| 1 | | - | Assembly Bill No. 335 CHAPTER 700 An act to amend Section 1798.145 of the Civil Code, relating to privacy. [ Approved by Governor October 08, 2021. Filed with Secretary of State October 08, 2021. ] LEGISLATIVE COUNSEL'S DIGESTAB 335, Boerner Horvath. California Consumer Privacy Act of 2018: vessel information.Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.This bill would exempt from the right to opt out vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall, as specified. The bill would define terms for that purpose.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.This bill would incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 694 to be operative only if this bill and AB 694 are enacted and this bill is enacted last.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.145 of the Civil Code, as amended by Section 2.3 of Chapter 763 of the Statutes of 2019, is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021.SEC. 2. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 2.5. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020.SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 1 | + | Enrolled September 13, 2021 Passed IN Senate September 08, 2021 Passed IN Assembly September 09, 2021 Amended IN Senate September 03, 2021 Amended IN Assembly March 26, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Assembly Bill No. 335Introduced by Assembly Member Boerner Horvath(Principal coauthor: Senator Bates)(Coauthors: Assembly Members ODonnell and Rodriguez)(Coauthor: Senator Jones)January 27, 2021 An act to amend Section 1798.145 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 335, Boerner Horvath. California Consumer Privacy Act of 2018: vessel information.Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.This bill would exempt from the right to opt out vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall, as specified. The bill would define terms for that purpose.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.This bill would incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 694 to be operative only if this bill and AB 694 are enacted and this bill is enacted last.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.145 of the Civil Code, as amended by Section 2.3 of Chapter 763 of the Statutes of 2019, is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021.SEC. 2. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 2.5. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020.SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 14 | 25 | | |
|---|
| 15 | 26 | | LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 16 | 27 | | |
|---|
| 17 | 28 | | ## LEGISLATIVE COUNSEL'S DIGEST |
|---|
| 18 | 29 | | |
|---|
| 19 | 30 | | AB 335, Boerner Horvath. California Consumer Privacy Act of 2018: vessel information. |
|---|
| 20 | 31 | | |
|---|
| 21 | 32 | | Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.This bill would exempt from the right to opt out vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall, as specified. The bill would define terms for that purpose.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.This bill would incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 694 to be operative only if this bill and AB 694 are enacted and this bill is enacted last. |
|---|
| 22 | 33 | | |
|---|
| 23 | 34 | | Existing law, the California Consumer Privacy Act of 2018, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to direct a business not to sell, as defined, personal information about the consumer to third parties, as defined. This right is known as the right to opt out. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. |
|---|
| 24 | 35 | | |
|---|
| 25 | 36 | | This bill would exempt from the right to opt out vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, if the information is shared for the purpose of effectuating or in anticipation of effectuating a vessel repair covered by a vessel warranty or a recall, as specified. The bill would define terms for that purpose. |
|---|
| 26 | 37 | | |
|---|
| 27 | 38 | | The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified. |
|---|
| 28 | 39 | | |
|---|
| 29 | 40 | | This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 30 | 41 | | |
|---|
| 31 | 42 | | This bill would incorporate additional changes to Section 1798.145 of the Civil Code proposed by AB 694 to be operative only if this bill and AB 694 are enacted and this bill is enacted last. |
|---|
| 32 | 43 | | |
|---|
| 33 | 44 | | ## Digest Key |
|---|
| 34 | 45 | | |
|---|
| 35 | 46 | | ## Bill Text |
|---|
| 36 | 47 | | |
|---|
| 37 | 48 | | The people of the State of California do enact as follows:SECTION 1. Section 1798.145 of the Civil Code, as amended by Section 2.3 of Chapter 763 of the Statutes of 2019, is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021.SEC. 2. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 2.5. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so.SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020.SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 38 | 49 | | |
|---|
| 39 | 50 | | The people of the State of California do enact as follows: |
|---|
| 40 | 51 | | |
|---|
| 41 | 52 | | ## The people of the State of California do enact as follows: |
