RECEIVED NOV 20 2017
INITIATIVE COORDINATOR
ATTORNEY GENERAL'S OFFICE

November 17, 2017

VIA MESSENGER

Initiative Coordinator
Office of the Attorney General
1300 I Street, 17th Floor
Sacramento, CA 95814

Re: The Consumer Right to Privacy Act of 2018 - Version 2, No. 17-0039, Filed October 12, 2017

Dear Initiative Coordinator:

Enclosed please find additional amendments to the above-captioned measure, submitted pursuant to Elections Code section 9002(b). In accordance with the requirements of Elections Code section 9001(a), I request that the Attorney General prepare a circulating title and summary of the chief purpose and points of the initiative measure entitled The Consumer Right to Privacy Act of 2018 - Version 2, including the amendments submitted herewith.

Please direct all correspondence and inquiries regarding this measure to:

James C. Harrison
Kristen M. Rogers
Remcho, Johansen & Purcell, LLP
1901 Harrison Street, Suite 1550
Oakland, CA 94612
Phone: (510) 346-6200
Fax: (510) 346-6201

Sincerely,

Enclosure

17-0039 Amdt.#

VERSION 2 Amendments

THE CALIFORNIA
CONSUMER PRIVACY ACT OF 2018

SEC. 1. Title.

This measure shall be known and may be cited as The California Consumer Privacy Act of 2018.

SEC. 2. Findings and Declarations.

The People of the State of California hereby find and declare all of the following:

A. In 1972, California voters amended the California Constitution to include the right of privacy among the inalienable rights of all people. Voters acted in response to the accelerating encroachment on personal freedom and security caused by increased data collection in contemporary society. The amendment established a legal and enforceable right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information. As a Californian, you retain your reasonable expectation of privacy even when you disclose your personal information to a third party.

B. Since California voters approved the right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians' privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light, a California law intended to give Californians the who, what, where, and when of how businesses handle consumers' personal information. But technology has continued to advance exponentially, and business practices have changed dramatically.

C. Many businesses collect personal information from California consumers, using hundreds of tracking and collection devices. They not only know where you live and how many children you have, but also how fast you drive, your personality, sleep habits, biometric and health information, financial information, current location, and social networks, to name just a few categories. California law has not kept pace with these developments.

D. Businesses drive the market for consumers' personal information, and they profit from buying and selling your personal information and using it for commercial
purposes.

E. The proliferation of personal information over which consumers lack control has limited Californians' ability to properly protect and safeguard their privacy. Businesses use this personal information for their own purposes, including selling it to and sharing it with other businesses for their commercial purposes without your knowledge, discriminating against you based on price or service level, targeting you with ads, and compiling information about your location, habits, and preferences into an extensive electronic dossier on you. Some businesses fail to take adequate precautions to protect this personal information from security breaches and identity theft, putting your privacy at risk. Often, you may not even know that these records exist, or you cannot determine who has access to them, or to whom they are being sold, or with whom they are being shared.

F. At the same time, you are in a position of relative dependence on businesses that collect your information. It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing your personal information. Given how much communication and commerce occur online or through apps, it is easy for companies to monitor what you do and collect ever-increasing amounts and categories of data about you. But it is difficult, and in many cases impossible, for you to monitor a business's operations and prevent companies from selling your personal information. Providing information to a company is not the same as making it available to the public generally, and you have a reasonable expectation that businesses will respect your privacy and take reasonable precautions to safeguard your personal information.

G. You should have the right to know what personal information businesses collect about you and your children and what they do with it, including to whom they sell it.

H. You should also be able to control the use of your, and your children's, personal information, and be able to stop
businesses from selling your information. Your decision to request information from a business about its collection and sale of your personal information, or to tell a business to stop selling your personal information, should not affect the price, quality, or level of the goods or services you receive. It is possible for businesses both to respect your privacy and provide a high level of quality and service and a fair price.

SEC. 3. Purpose and Intent.

In enacting this Act, it is the purpose and intent of the people of the State of California to further the constitutional right of privacy by giving consumers an effective way to control their personal information, thereby affording better protection for their own privacy and autonomy, by:

A. Giving California consumers the right to know what categories of personal information a business has collected about them and their children.

B. Giving California consumers the right to know whether a business has sold this personal information, or disclosed it for a business purpose, and to whom.

