| 1 | | - | Amended IN Assembly April 10, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1355Introduced by Assembly Member Ward(Principal coauthor: Assembly Member Aguiar-Curry)(Coauthor: Senator Wiener)February 21, 2025 An act to amend Sections 1798.100 and 1798.121 of, to add Section 1798.14.5 to, and to add Title 1.81.24 (commencing with Section 1798.90.75) to Part 4 of Division 3 of of, the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1355, as amended, Ward. Location privacy.Existing(1) Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use, as prescribed. Existing law defines sensitive personal information to mean, among other things, personal information that reveals a consumers precise geolocation. Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.This bill would prohibit a covered entity, as defined, entity from collecting or using processing the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual. The bill would impose various other restrictions on covered entities with regard to location information. The bill would define various terms for purposes of these provisions, including location information to mean information that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device, as specified.This bill would require a covered entity to prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. The bill would require a covered entity to maintain and make available to the data subject a location privacy policy that includes specified information on data usage and management and is subject to a specified notice procedure.This bill would make a covered entity that violates these provisions liable for actual damages suffered by a person denied a right under these provisions and other specified relief. The bill would authorize the Attorney General or other public prosecutors to bring an action against a covered entity that violates these provisions.This bill would require a business, as defined by the CCPA, to comply with the above-described provisions.(2) Existing law, the Information Practices Act of 1977, prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined.This bill would prohibit a state or local agency, including an agency as defined under the Information Practices Act, from monetizing, as defined, location information. By imposing new requirements on local agencies, this bill would impose a state-mandated local program.The(3) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.The(4) The California Consumer Privacy Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.14.5 is added to the Civil Code, to read:1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75).SECTION 1.SEC. 2. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual.(b) It is unlawful for a covered entity or service provider that collects or uses processes location information to do any of the following: (1)Collect more precise(1) (A) Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual.(B) Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5)Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6)(5) The data management and data security policies governing location information.(7)(6) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78.(a)Whoever1798.90.78. (a) The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein.(b) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b)(c) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c)(d) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy.SEC. 3. Section 1798.100 of the Civil Code is amended to read:1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following:(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75).(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.SEC. 4. Section 1798.121 of the Civil Code is amended to read:1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75).SEC. 2.SEC. 5. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.SEC. 3.SEC. 6. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 1 | + | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 1355Introduced by Assembly Member Ward(Principal coauthor: Assembly Member Aguiar-Curry)(Coauthor: Senator Wiener)February 21, 2025 An act to add Title 1.81.24 (commencing with Section 1798.90.75) to Part 4 of Division 3 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTAB 1355, as introduced, Ward. Location privacy.Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use, as prescribed. Existing law defines sensitive personal information to mean, among other things, personal information that reveals a consumers precise geolocation. Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.This bill would prohibit a covered entity, as defined, from collecting or using the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. The bill would impose various other restrictions on covered entities with regard to location information. The bill would define location information to mean information that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device, as specified.This bill would require a covered entity to prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. The bill would require a covered entity to maintain and make available to the data subject a location privacy policy that includes specified information on data usage and management and is subject to a specified notice procedure.This bill would make a covered entity that violates these provisions liable for actual damages suffered by a person denied a right under these provisions and other specified relief. The bill would authorize the Attorney General or other public prosecutors to bring an action against a covered entity that violates these provisions.This bill would prohibit a state or local agency from monetizing, as defined, location information. By imposing new requirements on local agencies, this bill would impose a state-mandated local program.The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.The California Consumer Privacy Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES Bill TextThe people of the State of California do enact as follows:SECTION 1. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose.