delete personal information about the consumer the personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or federally mandated recall covering a product that the consumer purchased.
Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know the categories of personal information, as well as the specific pieces of personal information, that a business collects about the consumer. direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. Under the act, a consumer also has the right to request that a business delete personal information about the consumer that the business has collected from the consumer, subject to certain conditions. Existing law excepts from the act certain categories of personal information from its provisions.
This bill would except from the California Consumer Privacy Act of 2018 right to opt out vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicles manufacturer, if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall, shared for the purpose of effectuating or in anticipation of effectuating a vehicle repair covered by a vehicle warranty or a recall, as specified. The bill would define terms for that purpose.
The bill would also except from the right to request a business to delete personal information about the consumer the personal information that is necessary for the business to maintain in order to fulfill the terms of a written warranty or federally mandated recall covering a product that the consumer purchased.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 1798.105 of the Civil Code is amended to read:1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.SECTION 1.SEC. 2. Section 1798.145 of the Civil Code is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 1798.105 of the Civil Code is amended to read:1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
SECTION 1. Section 1798.105 of the Civil Code is amended to read:
### SECTION 1.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.(3) Debug to identify and repair errors that impair existing intended functionality.(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.(8) Comply with a legal obligation.(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
1798.105. (a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumers rights to request the deletion of the consumers personal information.
(c) A business that receives a verifiable consumer request from a consumer to delete the consumers personal information pursuant to subdivision (a) of this section shall delete the consumers personal information from its records and direct any service providers to delete the consumers personal information from their records.
(d) A business or a service provider shall not be required to comply with a consumers request to delete the consumers personal information if it is necessary for the business or service provider to maintain the consumers personal information in order to:
(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or federally mandated recall covering a product purchased by the consumer, provide a good or service requested by the consumer, or reasonably anticipated within the context of a businesss business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(3) Debug to identify and repair errors that impair existing intended functionality.
(4) Exercise free speech, ensure the right of another consumer to exercise his or her that consumers right of free speech, or exercise another right provided for by law.
(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses business deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumers relationship with the business.
(8) Comply with a legal obligation.
(9) Otherwise use the consumers personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
SECTION 1.SEC. 2. Section 1798.145 of the Civil Code is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
SECTION 1.SEC. 2. Section 1798.145 of the Civil Code is amended to read:
### SECTION 1.SEC. 2.
1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) For purposes of this subdivision:(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
1798.145. (a) The obligations imposed on businesses by this title shall not restrict a businesss business ability to:
(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.
(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) (1) This title shall not apply to any of the following:
(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.
(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.
(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.
(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.
(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.
(g) (1) This title, except with respect to Sections 1798.100, 1798.110, 1798.115, and 1798.150, Section 1798.120 shall not apply to vehicle information, including information or ownership information, information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle or ownership information is shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code. Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.
(2) For purposes of this subdivision:
(A) Vehicle information means the vehicle information number, make, model, year, and odometer reading.
(B) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.
(h) Notwithstanding a businesss business obligations to respond to and honor consumer rights requests pursuant to this title:
(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.
(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.
(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(i) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
(j) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.
(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.