|---|
| 42 | 53 | | |
|---|
| 43 | 54 | | SECTION 1. Section 1798.145 of the Civil Code, as amended by Section 2.3 of Chapter 763 of the Statutes of 2019, is amended to read:1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 44 | 55 | | |
|---|
| 45 | 56 | | SECTION 1. Section 1798.145 of the Civil Code, as amended by Section 2.3 of Chapter 763 of the Statutes of 2019, is amended to read: |
|---|
| 46 | 57 | | |
|---|
| 47 | 58 | | ### SECTION 1. |
|---|
| 48 | 59 | | |
|---|
| 49 | 60 | | 1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 50 | 61 | | |
|---|
| 51 | 62 | | 1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 52 | 63 | | |
|---|
| 53 | 64 | | 1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Exercise or defend legal claims.(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.(6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2021.(i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.(j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.(k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.(l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.(m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 54 | 65 | | |
|---|
| 55 | 66 | | |
|---|
| 56 | 67 | | |
|---|
| 57 | 68 | | 1798.145. (a) The obligations imposed on businesses by this title shall not restrict a business ability to: |
|---|
| 58 | 69 | | |
|---|
| 59 | 70 | | (1) Comply with federal, state, or local laws. |
|---|
| 60 | 71 | | |
|---|
| 61 | 72 | | (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. |
|---|
| 62 | 73 | | |
|---|
| 63 | 74 | | (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law. |
|---|
| 64 | 75 | | |
|---|
| 65 | 76 | | (4) Exercise or defend legal claims. |
|---|
| 66 | 77 | | |
|---|
| 67 | 78 | | (5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information. |
|---|
| 68 | 79 | | |
|---|
| 69 | 80 | | (6) Collect or sell a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California. |
|---|
| 70 | 81 | | |
|---|
| 71 | 82 | | (b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication. |
|---|
| 72 | 83 | | |
|---|
| 73 | 84 | | (c) (1) This title shall not apply to any of the following: |
|---|
| 74 | 85 | | |
|---|
| 75 | 86 | | (A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). |
|---|
| 76 | 87 | | |
|---|
| 77 | 88 | | (B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section. |
|---|
| 78 | 89 | | |
|---|
| 79 | 90 | | (C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration. |
|---|
| 80 | 91 | | |
|---|
| 81 | 92 | | (2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply. |
|---|
| 82 | 93 | | |
|---|
| 83 | 94 | | (d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code. |
|---|
| 84 | 95 | | |
|---|
| 85 | 96 | | (2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act. |
|---|
| 86 | 97 | | |
|---|
| 87 | 98 | | (3) This subdivision shall not apply to Section 1798.150. |
|---|
| 88 | 99 | | |
|---|
| 89 | 100 | | (e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150. |
|---|
| 90 | 101 | | |
|---|
| 91 | 102 | | (f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150. |
|---|
| 92 | 103 | | |
|---|
| 93 | 104 | | (g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 94 | 105 | | |
|---|
| 95 | 106 | | (2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 96 | 107 | | |
|---|
| 97 | 108 | | (3) For purposes of this subdivision: |
|---|
| 98 | 109 | | |
|---|
| 99 | 110 | | (A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners. |
|---|
| 100 | 111 | | |
|---|
| 101 | 112 | | (B) Vehicle information means the vehicle information number, make, model, year, and odometer reading. |
|---|
| 102 | 113 | | |
|---|
| 103 | 114 | | (C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value. |
|---|
| 104 | 115 | | |
|---|
| 105 | 116 | | (D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories: |
|---|
| 106 | 117 | | |
|---|
| 107 | 118 | | (i) An inboard engine. |
|---|
| 108 | 119 | | |
|---|
| 109 | 120 | | (ii) An outboard engine. |
|---|
| 110 | 121 | | |
|---|
| 111 | 122 | | (iii) A stern drive unit. |
|---|
| 112 | 123 | | |
|---|
| 113 | 124 | | (iv) An inflatable personal flotation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations. |
|---|
| 114 | 125 | | |
|---|
| 115 | 126 | | (h) (1) This title shall not apply to any of the following: |
|---|
| 116 | 127 | | |
|---|
| 117 | 128 | | (A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. |
|---|
| 118 | 129 | | |
|---|
| 119 | 130 | | (B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file. |
|---|
| 120 | 131 | | |
|---|
| 121 | 132 | | (C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits. |
|---|
| 122 | 133 | | |
|---|
| 123 | 134 | | (2) For purposes of this subdivision: |
|---|
| 124 | 135 | | |
|---|
| 125 | 136 | | (A) Contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 126 | 137 | | |
|---|
| 127 | 138 | | (B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 128 | 139 | | |
|---|
| 129 | 140 | | (C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code. |
|---|
| 130 | 141 | | |
|---|
| 131 | 142 | | (D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer. |
|---|
| 132 | 143 | | |
|---|
| 133 | 144 | | (E) Owner means a natural person who meets one of the following: |
