| Old | New | Differences | |
|---|---|---|---|
| 1 | - | ||
| 1 | + | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Senate Bill No. 361Introduced by Senator BeckerFebruary 13, 2025 An act to amend Section 1798.99.82 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTSB 361, as introduced, Becker. Data broker registration: data collection.The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumers personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.Existing law requires a data broker to register with the agency, and defines data broker to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers precise geolocation, or consumers reproductive health care data.This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, and biometric data.This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Section 1798.99.82 of the Civil Code is amended to read:1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.SEC. 2. The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers. | |
| 2 | 2 | ||
| 3 | - | ||
| 3 | + | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION Senate Bill No. 361Introduced by Senator BeckerFebruary 13, 2025 An act to amend Section 1798.99.82 of the Civil Code, relating to privacy. LEGISLATIVE COUNSEL'S DIGESTSB 361, as introduced, Becker. Data broker registration: data collection.The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumers personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.Existing law requires a data broker to register with the agency, and defines data broker to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers precise geolocation, or consumers reproductive health care data.This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, and biometric data.This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO | |
| 4 | 4 | ||
| 5 | - | Amended IN Senate March 24, 2025 | |
| 6 | 5 | ||
| 7 | - | Amended IN Senate March 24, 2025 | |
| 6 | + | ||
| 7 | + | ||
| 8 | 8 | ||
| 9 | 9 | CALIFORNIA LEGISLATURE 20252026 REGULAR SESSION | |
| 10 | 10 | ||
| 11 | 11 | Senate Bill | |
| 12 | 12 | ||
| 13 | 13 | No. 361 | |
| 14 | 14 | ||
| 15 | 15 | Introduced by Senator BeckerFebruary 13, 2025 | |
| 16 | 16 | ||
| 17 | 17 | Introduced by Senator Becker | |
| 18 | 18 | February 13, 2025 | |
| 19 | 19 | ||
| 20 | 20 | An act to amend Section 1798.99.82 of the Civil Code, relating to privacy. | |
| 21 | 21 | ||
| 22 | 22 | LEGISLATIVE COUNSEL'S DIGEST | |
| 23 | 23 | ||
| 24 | 24 | ## LEGISLATIVE COUNSEL'S DIGEST | |
| 25 | 25 | ||
| 26 | - | SB 361, as | |
| 26 | + | SB 361, as introduced, Becker. Data broker registration: data collection. | |
| 27 | 27 | ||
| 28 | - | The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumers personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.Existing law requires a data broker to register with the agency, and defines data broker to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers precise geolocation, or consumers reproductive health care data.This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, | |
| 28 | + | The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumers personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA.Existing law requires a data broker to register with the agency, and defines data broker to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers precise geolocation, or consumers reproductive health care data.This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, and biometric data.This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons. | |
| 29 | 29 | ||
| 30 | 30 | The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumers personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce the CCPA. | |
| 31 | 31 | ||
| 32 | 32 | Existing law requires a data broker to register with the agency, and defines data broker to mean a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law requires a data broker, in registering with the agency, to pay a registration fee in an amount determined by the agency and provide specified information, including, among other things, the name of the data broker and its primary physical, email, and internet website addresses, and whether the data broker collects the personal information of minors, consumers precise geolocation, or consumers reproductive health care data. | |
| 33 | 33 | ||
| 34 | - | This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, | |
| 34 | + | This bill would require a data broker to provide additional information to the agency, including whether the data broker collects consumers login or account information, various government identification numbers, citizenship data, union membership status, sexual orientation status, and biometric data. | |
