Amended IN Assembly April 12, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 1391Introduced by Assembly Member ChauFebruary 19, 2021 An act to add Section 1724 to the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1391, as amended, Chau. Compromised Unlawfully obtained data.Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell, purchase, or utilize data, as defined, that the person knows or reasonably should know is compromised data. The bill would define the term compromised data to mean data that has been obtained or accessed pursuant to the commission of a crime. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
Amended IN Assembly April 12, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 1391Introduced by Assembly Member ChauFebruary 19, 2021 An act to add Section 1724 to the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1391, as amended, Chau. Compromised Unlawfully obtained data.Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell, purchase, or utilize data, as defined, that the person knows or reasonably should know is compromised data. The bill would define the term compromised data to mean data that has been obtained or accessed pursuant to the commission of a crime. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Assembly April 12, 2021
Amended IN Assembly April 12, 2021
CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION
Assembly Bill
No. 1391
Introduced by Assembly Member ChauFebruary 19, 2021
Introduced by Assembly Member Chau
February 19, 2021
An act to add Section 1724 to the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1391, as amended, Chau. Compromised Unlawfully obtained data.
Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell, purchase, or utilize data, as defined, that the person knows or reasonably should know is compromised data. The bill would define the term compromised data to mean data that has been obtained or accessed pursuant to the commission of a crime. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.
Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.
This bill would make it unlawful for a person to sell, purchase, or utilize data, as defined, that the person knows or reasonably should know is compromised data. The bill would define the term compromised data to mean data that has been obtained or accessed pursuant to the commission of a crime. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
SECTION 1. Section 1724 is added to the Civil Code, to read:
### SECTION 1.
1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.(e) Liability under this section shall not limit or preclude liability under any other law.
1724. (a) As used in this section, compromised data means data, as defined in Section 502 of the Penal Code, that has been obtained or accessed pursuant to the commission of a crime. section:
(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, as applicable.
(2) Data has the same meaning as defined in Section 502 of the Penal Code.
(b) It is unlawful for a person to sell, purchase, or utilize data that the person knows or reasonably should know is compromised data. sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime.
(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to the commission of a crime.
(d) This section shall not be construed to limit the constitutional rights of the public, including those described in Bartnicki v. Vopper, (2001) 532 U.S. 514, pertaining to the rights of whistleblowers and the press regarding matters of public concern.
(e) Liability under this section shall not limit or preclude liability under any other law.