Amended IN Assembly March 24, 2025 Amended IN Assembly March 13, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 364Introduced by Assembly Member DeMaioFebruary 03, 2025 An act to amend Section 1798.100 of, and to add Section 1798.122 to, the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTAB 364, as amended, DeMaio. Personal information: maintenance. The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information, as specified. The CCPA requires a business that controls the collection of a consumers personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.This bill would enact the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumers personal information outside of the United States. The bill would prohibit a business from maintaining a consumers personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumers personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act.SECTION 1.SEC. 2. Section 1798.100 of the Civil Code is amended to read:1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.SEC. 2.SEC. 3. Section 1798.122 is added to the Civil Code, to read:1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.SEC. 3.SEC. 4. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
Amended IN Assembly March 24, 2025 Amended IN Assembly March 13, 2025 CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Assembly Bill No. 364Introduced by Assembly Member DeMaioFebruary 03, 2025 An act to amend Section 1798.100 of, and to add Section 1798.122 to, the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTAB 364, as amended, DeMaio. Personal information: maintenance. The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information, as specified. The CCPA requires a business that controls the collection of a consumers personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.This bill would enact the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumers personal information outside of the United States. The bill would prohibit a business from maintaining a consumers personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumers personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Amended IN Assembly March 24, 2025 Amended IN Assembly March 13, 2025
Amended IN Assembly March 24, 2025
Amended IN Assembly March 13, 2025
CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION
Assembly Bill
No. 364
Introduced by Assembly Member DeMaioFebruary 03, 2025
Introduced by Assembly Member DeMaio
February 03, 2025
An act to amend Section 1798.100 of, and to add Section 1798.122 to, the Civil Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 364, as amended, DeMaio. Personal information: maintenance.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information, as specified. The CCPA requires a business that controls the collection of a consumers personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.This bill would enact the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumers personal information outside of the United States. The bill would prohibit a business from maintaining a consumers personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumers personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumers personal information, as specified. The CCPA requires a business that controls the collection of a consumers personal information to, at or before the point of collection, inform a consumer of, among other things, the categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that information is sold or shared. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.
This bill would enact the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act which would additionally require a business to disclose to a consumer if the business intends to maintain the consumers personal information outside of the United States. The bill would prohibit a business from maintaining a consumers personal information outside of the United States unless, among other things, the consumer explicitly consented to the business maintaining the consumers personal information outside of the United States. The bill would also prohibit a business from maintaining personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act.SECTION 1.SEC. 2. Section 1798.100 of the Civil Code is amended to read:1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.SEC. 2.SEC. 3. Section 1798.122 is added to the Civil Code, to read:1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.SEC. 3.SEC. 4. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act.
SECTION 1. This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act.
SECTION 1. This act shall be known, and may be cited, as the Stop Foreign Governments from Accessing Californians Sensitive Personal Information Act.
### SECTION 1.
SECTION 1.SEC. 2. Section 1798.100 of the Civil Code is amended to read:1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
SECTION 1.SEC. 2. Section 1798.100 of the Civil Code is amended to read:
### SECTION 1.SEC. 2.
1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
1798.100. General Duties of Businesses that Collect Personal Information(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.(4) If the business intends to maintain the consumers personal information outside of the United States.(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
1798.100. General Duties of Businesses that Collect Personal Information
(a) A business that controls the collection of a consumers personal information shall, at or before the point of collection, inform a consumer of all of the following:
(1) The categories of personal information to be collected, the purposes for which the categories of personal information are collected or used, and whether that personal information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.
(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.
(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumers personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
(4) If the business intends to maintain the consumers personal information outside of the United States.
(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage home page of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.
(c) A business collection, use, retention, and sharing of a consumers personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
(d) A business that collects a consumers personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:
(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.
(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business obligations under this title.
(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.
(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
(e) A business that collects a consumers personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.
SEC. 2.SEC. 3. Section 1798.122 is added to the Civil Code, to read:1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
SEC. 2.SEC. 3. Section 1798.122 is added to the Civil Code, to read:
### SEC. 2.SEC. 3.
1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.(3) The personal information is not health care information, financial information, or geolocation data.(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
1798.122. (a) A business shall not maintain a consumers personal information outside of the United States unless all of the following are true:
(1) The business has informed the consumer of potential risks associated with the business maintaining the consumers personal information outside of the United States.
(2) The consumer explicitly consented to the business maintaining the consumers personal information outside of the United States.
(3) The personal information is not health care information, financial information, or geolocation data.
(b) A business shall not maintain personal information that is health care information, financial information, or geolocation data in the custody of a foreign government or a third party that is owned or controlled by a foreign government.
SEC. 3.SEC. 4. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
SEC. 3.SEC. 4. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
SEC. 3.SEC. 4. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
### SEC. 3.SEC. 4.