Amended IN Senate August 16, 2021 Amended IN Senate June 24, 2021 Amended IN Senate June 16, 2021 Amended IN Assembly April 12, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 1391Introduced by Assembly Member ChauFebruary 19, 2021 An act to add Section 1724 to the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1391, as amended, Chau. Unlawfully obtained data.Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
Amended IN Senate August 16, 2021 Amended IN Senate June 24, 2021 Amended IN Senate June 16, 2021 Amended IN Assembly April 12, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 1391Introduced by Assembly Member ChauFebruary 19, 2021 An act to add Section 1724 to the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1391, as amended, Chau. Unlawfully obtained data.Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: NO Local Program: NO
Amended IN Senate August 16, 2021 Amended IN Senate June 24, 2021 Amended IN Senate June 16, 2021 Amended IN Assembly April 12, 2021
Amended IN Senate August 16, 2021
Amended IN Senate June 24, 2021
Amended IN Senate June 16, 2021
Amended IN Assembly April 12, 2021
CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION
Assembly Bill
No. 1391
Introduced by Assembly Member ChauFebruary 19, 2021
Introduced by Assembly Member Chau
February 19, 2021
An act to add Section 1724 to the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1391, as amended, Chau. Unlawfully obtained data.
Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.This bill would make it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.
Existing law, the California Consumer Privacy Act of 2018, authorizes a consumer whose nonencrypted and nonredacted personal information, as defined, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action, as specified.
This bill would make it unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed pursuant to the commission of a crime and would also make it unlawful for a person, who is not an authorized person, as defined, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data through the commission of a crime.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Section 1724 is added to the Civil Code, to read:1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
SECTION 1. Section 1724 is added to the Civil Code, to read:
### SECTION 1.
1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
1724. (a) As used in this section:(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.(2) Data has the same meaning as defined in Section 502 of the Penal Code.(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.(g) Liability under this section shall not limit or preclude liability under any other law.(h) A violation of this section shall not constitute a crime.
1724. (a) As used in this section:
(1) Authorized person means a person who has come to possess or access the data lawfully and who continues to maintain the legal authority to possess, access, or use that data, under state or federal law, as applicable.
(2) Data has the same meaning as defined in Section 502 of the Penal Code.
(b) It is unlawful for a person to sell data, or sell access to data, that the person has obtained or accessed through pursuant to the commission of a crime.
(c) It is unlawful for a person, who is not an authorized person, to purchase or use data from a source that the person knows or reasonably should know has obtained or accessed that data pursuant to through the commission of a crime.
(d) This section shall not be construed to limit the constitutional rights of the public, the rights of whistleblowers, and the press regarding matters of public concern, including, but not limited to, those described in Bartnicki v. Vopper, (2001) 532 U.S. 514.
(e) This section does not limit providing or obtaining data in an otherwise lawful manner for the purpose of protecting a computer system or data stored in a computer system or protecting an individual from risk of identity theft. theft or fraud.
(f) The court in an action pursuant to this section may award equitable relief, including, but not limited to, an injunction, costs, and any other relief the court deems proper.
(g) Liability under this section shall not limit or preclude liability under any other law.
(h) A violation of this section shall not constitute a crime.