|---|
| 134 | 145 | | |
|---|
| 135 | 146 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 136 | 147 | | |
|---|
| 137 | 148 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 138 | 149 | | |
|---|
| 139 | 150 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 140 | 151 | | |
|---|
| 141 | 152 | | (3) This subdivision shall not apply to subdivision (b) of Section 1798.100 or Section 1798.150. |
|---|
| 142 | 153 | | |
|---|
| 143 | 154 | | (4) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 144 | 155 | | |
|---|
| 145 | 156 | | (i) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title: |
|---|
| 146 | 157 | | |
|---|
| 147 | 158 | | (1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. |
|---|
| 148 | 159 | | |
|---|
| 149 | 160 | | (2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. |
|---|
| 150 | 161 | | |
|---|
| 151 | 162 | | (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive. |
|---|
| 152 | 163 | | |
|---|
| 153 | 164 | | (j) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title. |
|---|
| 154 | 165 | | |
|---|
| 155 | 166 | | (k) This title shall not be construed to require a business to collect personal information that it would not otherwise collect in the ordinary course of its business, retain personal information for longer than it would otherwise retain such information in the ordinary course of its business, or reidentify or otherwise link information that is not maintained in a manner that would be considered personal information. |
|---|
| 156 | 167 | | |
|---|
| 157 | 168 | | (l) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers. |
|---|
| 158 | 169 | | |
|---|
| 159 | 170 | | (m) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution. |
|---|
| 160 | 171 | | |
|---|
| 161 | 172 | | (n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency. |
|---|
| 162 | 173 | | |
|---|
| 163 | 174 | | (2) For purposes of this subdivision: |
|---|
| 164 | 175 | | |
|---|
| 165 | 176 | | (A) Contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 166 | 177 | | |
|---|
| 167 | 178 | | (B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 168 | 179 | | |
|---|
| 169 | 180 | | (C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer. |
|---|
| 170 | 181 | | |
|---|
| 171 | 182 | | (D) Owner means a natural person who meets one of the following: |
|---|
| 172 | 183 | | |
|---|
| 173 | 184 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 174 | 185 | | |
|---|
| 175 | 186 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 176 | 187 | | |
|---|
| 177 | 188 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 178 | 189 | | |
|---|
| 179 | 190 | | (3) This subdivision shall become inoperative on January 1, 2021. |
|---|
| 180 | 191 | | |
|---|
| 181 | 192 | | SEC. 2. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 182 | 193 | | |
|---|
| 183 | 194 | | SEC. 2. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read: |
|---|
| 184 | 195 | | |
|---|
| 185 | 196 | | ### SEC. 2. |
|---|
| 186 | 197 | | |
|---|
| 187 | 198 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 188 | 199 | | |
|---|
| 189 | 200 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 190 | 201 | | |
|---|
| 191 | 202 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 192 | 203 | | |
|---|
| 193 | 204 | | |
|---|
| 194 | 205 | | |
|---|
| 195 | 206 | | 1798.145. Exemptions |
|---|
| 196 | 207 | | |
|---|
| 197 | 208 | | (a) The obligations imposed on businesses by this title shall not restrict a business ability to: |
|---|
| 198 | 209 | | |
|---|
| 199 | 210 | | (1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information. |
|---|
| 200 | 211 | | |
|---|
| 201 | 212 | | (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title. |
|---|
| 202 | 213 | | |
|---|
| 203 | 214 | | (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law. |
|---|
| 204 | 215 | | |
|---|
| 205 | 216 | | (4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that: |
|---|
| 206 | 217 | | |
|---|
| 207 | 218 | | (A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information. |
|---|
| 208 | 219 | | |
|---|
| 209 | 220 | | (B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis. |
|---|
| 210 | 221 | | |
|---|
| 211 | 222 | | (C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted. |
|---|
| 212 | 223 | | |
|---|
| 213 | 224 | | (5) Exercise or defend legal claims. |
|---|
| 214 | 225 | | |
|---|
| 215 | 226 | | (6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information. |
|---|
| 216 | 227 | | |
|---|
| 217 | 228 | | (7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California. |
|---|
| 218 | 229 | | |
|---|
| 219 | 230 | | (b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication. |
|---|
| 220 | 231 | | |
|---|
| 221 | 232 | | (c) (1) This title shall not apply to any of the following: |
|---|
| 222 | 233 | | |
|---|
| 223 | 234 | | (A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). |
|---|
| 224 | 235 | | |
|---|
| 225 | 236 | | (B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section. |
|---|
| 226 | 237 | | |
|---|
| 227 | 238 | | (C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent. |
|---|
| 228 | 239 | | |
|---|
| 229 | 240 | | (2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply. |
|---|
| 230 | 241 | | |