| 35 | 35 | ||
| 36 | 36 | This bill would declare that it furthers the purposes and intent of the CPRA for specified reasons. | |
| 37 | 37 | ||
| 38 | 38 | ## Digest Key | |
| 39 | 39 | ||
| 40 | 40 | ## Bill Text | |
| 41 | 41 | ||
| 42 | - | The people of the State of California do enact as follows:SECTION 1. Section 1798.99.82 of the Civil Code is amended to read:1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers | |
| 42 | + | The people of the State of California do enact as follows:SECTION 1. Section 1798.99.82 of the Civil Code is amended to read:1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.SEC. 2. The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers. | |
| 43 | 43 | ||
| 44 | 44 | The people of the State of California do enact as follows: | |
| 45 | 45 | ||
| 46 | 46 | ## The people of the State of California do enact as follows: | |
| 47 | 47 | ||
| 48 | - | SECTION 1. Section 1798.99.82 of the Civil Code is amended to read:1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers | |
| 48 | + | SECTION 1. Section 1798.99.82 of the Civil Code is amended to read:1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title. | |
| 49 | 49 | ||
| 50 | 50 | SECTION 1. Section 1798.99.82 of the Civil Code is amended to read: | |
| 51 | 51 | ||
| 52 | 52 | ### SECTION 1. | |
| 53 | 53 | ||
| 54 | - | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers | |
| 54 | + | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title. | |
| 55 | 55 | ||
| 56 | - | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers | |
| 56 | + | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title. | |
| 57 | 57 | ||
| 58 | - | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers | |
| 58 | + | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.(2) Provide the following information:(A) The name of the data broker and its primary physical, email, and internet website addresses.(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.(C) Whether the data broker collects the personal information of minors.(D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party.(E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.(F) Whether the data broker collects consumers citizenship data, including immigration status.(G) Whether the data broker collects consumers union membership status.(H) Whether the data broker collects consumers sexual orientation status.(I) Whether the data broker collects consumers biometric data. (D)(J) Whether the data broker collects consumers precise geolocation.(E)(K) Whether the data broker collects consumers reproductive health care data.(F)(L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.(G)(M) A link to a page on the data brokers internet website that does both of the following:(i) Details how consumers may exercise their privacy rights by doing all of the following:(I) Deleting personal information, as described in Section 1798.105.(II) Correcting inaccurate personal information, as described in Section 1798.106.(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.(ii) Does not make use of any dark patterns.(H)(N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).(ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).(I)(O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.(2) An amount equal to the fees that were due during the period it failed to register.(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title. | |
| 59 | 59 | ||
| 60 | 60 | ||
| 61 | 61 | ||
| 62 | 62 | 1798.99.82. (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section. | |
| 63 | 63 | ||
| 64 | 64 | (b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following: | |
| 65 | 65 | ||
| 66 | 66 | (1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph. | |
| 67 | 67 | ||
| 68 | 68 | (2) Provide the following information: | |
| 69 | 69 | ||
| 70 | 70 | (A) The name of the data broker and its primary physical, email, and internet website addresses. | |
| 71 | 71 | ||
| 72 | 72 | (B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85. | |
| 73 | 73 | ||
| 74 | 74 | (C) Whether the data broker collects the personal information of minors. | |
| 75 | 75 | ||
| 76 | 76 | (D) Whether the data broker collects consumers account login or account number in combination with any required security code, access code, or password that would permit access to a consumers account with a third party. | |
| 77 | 77 | ||
| 78 | 78 | (E) Whether the data broker collects consumers drivers license number, California identification card number, tax identification number, social security number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual. | |
| 79 | 79 | ||
