Bill Text

Bill Information


Amended  IN  Senate  April 21, 2022
Amended  IN  Senate  March 07, 2022

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Senate Bill
No. 1059

Introduced by Senator Becker

February 15, 2022

An act to amend Sections 1798.99.80, 1798.99.81, 1798.99.82, and 1798.99.84 of, and to add Section 1798.99.85 to, the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 1059, as amended, Becker. Privacy: data brokers.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information that is collected or sold by a business, as defined, and also establishes, as approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, the California Privacy Protection Agency and vests it with full administrative power, authority, and jurisdiction to implement and enforce the CCPA.
The California Constitution grants a right of privacy. Existing law requires data brokers to register with, and provide certain information to, the Attorney General. Existing law defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions. Existing law subjects data brokers that fail to register to injunction and liability for civil penalties, fees, and costs in an action brought by the Attorney General, with any recovery to be deposited in the Consumer Privacy Fund, as specified. Existing law imposes a $100 civil penalty for each day a data broker fails to register.
This bill would include in the definition of data broker a business that knowingly collects and shares, as defined, certain personal information to third parties. The bill would transfer all authority and responsibilities under the provisions relating to data broker registration from the Attorney General to the CCPA, including by requiring data brokers to annually register with the CPPA on or before January 31. However, the bill would authorize the Attorney General to also bring an action against a data broker that fails to register. The bill would require data brokers to provide additional information to the CPPA during the registration process would increase the civil penalty for failing to register to $200 for each day the data broker fails to register. The bill would require the CPPA to adopt regulations in compliance with the Administrative Procedure Act on or before January 1, 2024. Act. The bill would also make other technical changes.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.99.80 of the Civil Code is amended to read:

1798.99.80.
 For purposes of this title:
(a) “Breach” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

(a)

(b) “Business” has the meaning provided in Section 1798.140.

(b)

(c) “Collect” and “collected” have the meaning provided in Section 1798.140.

(c)

(d) “Consumer” has the meaning provided in Section 1798.140.

(d)

(e) “Data broker” means a business that knowingly collects and either sells or shares to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:
(1) A consumer reporting agency to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
(2) A financial institution to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations.
(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 1791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

(e)

(f) “Personal information” has the meaning provided in Section 1798.140.

(f)

(g) “Sale” or “sold” have the meaning provided in Section 1798.140.

(g)

(h) “Sensitive personal information” has the meaning provided in Section 1798.140.

(h)

(i) “Shares” or “shared” have the meaning provided in Section 1798.140.

(i)

(j) “Third party” has the meaning provided in Section 1798.140.

SEC. 2.

 Section 1798.99.81 of the Civil Code is amended to read:

1798.99.81.
  A fund to be known as the “Data Brokers’ Registry Fund” is hereby created within the State Treasury. All registration fees received pursuant to paragraph (1) of subdivision (b) of Section 1798.99.82 shall be deposited into the Data Brokers’ Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset costs of establishing and maintaining the informational internet website described in Section 1798.99.84.

SEC. 3.

 Section 1798.99.82 of the Civil Code is amended to read:

1798.99.82.
 (a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.
(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:
(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84. Registration fees shall be deposited in the Data Brokers’ Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.
(2) Provide the following information:
(A) The name of the data broker and its primary physical, email, and internet website addresses.
(B) Whether the data broker has been breached and, if yes, additional details of each breach.
(C) Whether the data broker collects data of minors.
(D) Instructions on how consumers may exercise their rights to do any of the following:
(i) Delete personal information, as described in Section 1798.105.
(ii) Correct inaccurate personal information, as described in Section 1798.106.
(iii) Know what personal information is being collected and how to access that personal information, as described in Section 1798.110.
(iv) Know what personal information is being sold or shared, and to whom, as described in Section 1798.115.
(v) How to opt-out of the sale or sharing of personal information, as described in Section 1798.120.
(vi) How to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.
(E) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(c) A data broker that fails to register as required by this section is subject to injunction and is liable for civil penalties, fees, and costs in an action brought by the California Privacy Protection Agency or in the name of the people of the State of California by the Attorney General as follows:
(1) A civil penalty of two hundred dollars ($200) for each day the data broker fails to register as required by this section.
(2) An amount equal to the fees that were due during the period it failed to register.
(3) Expenses incurred by the California Privacy Protection Agency or Attorney General, as applicable, in the investigation and prosecution of the action as the court deems appropriate.
(d) Any penalties, fees, and expenses recovered in an action prosecuted under subdivision (c) shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160, with the intent that they be used to fully offset costs incurred by the state courts, California Privacy Protection Agency, and the Attorney General in connection with this title.

SEC. 4.

 Section 1798.99.84 of the Civil Code is amended to read:

1798.99.84.
  The California Privacy Protection Agency shall create a page on its internet website where the information provided by data brokers under this title shall be accessible to the public.

SEC. 5.

 Section 1798.99.85 is added to the Civil Code, to read:

1798.99.85.
 On or before January 1, 2024, the The California Privacy Protection Agency shall adopt regulations in compliance with the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to further the purposes of this title.

SEC. 6.

 The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020 by ensuring consumers’ rights, including the constitutional right to privacy, are protected by centralizing privacy rights enforcement with the California Privacy Protection Agency.