|---|
| 231 | 242 | | (d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code. |
|---|
| 232 | 243 | | |
|---|
| 233 | 244 | | (2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act. |
|---|
| 234 | 245 | | |
|---|
| 235 | 246 | | (3) This subdivision shall not apply to Section 1798.150. |
|---|
| 236 | 247 | | |
|---|
| 237 | 248 | | (e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150. |
|---|
| 238 | 249 | | |
|---|
| 239 | 250 | | (f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150. |
|---|
| 240 | 251 | | |
|---|
| 241 | 252 | | (g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 242 | 253 | | |
|---|
| 243 | 254 | | (2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 244 | 255 | | |
|---|
| 245 | 256 | | (3) For purposes of this subdivision: |
|---|
| 246 | 257 | | |
|---|
| 247 | 258 | | (A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners. |
|---|
| 248 | 259 | | |
|---|
| 249 | 260 | | (B) Vehicle information means the vehicle information number, make, model, year, and odometer reading. |
|---|
| 250 | 261 | | |
|---|
| 251 | 262 | | (C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value. |
|---|
| 252 | 263 | | |
|---|
| 253 | 264 | | (D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories: |
|---|
| 254 | 265 | | |
|---|
| 255 | 266 | | (i) An inboard engine. |
|---|
| 256 | 267 | | |
|---|
| 257 | 268 | | (ii) An outboard engine. |
|---|
| 258 | 269 | | |
|---|
| 259 | 270 | | (iii) A stern drive unit. |
|---|
| 260 | 271 | | |
|---|
| 261 | 272 | | (iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations. |
|---|
| 262 | 273 | | |
|---|
| 263 | 274 | | (h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title: |
|---|
| 264 | 275 | | |
|---|
| 265 | 276 | | (1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. |
|---|
| 266 | 277 | | |
|---|
| 267 | 278 | | (2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. |
|---|
| 268 | 279 | | |
|---|
| 269 | 280 | | (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive. |
|---|
| 270 | 281 | | |
|---|
| 271 | 282 | | (i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title. |
|---|
| 272 | 283 | | |
|---|
| 273 | 284 | | (2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation. |
|---|
| 274 | 285 | | |
|---|
| 275 | 286 | | (j) This title shall not be construed to require a business, service provider, or contractor to: |
|---|
| 276 | 287 | | |
|---|
| 277 | 288 | | (1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information. |
|---|
| 278 | 289 | | |
|---|
| 279 | 290 | | (2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained. |
|---|
| 280 | 291 | | |
|---|
| 281 | 292 | | (3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information. |
|---|
| 282 | 293 | | |
|---|
| 283 | 294 | | (k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information, pursuant to Section 1798.110 to delete a consumers personal information, pursuant to Section 1798.105, or to correct inaccurate personal information, pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession. |
|---|
| 284 | 295 | | |
|---|
| 285 | 296 | | (l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution. |
|---|
| 286 | 297 | | |
|---|
| 287 | 298 | | (m) (1) This title shall not apply to any of the following: |
|---|
| 288 | 299 | | |
|---|
| 289 | 300 | | (A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business. |
|---|
| 290 | 301 | | |
|---|
| 291 | 302 | | (B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file. |
|---|
| 292 | 303 | | |
|---|
| 293 | 304 | | (C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits. |
|---|
| 294 | 305 | | |
|---|
| 295 | 306 | | (2) For purposes of this subdivision: |
|---|
| 296 | 307 | | |
|---|
| 297 | 308 | | (A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 298 | 309 | | |
|---|
| 299 | 310 | | (B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 300 | 311 | | |
|---|
| 301 | 312 | | (C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code. |
|---|
| 302 | 313 | | |
|---|
| 303 | 314 | | (D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer. |
|---|
| 304 | 315 | | |
|---|
| 305 | 316 | | (E) Owner means a natural person who meets one of the following criteria: |
|---|
| 306 | 317 | | |
|---|
| 307 | 318 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 308 | 319 | | |
|---|
| 309 | 320 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 310 | 321 | | |
|---|
| 311 | 322 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 312 | 323 | | |
|---|
| 313 | 324 | | (3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150. |
|---|
| 314 | 325 | | |
|---|
| 315 | 326 | | (4) This subdivision shall become inoperative on January 1, 2023. |
|---|
| 316 | 327 | | |
|---|
| 317 | 328 | | (n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency. |
|---|
| 318 | 329 | | |
|---|
| 319 | 330 | | (2) For purposes of this subdivision: |
|---|
| 320 | 331 | | |
|---|
| 321 | 332 | | (A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 322 | 333 | | |
|---|
| 323 | 334 | | (B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 324 | 335 | | |
|---|
| 325 | 336 | | (C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer. |
|---|
| 326 | 337 | | |
|---|
| 327 | 338 | | (D) Owner means a natural person who meets one of the following: |