| 80 | 80 | (F) Whether the data broker collects consumers citizenship data, including immigration status. | |
| 81 | 81 | ||
| 82 | 82 | (G) Whether the data broker collects consumers union membership status. | |
| 83 | 83 | ||
| 84 | 84 | (H) Whether the data broker collects consumers sexual orientation status. | |
| 85 | 85 | ||
| 86 | - | (I) Whether the data broker collects consumers | |
| 86 | + | (I) Whether the data broker collects consumers biometric data. | |
| 87 | 87 | ||
| 88 | - | ( | |
| 88 | + | (D) | |
| 89 | 89 | ||
| 90 | 90 | ||
| 91 | 91 | ||
| 92 | - | (J) Whether the data broker collects consumers | |
| 92 | + | (J) Whether the data broker collects consumers precise geolocation. | |
| 93 | 93 | ||
| 94 | - | ( | |
| 94 | + | (E) | |
| 95 | 95 | ||
| 96 | 96 | ||
| 97 | 97 | ||
| 98 | - | (K) Whether the data broker collects consumers | |
| 98 | + | (K) Whether the data broker collects consumers reproductive health care data. | |
| 99 | 99 | ||
| 100 | - | ( | |
| 100 | + | (F) | |
| 101 | 101 | ||
| 102 | 102 | ||
| 103 | 103 | ||
| 104 | - | (L) Whether the data broker | |
| 104 | + | (L) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency. | |
| 105 | 105 | ||
| 106 | - | ( | |
| 106 | + | (G) | |
| 107 | 107 | ||
| 108 | 108 | ||
| 109 | 109 | ||
| 110 | - | (M) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency. | |
| 111 | - | ||
| 112 | - | (M) | |
| 113 | - | ||
| 114 | - | ||
| 115 | - | ||
| 116 | - | (N) A link to a page on the data brokers internet website that does both of the following: | |
| 110 | + | (M) A link to a page on the data brokers internet website that does both of the following: | |
| 117 | 111 | ||
| 118 | 112 | (i) Details how consumers may exercise their privacy rights by doing all of the following: | |
| 119 | 113 | ||
| 120 | 114 | (I) Deleting personal information, as described in Section 1798.105. | |
| 121 | 115 | ||
| 122 | 116 | (II) Correcting inaccurate personal information, as described in Section 1798.106. | |
| 123 | 117 | ||
| 124 | 118 | (III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110. | |
| 125 | 119 | ||
| 126 | 120 | (IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115. | |
| 127 | 121 | ||
| 128 | 122 | (V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120. | |
| 129 | 123 | ||
| 130 | 124 | (VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121. | |
| 131 | 125 | ||
| 132 | 126 | (ii) Does not make use of any dark patterns. | |
| 133 | 127 | ||
| 134 | - | ( | |
| 128 | + | (H) | |
| 135 | 129 | ||
| 136 | 130 | ||
| 137 | 131 | ||
| 138 | - | ( | |
| 132 | + | (N) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following: | |
| 139 | 133 | ||
| 140 | 134 | (i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.). | |
| 141 | 135 | ||
| 142 | 136 | (ii) The Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations. | |
| 143 | 137 | ||
| 144 | 138 | (iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code). | |
| 145 | 139 | ||
| 146 | 140 | (iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191). | |
| 147 | 141 | ||
| 148 | - | ( | |
| 142 | + | (I) | |
| 149 | 143 | ||
| 150 | 144 | ||
| 151 | 145 | ||
| 152 | - | ( | |
| 146 | + | (O) Any additional information or explanation the data broker chooses to provide concerning its data collection practices. | |
| 153 | 147 | ||
| 154 | 148 | (c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows: | |
| 155 | 149 | ||
| 156 | 150 | (1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section. | |
| 157 | 151 | ||
| 158 | 152 | (2) An amount equal to the fees that were due during the period it failed to register. | |
| 159 | 153 | ||
| 160 | 154 | (3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate. | |
| 161 | 155 | ||
| 162 | 156 | (d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows: | |
| 163 | 157 | ||
| 164 | 158 | (1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86. | |
| 165 | 159 | ||
| 166 | 160 | (2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action. | |
| 167 | 161 | ||
| 168 | 162 | (e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title. | |
| 169 | 163 | ||
| 170 | 164 | SEC. 2. The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers. | |
| 171 | 165 | ||
| 172 | 166 | SEC. 2. The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers. | |
| 173 | 167 | ||
| 174 | 168 | SEC. 2. The Legislature finds and declares that this act advances the purposes and intent of the California Privacy Rights Act of 2020 by strengthening the constitutional right to privacy and safeguarding consumers rights. To achieve this, the act expands disclosure requirements for data brokers, thereby enhancing transparency for consumers. | |
| 175 | 169 | ||
| 176 | 170 | ### SEC. 2. |