(b) It is unlawful for a covered entity or service provider that collects or uses location information to do any of the following: (1) Collect more precise location information than necessary to provide the goods or services requested by the individual.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5) Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6) The data management and data security policies governing location information.(7) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78. (a) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy.SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 68 | | - | The people of the State of California do enact as follows:SECTION 1. Section 1798.14.5 is added to the Civil Code, to read:1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75).SECTION 1.SEC. 2. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual.(b) It is unlawful for a covered entity or service provider that collects or uses processes location information to do any of the following: (1)Collect more precise(1) (A) Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual.(B) Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5)Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6)(5) The data management and data security policies governing location information.(7)(6) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78.(a)Whoever1798.90.78. (a) The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein.(b) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b)(c) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c)(d) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy.SEC. 3. Section 1798.100 of the Civil Code is amended to read:1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following:(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75).(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.SEC. 4. Section 1798.121 of the Civil Code is amended to read:1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75).SEC. 2.SEC. 5. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.SEC. 3.SEC. 6. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 52 | + | The people of the State of California do enact as follows:SECTION 1. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose.(b) It is unlawful for a covered entity or service provider that collects or uses location information to do any of the following: (1) Collect more precise location information than necessary to provide the goods or services requested by the individual.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5) Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6) The data management and data security policies governing location information.(7) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78. (a) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy.SEC. 2. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.SEC. 3. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 74 | | - | SECTION 1. Section 1798.14.5 is added to the Civil Code, to read:1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 58 | + | SECTION 1. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose.(b) It is unlawful for a covered entity or service provider that collects or uses location information to do any of the following: (1) Collect more precise location information than necessary to provide the goods or services requested by the individual.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5) Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6) The data management and data security policies governing location information.(7) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78. (a) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 80 | | - | 1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 64 | + | TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose.(b) It is unlawful for a covered entity or service provider that collects or uses location information to do any of the following: (1) Collect more precise location information than necessary to provide the goods or services requested by the individual.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5) Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6) The data management and data security policies governing location information.(7) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78. (a) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 82 | | - | 1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 83 | | - | |
|---|
| 84 | | - | 1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 85 | | - | |
|---|
| 86 | | - | |
|---|
| 87 | | - | |
|---|
| 88 | | - | 1798.14.5. Each agency shall not monetize location information, consistent with Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 89 | | - | |
|---|
| 90 | | - | SECTION 1.SEC. 2. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read:TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual.(b) It is unlawful for a covered entity or service provider that collects or uses processes location information to do any of the following: (1)Collect more precise(1) (A) Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual.(B) Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5)Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6)(5) The data management and data security policies governing location information.(7)(6) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78.(a)Whoever1798.90.78. (a) The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein.(b) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b)(c) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c)(d) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 91 | | - | |
|---|
| 92 | | - | SECTION 1.SEC. 2. Title 1.81.24 (commencing with Section 1798.90.75) is added to Part 4 of Division 3 of the Civil Code, to read: |
|---|
| 93 | | - | |
|---|
| 94 | | - | ### SECTION 1.SEC. 2. |
|---|
| 95 | | - | |
|---|
| 96 | | - | TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual.(b) It is unlawful for a covered entity or service provider that collects or uses processes location information to do any of the following: (1)Collect more precise(1) (A) Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual.(B) Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5)Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6)(5) The data management and data security policies governing location information.(7)(6) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78.(a)Whoever1798.90.78. (a) The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein.(b) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b)(c) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c)(d) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 97 | | - | |