|---|
| 328 | 339 | | |
|---|
| 329 | 340 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 330 | 341 | | |
|---|
| 331 | 342 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 332 | 343 | | |
|---|
| 333 | 344 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 334 | 345 | | |
|---|
| 335 | 346 | | (3) This subdivision shall become inoperative on January 1, 2023. |
|---|
| 336 | 347 | | |
|---|
| 337 | 348 | | (o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business. |
|---|
| 338 | 349 | | |
|---|
| 339 | 350 | | (2) For the purposes of this subdivision: |
|---|
| 340 | 351 | | |
|---|
| 341 | 352 | | (A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee. |
|---|
| 342 | 353 | | |
|---|
| 343 | 354 | | (B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42. |
|---|
| 344 | 355 | | |
|---|
| 345 | 356 | | (C) Owner means a natural person that meets one of the following: |
|---|
| 346 | 357 | | |
|---|
| 347 | 358 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 348 | 359 | | |
|---|
| 349 | 360 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 350 | 361 | | |
|---|
| 351 | 362 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 352 | 363 | | |
|---|
| 353 | 364 | | (D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 354 | 365 | | |
|---|
| 355 | 366 | | (E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer. |
|---|
| 356 | 367 | | |
|---|
| 357 | 368 | | (F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business. |
|---|
| 358 | 369 | | |
|---|
| 359 | 370 | | (p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data. |
|---|
| 360 | 371 | | |
|---|
| 361 | 372 | | (q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception. |
|---|
| 362 | 373 | | |
|---|
| 363 | 374 | | (2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception. |
|---|
| 364 | 375 | | |
|---|
| 365 | 376 | | (3) For purposes of this subdivision: |
|---|
| 366 | 377 | | |
|---|
| 367 | 378 | | (A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body. |
|---|
| 368 | 379 | | |
|---|
| 369 | 380 | | (B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person. |
|---|
| 370 | 381 | | |
|---|
| 371 | 382 | | (r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if: |
|---|
| 372 | 383 | | |
|---|
| 373 | 384 | | (1) The business has incurred significant expense in reliance on the consumers consent. |
|---|
| 374 | 385 | | |
|---|
| 375 | 386 | | (2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable. |
|---|
| 376 | 387 | | |
|---|
| 377 | 388 | | (3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 378 | 389 | | |
|---|
| 379 | 390 | | SEC. 2.5. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read:1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 380 | 391 | | |
|---|
| 381 | 392 | | SEC. 2.5. Section 1798.145 of the Civil Code, as amended November 3, 2020, by initiative Proposition 24, Section 15, is amended to read: |
|---|
| 382 | 393 | | |
|---|
| 383 | 394 | | ### SEC. 2.5. |
|---|
| 384 | 395 | | |
|---|
| 385 | 396 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 386 | 397 | | |
|---|
| 387 | 398 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 388 | 399 | | |
|---|
| 389 | 400 | | 1798.145. Exemptions(a) The obligations imposed on businesses by this title shall not restrict a business ability to:(1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title.(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.(4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that:(A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information.(B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis.(C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.(5) Exercise or defend legal claims.(6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information.(7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.(c) (1) This title shall not apply to any of the following:(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.(2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.(d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.(3) This subdivision shall not apply to Section 1798.150.(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.(g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.(3) For purposes of this subdivision:(A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners.(B) Vehicle information means the vehicle information number, make, model, year, and odometer reading.(C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.(D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:(i) An inboard engine.(ii) An outboard engine.(iii) A stern drive unit.(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.(h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title:(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.(i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.(j) This title shall not be construed to require a business, service provider, or contractor to:(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession.(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.(m) (1) This title shall not apply to any of the following:(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.(D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(E) Owner means a natural person who meets one of the following criteria:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.