|---|
| 98 | | - | TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use process the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. individual.(b) It is unlawful for a covered entity or service provider that collects or uses processes location information to do any of the following: (1)Collect more precise(1) (A) Subject to subparagraph (B), collect or process more location information than necessary to provide the goods or services requested by the individual.(B) Subparagraph (A) does not prohibit a covered entity from collecting or processing location information to respond to security incidents, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, or investigate, report or prosecute those responsible for any of those actions. Location information collected and processed under this subparagraph shall be limited to what is necessary to carry out one or more of the purposes listed in this subparagraph, and shall not be retained for longer than 24 hours.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5)Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6)(5) The data management and data security policies governing location information.(7)(6) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78.(a)Whoever1798.90.78. (a) The California Privacy Protection Agency shall have authority to enforce this title and its implementing regulations. When the agency determines that any person is violating or has violated this title, the agency may issue an order to that person to pay an administrative fine, to cease and desist from violating the title, or both. Enforcement actions shall be conducted in accordance with the provisions of Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code in the Administrative Procedure Act, and the Agency shall have all the powers granted therein.(b) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b)(c) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c)(d) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 66 | + | TITLE 1.81.24. California Location Privacy Act1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate.1798.90.76. (a) A covered entity shall not collect or use the location information of an individual unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose.(b) It is unlawful for a covered entity or service provider that collects or uses location information to do any of the following: (1) Collect more precise location information than necessary to provide the goods or services requested by the individual.(2) Retain location information longer than necessary to provide the goods or services requested by the individual.(3) Sell, rent, trade, or lease location information to third parties.(4) Derive or infer from location information any data that is not necessary to provide the goods or services requested by the individual.(5) Disclose, cause to disclose, or assist with or facilitate the disclosure of an individuals location information to third parties, unless the disclosure is necessary to provide the goods or services requested by the individual for which the information was collected, or requested by the individual to whom the location data pertains.(c) It is unlawful for a covered entity or service provider to disclose location information to any federal, state, or local government agency or official unless the agency or official serves the covered entity or service provider with a valid court order issued by a California court or a court order from another jurisdiction that is in keeping with Californias laws, including, but not limited to:(1) The Reproductive Privacy Act (Article 2.5 (commencing with Section 123460) of Chapter 2 of Part 2 of Division 106 of the Health and Safety Code).(2) A foreign penal civil action, as defined in Section 2029.200 of the Code of Civil Procedure.(d) It is unlawful for a state or local agency to monetize location information.1798.90.77. (a) A covered entity shall prominently display, at the point where location information is being captured, a notice to individuals stating that their location information is being collected, the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information.(b) A covered entity shall maintain and make available to the data subject a location privacy policy, which shall include, at a minimum, all of the following:(1) The goods or services requested by the individual for which the covered entity is collecting, processing, or disclosing any location information.(2) The type of location information collected, including the precision of the data.(3) The identities of service providers with which the covered entity contracts with respect to location data.(4) Any disclosures of location data necessary to provide the goods or services requested by the individual and the identities of the third parties to whom the location information could be disclosed.(5) Whether the covered entitys practices include the internal use of location information for purposes of targeted advertisement.(6) The data management and data security policies governing location information.(7) The retention schedule and guidelines for permanently deleting location information.(c) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its location privacy policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new location privacy policy.1798.90.78. (a) Whoever denies a right protected by this title, or aids, incites, or conspires in that denial, is liable for each and every offense for the actual damages suffered by any person denied that right and, in addition, all of the following:(1) An amount to be determined by a jury, or a court sitting without a jury, for exemplary damages.(2) A civil penalty of twenty-five thousand dollars ($25,000), to be awarded to the person denied the right protected by this title.(3) Preventive relief, including permanent or temporary injunction, restraining order, or other order against the person or persons responsible for the conduct, as the complainant deems necessary to ensure the full enjoyment of the rights described in this title.(4) Upon a motion, a court shall award reasonable attorneys fees and costs, including expert witness fees and other litigation expenses, to a prevailing plaintiff in an action brought pursuant to this section. In awarding reasonable attorneys fees, the court shall consider the degree to which the relief obtained relates to the relief sought.(b) Either of the following public entities may bring a civil action against a covered entity for a violation of this title:(1) The Attorney General in the name of the people of the State of California.(2) A district attorney, county counsel, or city attorney for the jurisdiction in which the violation occurred.(c) An action under this section shall be commenced within three years of the alleged violation of this title.1798.90.79. This title shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), or other applicable federal and state laws and regulations pertaining to health care privacy. |
|---|
| 104 | | - | 1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Process means any operation or set of operations that are performed on location information whether or not by automated means.(12) Sale means selling, auctioning, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individuals location information by the covered entity to a third party for monetary or other valuable consideration. (11)(13) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12)(14) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate. |
|---|
| 72 | + | 1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act.(b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings:(1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system.(2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.(3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information.(4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof.(5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means.(6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image.(7) Individual means a natural person located within the State of California.(8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following:(A) An internet protocol address capable of revealing the physical or geographical location of an individual. (B) Global Positioning System (GPS) coordinates.(C) Cell-site location information. (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time.(E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time.(F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time.(9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code).(10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file.(11) Service provider means an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that the service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.(12) Speed safety system means a fixed or mobile radar or laser system or any other electronic device that utilizes automated equipment to detect a violation of speed laws and obtains a clear photograph of a speeding vehicles license plate. |
|---|
| 105 | 73 | | |
|---|
| 106 | 74 | | |
|---|
| 107 | 75 | | |
|---|
| 108 | 76 | | 1798.90.75. (a) This title shall be known, and may be cited, as the California Location Privacy Act. |
|---|
| 109 | 77 | | |
|---|
| 110 | 78 | | (b) For purposes of this title, the following terms shall, unless the context clearly requires otherwise, have the following meanings: |
|---|
| 111 | 79 | | |
|---|
| 112 | 80 | | (1) Automated license plate recognition information, or ALPR information means information or data collected through the use of an ALPR system. |
|---|
| 113 | 81 | | |
|---|
| 114 | 82 | | (2) Automated license plate recognition system or ALPR system means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data. |
|---|
| 115 | 83 | | |
|---|
| 116 | 84 | | (3) Collect means to obtain, infer, generate, create, receive, or access an individuals location information. |
|---|
| 117 | 85 | | |
|---|
| 118 | 86 | | (4) Covered entity means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity includes all agents of the entity. A covered entity does not include a state or local agency, or any court of California, a clerk of the court, or a judge or justice thereof. |
|---|
| 119 | 87 | | |
|---|
| 120 | 88 | | (5) Disclose means to make location information available to a third party, including, but not limited to, by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating that location information orally, in writing, electronically, or by any other means. |
|---|
| 121 | 89 | | |
|---|
| 122 | 90 | | (6) Facial recognition technology or FRT means a system that compares a probe image of an unidentified human face against a reference photograph database, and, based on biometric data, generates possible matches to aid in identifying the person in the probe image. |
|---|
| 123 | 91 | | |
|---|
| 124 | 92 | | (7) Individual means a natural person located within the State of California. |
|---|
| 125 | 93 | | |
|---|
| 126 | 94 | | (8) Location information means information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the State of California with sufficient precision to identify street-level location information within a range of five miles or less. Location information includes, but is not limited to, the following: |
|---|
| 127 | 95 | | |
|---|
| 128 | 96 | | (A) An internet protocol address capable of revealing the physical or geographical location of an individual. |
|---|
| 129 | 97 | | |
|---|
| 130 | 98 | | (B) Global Positioning System (GPS) coordinates. |
|---|
| 131 | 99 | | |
|---|
| 132 | 100 | | (C) Cell-site location information. |
|---|
| 133 | 101 | | |
|---|
| 134 | 102 | | (D) Information captured by an automated license plate recognition system that could be used to identify the specific location of an automobile at a point in time. |
|---|
| 135 | 103 | | |
|---|
| 136 | 104 | | (E) Information or image captured by a speed safety system or other traffic monitoring system that could be used to identify the specific location of an automobile at a point in time. |
|---|
| 137 | 105 | | |