(4) This subdivision shall become inoperative on January 1, 2023.(n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.(2) For purposes of this subdivision:(A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract.(B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.(D) Owner means a natural person who meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(3) This subdivision shall become inoperative on January 1, 2023.(o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business.(2) For the purposes of this subdivision:(A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.(B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42.(C) Owner means a natural person that meets one of the following:(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.(iii) Has the power to exercise a controlling influence over the management of a company.(D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.(E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.(F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business.(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.(q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.(3) For purposes of this subdivision:(A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.(B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.(r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if:(1) The business has incurred significant expense in reliance on the consumers consent.(2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable.(3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 390 | 401 | | |
|---|
| 391 | 402 | | |
|---|
| 392 | 403 | | |
|---|
| 393 | 404 | | 1798.145. Exemptions |
|---|
| 394 | 405 | | |
|---|
| 395 | 406 | | (a) The obligations imposed on businesses by this title shall not restrict a business ability to: |
|---|
| 396 | 407 | | |
|---|
| 397 | 408 | | (1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information. |
|---|
| 398 | 409 | | |
|---|
| 399 | 410 | | (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriffs departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumers personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumers personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumers personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumers personal information shall not use the consumers personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumers deletion request is subject to an exemption from deletion under this title. |
|---|
| 400 | 411 | | |
|---|
| 401 | 412 | | (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law. |
|---|
| 402 | 413 | | |
|---|
| 403 | 414 | | (4) Cooperate with a government agency request for emergency access to a consumers personal information if a natural person is at risk or danger of death or serious physical injury provided that: |
|---|
| 404 | 415 | | |
|---|
| 405 | 416 | | (A) The request is approved by a high-ranking agency officer for emergency access to a consumers personal information. |
|---|
| 406 | 417 | | |
|---|
| 407 | 418 | | (B) The request is based on the agencys good faith determination that it has a lawful basis to access the information on a nonemergency basis. |
|---|
| 408 | 419 | | |
|---|
| 409 | 420 | | (C) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted. |
|---|
| 410 | 421 | | |
|---|
| 411 | 422 | | (5) Exercise or defend legal claims. |
|---|
| 412 | 423 | | |
|---|
| 413 | 424 | | (6) Collect, use, retain, sell, share, or disclose consumers personal information that is deidentified or aggregate consumer information. |
|---|
| 414 | 425 | | |
|---|
| 415 | 426 | | (7) Collect, sell, or share a consumers personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumers personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California. |
|---|
| 416 | 427 | | |
|---|
| 417 | 428 | | (b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication. |
|---|
| 418 | 429 | | |
|---|
| 419 | 430 | | (c) (1) This title shall not apply to any of the following: |
|---|
| 420 | 431 | | |
|---|
| 421 | 432 | | (A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5). |
|---|
| 422 | 433 | | |
|---|
| 423 | 434 | | (B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section. |
|---|
| 424 | 435 | | |
|---|
| 425 | 436 | | (C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent. |
|---|
| 426 | 437 | | |
|---|
| 427 | 438 | | (2) For purposes of this subdivision, the definitions of medical information and provider of health care in Section 56.05 shall apply and the definitions of business associate, covered entity, and protected health information in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply. |
|---|
| 428 | 439 | | |
|---|
| 429 | 440 | | (d) (1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumers creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code. |
|---|
| 430 | 441 | | |
|---|
| 431 | 442 | | (2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act. |
|---|
| 432 | 443 | | |
|---|
| 433 | 444 | | (3) This subdivision shall not apply to Section 1798.150. |
|---|
| 434 | 445 | | |
|---|
| 435 | 446 | | (e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150. |
|---|
| 436 | 447 | | |
|---|