|---|
| 138 | 106 | | (F) A video or photographic image that is used as a probe image in a facial recognition technology system that could be used to identify the specific location of an individual at a point in time. |
|---|
| 139 | 107 | | |
|---|
| 140 | 108 | | (9) Monetize means to collect, process, or disclose an individuals location information for profit or in exchange for monetary or other consideration. This term includes, but is not limited to, selling, renting, trading, or leasing location information. Monetize shall not include the disclosure of public records for purposes of the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code). |
|---|
| 141 | 109 | | |
|---|
| 142 | 110 | | (10) Probe image means an image of a person that is searched against a database of known, identified persons or an unsolved photograph file. |
|---|
| 143 | 111 | | |
|---|
| 275 | | - | |
|---|
| 276 | | - | 1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following:(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75).(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185. |
|---|
| 277 | | - | |
|---|
| 278 | | - | 1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following:(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75).(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185. |
|---|
| 279 | | - | |
|---|
| 280 | | - | 1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following:(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75).(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185. |
|---|
| 281 | | - | |
|---|
| 282 | | - | |
|---|
| 283 | | - | |
|---|
| 284 | | - | 1798.100. General Duties of Businesses that Collect Personal Information |
|---|
| 285 | | - | |
|---|
| 286 | | - | (a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform consumers of the following: |
|---|
| 287 | | - | |
|---|
| 288 | | - | (1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section. |
|---|
| 289 | | - | |
|---|
| 290 | | - | (2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section. |
|---|
| 291 | | - | |
|---|
| 292 | | - | (3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. |
|---|
| 293 | | - | |
|---|
| 294 | | - | (b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location. |
|---|
| 295 | | - | |
|---|
| 296 | | - | (c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes. |
|---|
| 297 | | - | |
|---|
| 298 | | - | (d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that: |
|---|
| 299 | | - | |
|---|
| 300 | | - | (1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes. |
|---|
| 301 | | - | |
|---|
| 302 | | - | (2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title. |
|---|
| 303 | | - | |
|---|
| 304 | | - | (3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title. |
|---|
| 305 | | - | |
|---|
| 306 | | - | (4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title. |
|---|
| 307 | | - | |
|---|
| 308 | | - | (5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. |
|---|
| 309 | | - | |
|---|
| 310 | | - | (e) (1) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5. |
|---|
| 311 | | - | |
|---|
| 312 | | - | (2) A business that collects or processes location information, as defined in Section 1798.90.75, shall comply with the requirements of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 313 | | - | |
|---|
| 314 | | - | (f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185. |
|---|
| 315 | | - | |
|---|
| 316 | | - | SEC. 4. Section 1798.121 of the Civil Code is amended to read:1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 317 | | - | |
|---|
| 318 | | - | SEC. 4. Section 1798.121 of the Civil Code is amended to read: |
|---|
| 319 | | - | |
|---|
| 320 | | - | ### SEC. 4. |
|---|
| 321 | | - | |
|---|
| 322 | | - | 1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 323 | | - | |
|---|
| 324 | | - | 1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 325 | | - | |
|---|
| 326 | | - | 1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.(b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes.(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.(e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 327 | | - | |
|---|
| 328 | | - | |
|---|
| 329 | | - | |
|---|
| 330 | | - | 1798.121. Consumers Right to Limit Use and Disclosure of Sensitive Personal Information |
|---|
| 331 | | - | |
|---|
| 332 | | - | (a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumers sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumers sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information. |
|---|
| 333 | | - | |
|---|
| 334 | | - | (b) A business that has received direction from a consumer not to use or disclose the consumers sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumers sensitive personal information for any other purpose after its receipt of the consumers direction unless the consumer subsequently provides consent for the use or disclosure of the consumers sensitive personal information for additional purposes. |
|---|
| 335 | | - | |
|---|
| 336 | | - | (c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business. |
|---|
| 337 | | - | |
|---|
| 338 | | - | (d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (18) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100. |
|---|
| 339 | | - | |
|---|
| 340 | | - | (e) This section does not limit the application of Title 1.81.24 (commencing with Section 1798.90.75). |
|---|
| 341 | | - | |
|---|
| 342 | | - | SEC. 2.SEC. 5. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code. |
|---|
| 343 | | - | |
|---|
| 344 | | - | SEC. 2.SEC. 5. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code. |
|---|
| 345 | | - | |
|---|
| 346 | | - | SEC. 2.SEC. 5. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code. |
|---|
| 347 | | - | |
|---|
| 348 | | - | ### SEC. 2.SEC. 5. |
|---|
| 349 | | - | |
|---|
| 350 | | - | SEC. 3.SEC. 6. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 351 | | - | |
|---|
| 352 | | - | SEC. 3.SEC. 6. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 353 | | - | |
|---|
| 354 | | - | SEC. 3.SEC. 6. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020. |
|---|
| 355 | | - | |
|---|
| 356 | | - | ### SEC. 3.SEC. 6. |
|---|