| 437 | 448 | | (f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Drivers Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150. |
|---|
| 438 | 449 | | |
|---|
| 439 | 450 | | (g) (1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicles manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 440 | 451 | | |
|---|
| 441 | 452 | | (2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessels manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose. |
|---|
| 442 | 453 | | |
|---|
| 443 | 454 | | (3) For purposes of this subdivision: |
|---|
| 444 | 455 | | |
|---|
| 445 | 456 | | (A) Ownership information means the name or names of the registered owner or owners and the contact information for the owner or owners. |
|---|
| 446 | 457 | | |
|---|
| 447 | 458 | | (B) Vehicle information means the vehicle information number, make, model, year, and odometer reading. |
|---|
| 448 | 459 | | |
|---|
| 449 | 460 | | (C) Vessel dealer means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value. |
|---|
| 450 | 461 | | |
|---|
| 451 | 462 | | (D) Vessel information means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories: |
|---|
| 452 | 463 | | |
|---|
| 453 | 464 | | (i) An inboard engine. |
|---|
| 454 | 465 | | |
|---|
| 455 | 466 | | (ii) An outboard engine. |
|---|
| 456 | 467 | | |
|---|
| 457 | 468 | | (iii) A stern drive unit. |
|---|
| 458 | 469 | | |
|---|
| 459 | 470 | | (iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations. |
|---|
| 460 | 471 | | |
|---|
| 461 | 472 | | (h) Notwithstanding a business obligations to respond to and honor consumer rights requests pursuant to this title: |
|---|
| 462 | 473 | | |
|---|
| 463 | 474 | | (1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. |
|---|
| 464 | 475 | | |
|---|
| 465 | 476 | | (2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business. |
|---|
| 466 | 477 | | |
|---|
| 467 | 478 | | (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive. |
|---|
| 468 | 479 | | |
|---|
| 469 | 480 | | (i) (1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title. |
|---|
| 470 | 481 | | |
|---|
| 471 | 482 | | (2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumers rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation. |
|---|
| 472 | 483 | | |
|---|
| 473 | 484 | | (j) This title shall not be construed to require a business, service provider, or contractor to: |
|---|
| 474 | 485 | | |
|---|
| 475 | 486 | | (1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information. |
|---|
| 476 | 487 | | |
|---|
| 477 | 488 | | (2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained. |
|---|
| 478 | 489 | | |
|---|
| 479 | 490 | | (3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information. |
|---|
| 480 | 491 | | |
|---|
| 481 | 492 | | (k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumers personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business possession. |
|---|
| 482 | 493 | | |
|---|
| 483 | 494 | | (l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution. |
|---|
| 484 | 495 | | |
|---|
| 485 | 496 | | (m) (1) This title shall not apply to any of the following: |
|---|
| 486 | 497 | | |
|---|
| 487 | 498 | | (A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural persons personal information is collected and used by the business solely within the context of the natural persons role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business. |
|---|
| 488 | 499 | | |
|---|
| 489 | 500 | | (B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file. |
|---|
| 490 | 501 | | |
|---|
| 491 | 502 | | (C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits. |
|---|
| 492 | 503 | | |
|---|
| 493 | 504 | | (2) For purposes of this subdivision: |
|---|
| 494 | 505 | | |
|---|
| 495 | 506 | | (A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 496 | 507 | | |
|---|
| 497 | 508 | | (B) Director means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 498 | 509 | | |
|---|
| 499 | 510 | | (C) Medical staff member means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code. |
|---|
| 500 | 511 | | |
|---|
| 501 | 512 | | (D) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer. |
|---|
| 502 | 513 | | |
|---|
| 503 | 514 | | (E) Owner means a natural person who meets one of the following criteria: |
|---|
| 504 | 515 | | |
|---|
| 505 | 516 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 506 | 517 | | |
|---|
| 507 | 518 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 508 | 519 | | |
|---|
| 509 | 520 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 510 | 521 | | |
|---|
| 511 | 522 | | (3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150. |
|---|
| 512 | 523 | | |
|---|
| 513 | 524 | | (4) This subdivision shall become inoperative on January 1, 2023. |
|---|
| 514 | 525 | | |
|---|
| 515 | 526 | | (n) (1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency. |
|---|
| 516 | 527 | | |
|---|
| 517 | 528 | | (2) For purposes of this subdivision: |
|---|
| 518 | 529 | | |
|---|
| 519 | 530 | | (A) Independent contractor means a natural person who provides any service to a business pursuant to a written contract. |
|---|
| 520 | 531 | | |
|---|
| 521 | 532 | | (B) Director means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 522 | 533 | | |
|---|
| 523 | 534 | | (C) Officer means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer. |
|---|
| 524 | 535 | | |
|---|
| 525 | 536 | | (D) Owner means a natural person who meets one of the following: |
|---|
| 526 | 537 | | |
|---|
| 527 | 538 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 528 | 539 | | |
|---|
| 529 | 540 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 530 | 541 | | |
|---|
| 531 | 542 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 532 | 543 | | |
|---|
| 533 | 544 | | (3) This subdivision shall become inoperative on January 1, 2023. |
|---|
| 534 | 545 | | |
|---|
| 535 | 546 | | (o) (1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agencys collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumers role as the owner, director, officer, or management employee of the business. |
|---|
| 536 | 547 | | |
|---|
| 537 | 548 | | (2) For the purposes of this subdivision: |
|---|
| 538 | 549 | | |
|---|
| 539 | 550 | | (A) Business controller information means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee. |
|---|
| 540 | 551 | | |
|---|
| 541 | 552 | | (B) Commercial credit reporting agency has the meaning set forth in subdivision (b) of Section 1785.42. |
|---|
| 542 | 553 | | |
|---|
| 543 | 554 | | (C) Owner means a natural person that meets one of the following: |
|---|
| 544 | 555 | | |
|---|
| 545 | 556 | | (i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business. |
|---|
| 546 | 557 | | |
|---|
| 547 | 558 | | (ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions. |
|---|
| 548 | 559 | | |
|---|
| 549 | 560 | | (iii) Has the power to exercise a controlling influence over the management of a company. |
|---|
| 550 | 561 | | |
|---|
| 551 | 562 | | (D) Director means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors. |
|---|
| 552 | 563 | | |
|---|
| 553 | 564 | | (E) Officer means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer. |
|---|
| 554 | 565 | | |
|---|
| 555 | 566 | | (F) Management employee means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural persons role as the primary manager of the business. |
|---|
| 556 | 567 | | |
|---|
| 557 | 568 | | (p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data. |
|---|
| 558 | 569 | | |
|---|
| 559 | 570 | | (q) (1) This title does not require a business to comply with a verifiable consumer request to delete a consumers personal information under Section 1798.105 to the extent the verifiable consumer request applies to a students grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception. |
|---|
| 560 | 571 | | |
|---|
| 561 | 572 | | (2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumers specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception. |
|---|
| 562 | 573 | | |
|---|
| 563 | 574 | | (3) For purposes of this subdivision: |
|---|
| 564 | 575 | | |
|---|
| 565 | 576 | | (A) Educational standardized assessment or educational assessment means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body. |
|---|
| 566 | 577 | | |
|---|
| 567 | 578 | | (B) Jeopardize the validity and reliability of that educational standardized assessment or educational assessment means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person. |
|---|
| 568 | 579 | | |
|---|
| 569 | 580 | | (r) Sections 1798.105 and 1798.120 shall not apply to a business use, disclosure, or sale of particular pieces of a consumers personal information if the consumer has consented to the business use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumers photograph if: |
|---|
| 570 | 581 | | |
|---|
| 571 | 582 | | (1) The business has incurred significant expense in reliance on the consumers consent. |
|---|
| 572 | 583 | | |
|---|
| 573 | 584 | | (2) Compliance with the consumers request to opt out of the sale of the consumers personal information or to delete the consumers personal information would not be commercially reasonable. |
|---|
| 574 | 585 | | |
|---|
| 575 | 586 | | (3) The business complies with the consumers request as soon as it is commercially reasonable to do so. |
|---|
| 576 | 587 | | |
|---|
| 577 | 588 | | SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020. |
|---|
| 578 | 589 | | |
|---|
| 579 | 590 | | SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020. |
|---|
| 580 | 591 | | |
|---|
| 581 | 592 | | SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of The California Privacy Rights Act of 2020. |
|---|
| 582 | 593 | | |
|---|
| 583 | 594 | | ### SEC. 3. |
|---|
| 584 | 595 | | |
|---|
| 585 | 596 | | SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 586 | 597 | | |
|---|
| 587 | 598 | | SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 588 | 599 | | |
|---|
| 589 | 600 | | SEC. 4. Section 2.5 of this bill incorporates amendments to Section 1798.145 of the Civil Code proposed by both this bill and Assembly Bill 694. That section of this bill shall become operative only if (1) both bills are enacted and become effective on or before January 1, 2022, (2) each bill amends Section 1798.145 of the Civil Code, and (3) this bill is enacted after Assembly Bill 694, in which case Section 2 of this bill shall not become operative. |
|---|
| 590 | 601 | | |
|---|
| 591 | 602 | | ### SEC. 4. |
|---|