C. Requiring a business to disclose to a California consumer if it sells any of the consumer's personal information and allowing a consumer to tell the business to stop selling the consumer's personal information.

D. Preventing a business from denying, changing, or charging more for a service if a California consumer requests information about the business's collection or sale of the consumer's personal information, or refuses to allow the business to sell the consumer's personal information.

E. Requiring businesses to safeguard California consumers' personal information and holding them accountable if such information is compromised as a result of a security breach arising from the business's failure to take reasonable steps to protect the security of consumers' sensitive information.

SEC. 4. The California Consumer Privacy Act of 2018 shall be codified by adding Sections 1798.100 to 1798.115, inclusive, to the Civil Code.

SEC. 4.1. Section 1798.100 is added to the Civil Code to read:

1798.100. Right to Know What Personal Information is Being Collected.

1798.100. (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the categories of personal information it has collected about that consumer.
(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of section 1798.104, the information specified in subdivision (a) of this section upon receipt of a verifiable request from the consumer.
(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of section 1798.104, the categories of personal information it has collected about consumers.

SEC. 4.2. Section 1798.101 is added to the Civil Code to read:

1798.101. Right to Know Whether Personal Information is Sold or Disclosed and to Whom.

1798.101. (a) A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:
(1) the categories of personal information that the business sold about the consumer and the identity of the third parties to whom such personal information was sold, by category or categories of personal information for each third party to whom such personal information was sold; and
(2) the categories of personal information that the business disclosed about the consumer for a business purpose and the identity of the persons to whom such personal information was disclosed for a business purpose, by category or categories of personal information for each person to whom such personal information was disclosed for a business purpose.
(b) A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of
section 1798.104, the information specified in subdivision (a) of this section to the consumer upon receipt of a verifiable request from the consumer.
(c) A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of section 1798.104:
(1) the category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it shall disclose that fact; and
(2) the category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.

SEC. 4.3. Section 1798.102 is added to the Civil Code to read:

1798.102. Right to Say No to Sale of Personal Information.

1798.102. (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer not to sell the consumer's personal information. This right may be referred to as the right to opt out.
(b) A business that sells consumers' personal information shall provide notice to consumers, pursuant to subdivision (a) of section 1798.105, that such information may be sold and that consumers have the right to opt out of the sale of their personal information.
(c) A business that has received direction from a consumer not to sell the consumer's personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of section 1798.105, from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information.

SEC. 4.4. Section 1798.103 is added to the Civil Code to read:

1798.103. Right to Equal Service and Price.

1798.103. A business shall be prohibited from discriminating against a consumer because the consumer
requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer's personal information pursuant to section 1798.102, or because the consumer exercised the consumer's rights to enforce this Act, including but not limited to, by:
(a) denying goods or services to the consumer;
(b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
(c) providing a different level or quality of goods or services to the consumer; or
(d) suggesting that the consumer will receive a different price or rate for goods or services, or a different level or quality of goods or services, if the consumer exercises the consumer's rights under this Act.

SEC. 4.5. Section 1798.104 is added to the Civil Code to read:

1798.104. Compliance with Right to Know and Disclosure Requirements.

1798.104. (a) In order to comply with sections 1798.100, 1798.101, and 1798.103, a business shall:
(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to sections 1798.100 and 1798.101, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address.
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business's duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The disclosure shall cover the twelve-month period preceding the business's receipt of the verifiable request and shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does
not maintain an account with the business. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
(3) For purposes of subdivision (b) of section 1798.100:
(A) to identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer; and
(B) identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information collected.
(4) For purposes of subdivision (b) of section 1798.101:
(A) to identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer;
(B) identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information, and provide accurate names and contact information for the third parties to whom the consumer's personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information sold for each third party; and
(C) identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information, and provide accurate names and contact information for the persons to whom the consumer's personal information was disclosed for a business purpose in the preceding 12 months by reference to
the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information disclosed for each person.
The business shall disclose the information required by subparagraphs (B) and (C) in two separate lists.
(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain such policies, on its website, and update such information at least once every 12 months:
(A) A description of a consumer's rights pursuant to sections 1798.100, 1798.101, and 1798.103 and one or more designated methods for submitting requests;
(B) For purposes of subdivision (c) of section 1798.100, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information collected; and
(C) For purposes of paragraphs (1) and (2) of subdivision (c) of section 1798.101, two separate lists:
(i) a list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information sold, or if the business has not sold consumers' personal information in the preceding 12 months, the business shall disclose that fact; and
(ii) a list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) of this section that most closely describe(s) the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.
(6)
Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this Act are informed of all requirements in sections 1798.100, 1798.101, 1798.103, and this section, and how to direct consumers to exercise their rights under those sections; and
(7) Use any personal information collected from the consumer in connection with the business's verification of the consumer's request solely for the purposes of verification.
(b) A business is not obligated to provide the information required by sections 1798.100 and 1798.101 to the same consumer more than once in a 12-month period.
(c) The categories of personal information required to be disclosed pursuant to sections 1798.100 and 1798.101 are all of the following:
(1) Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
(2) All categories of personal information enumerated in Civil Code 1798.80 et seq., with specific reference to the category of information that has been collected;
(3) All categories of personal information relating to characteristics of protected classifications under California or federal law, with specific reference to the category of information that has been collected, such as race, ethnicity, or gender;
(4) Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
(5) Biometric data;
(6) Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
(7) Geolocation data;
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
(9) Psychometric information;
(10) Professional or employment-related information;
(11) Inferences drawn
from any of the information identified above; and
(12) Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.

SEC. 4.6. Section 1798.105 is added to the Civil Code to read:

1798.105. Compliance with Right to Say No and Notice Requirements.

1798.105. (a) A business that is required to comply with section 1798.102 shall:
(1) Provide a clear and conspicuous link on the business's homepage, titled "Do Not Sell My Personal Information," to a webpage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information.
(2) Include a description of a consumer's rights pursuant to section 1798.102, along with a separate link to the "Do Not Sell My Personal Information" webpage, in: (A) its online privacy policy or policies if the business has an online privacy policy or policies; and (B) any California-specific description of consumers' privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this Act are informed of all requirements in section 1798.102 and this section and how to direct consumers to exercise their rights under those sections.
(4) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
(5) For a consumer who has opted out of the sale of the consumer's personal information, respect the consumer's decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer's personal information; and
(6) Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of
complying with the opt-out request.
(b) Nothing in this Act shall be construed to require a business to comply with the Act by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.
(c) A consumer may authorize another person to opt out on the consumer's behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf.

SEC. 4.7. Section 1798.106 is added to the Civil Code to read:

1798.106. Definitions.

1798.106. For purposes of Sections 1798.100 to 1798.115, inclusive, the following definitions shall apply:
(a) "Biometric data" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric data includes but is not limited to imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(b) "Business" means:
(1) a sole-proprietorship, partnership, limited-liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, that does business in the State of California, and that satisfies one or more of the following
thresholds:
(A) has annual gross revenues in excess of $50,000,000, as adjusted pursuant to paragraph (5) of subdivision (a) of section 1798.115; or
(B) annually sells, alone or in combination, the personal information of 100,000 or more consumers or devices; or
(C) derives 50 percent or more of its annual revenues from selling consumers' personal information; and
(2) any entity that controls or is controlled by a business, as defined in paragraph (1) of this subdivision, and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. "Common branding" means a shared name, servicemark, or trademark.
(c) "Business purpose" means the use of personal information for the business's operational purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which it is specifically permitted. Unreasonable or disproportionate use shall not be considered a business purpose. Business purposes are:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including but not limited to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such activity;
(3) Debugging to identify and repair errors that impair existing intended functionality;
(4) Short-term, transient use, provided the personal information is not disclosed to another person and is not used to build a profile
about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including but not limited to the contextual customization of ads shown as part of the same interaction; and
(5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business.
(d) "Clear and conspicuous" means: (1) in a color that contrasts with the background color or is otherwise distinguishable; (2) written in larger type than the surrounding text and in a fashion that calls attention to the language; and (3) prominently displayed so that a reasonable viewer would be able to notice, read, and understand it.
(e) "Commercial purposes" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. Commercial purposes do not include for the purpose of engaging in speech that state or federal courts have recognized as non-commercial speech, including political speech and journalism.
(f) "Collects," "collected," or "collection" means buying, renting, gathering, obtaining, storing, using, monitoring, accessing, or making inferences based upon any personal information pertaining to a consumer by any means.
(g) "Consumer" means a natural person who is a California resident, as defined in the California Code of Regulations, title 18, section 17014, as that section read on September 1, 2017, however identified, including by any unique identifier.
(h) "De-identified" means information that cannot reasonably identify, relate to, describe, reference, be capable of being associated with, or be linked, directly or indirectly, to a
particular consumer or device, provided that a business that uses de-identified information: (1) has implemented technical safeguards that prohibit re-identification of the consumer(s) to whom the information may pertain; (2) has implemented business processes that specifically prohibit re-identification of the information; (3) has implemented business processes to prevent inadvertent release of de-identified information; and (4) makes no attempt to re-identify the information.
(i) "Designated methods for submitting requests" means a mailing address, e-mail address, web page, web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this Act, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to section 1798.115. If the consumer does not maintain an account with the business, the business shall provide an opportunity for the consumer to designate whether the consumer wishes to receive the information required to be disclosed pursuant to sections 1798.100 and 1798.101 by mail or electronically, at the consumer's option.
(j) "Homepage" means the introductory page of a website and any webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page, a link within the application, such as from the application configuration, About, Information, or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of section 1798.105, including but not limited to before downloading the application.
(k) "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
(l) "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other
organization or group of persons acting in concert.
(m) "Personal information" means information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device, including but not limited to:
(1) Identifiers such as a real name, alias, postal address, unique identifier, internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
(2) Any categories of personal information enumerated in Civil Code 1798.80 et seq.;
(3) Characteristics of protected classifications under California or federal law;
(4) Commercial information, including records of property, products or services provided, obtained, or considered, or other purchasing or consuming histories or tendencies;
(5) Biometric data;
(6) Internet or other electronic network activity information, including but not limited to browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
(7) Geolocation data;
(8) Audio, electronic, visual, thermal, olfactory, or similar information;
(9) Psychometric information;
(10) Professional or employment-related information;
(11) Inferences drawn from any of the information identified above; and
(12) Any of the categories of information set forth in this subdivision as they pertain to the minor children of the consumer.
Personal information does not include information that is publicly available or that is de-identified.
(n) "Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in subdivision (m).
(o) "Psychometric information" means information derived or created from the use or application of psychometric theory or psychometrics, whereby through the use of any method, model, tool, or
formula, observable phenomena, such as actions or events, are connected, measured, assessed, or related to a consumer's attributes, including but not limited to psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(p) "Publicly available" means information that is lawfully made available from federal, state, or local government records or that is available to the general public. Publicly available does not mean biometric information collected by a business about a consumer without the consumer's knowledge.
(q) (1) "Sell," "selling," "sale," or "sold" means:
(A) selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for valuable consideration; or
(B) sharing orally, in writing, or by electronic or other means, a consumer's personal information with a third party, whether for valuable consideration or for no consideration, for the third party's commercial purposes.
(2) For purposes of this Act, a business does not sell personal information when:
(A) A consumer uses the business (i) to intentionally disclose personal information or (ii) to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party; or
(B) The business uses an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
(r) "Service" or "services" means work, labor, and services, including services furnished in connection with the sale or repair of goods.
(s) "Third party" means any person who is not:
(1) The business that collects personal
information from consumers under this Act; or
(2) A person to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract:
(A) Prohibits the person receiving the personal information from: (i) selling the personal information; (ii) retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; and (iii) retaining, using, or disclosing the information outside of the direct business relationship between the person and the business; and
(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
A person covered by paragraph (2) that violates any of the restrictions set forth in this Act shall be liable for such violations under this Act. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this Act if the person receiving the personal information uses it in violation of the restrictions set forth in this Act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
(t) "Unique identifier" means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including, but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or
device.
(u) "Verifiable request" means a request that: (1) is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a person authorized by the consumer to act on the consumer's behalf; and (2) that the business has verified, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of section 1798.115, to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to sections 1798.100 and 1798.101 if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of section 1798.115, that the consumer making the request is the consumer about whom the business has collected information.
SEC. 4.8. Section 1798.107 is added to the Civil Code to read:
1798.107. Exemptions
1798.107. (a) The obligations imposed on businesses by sections 1798.100 through 1798.105 shall not restrict a business's ability to:
(1) comply with federal, state, or local laws;
(2) comply with a civil, criminal, or regulatory investigation or subpoena or summons by federal, state, or local authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the business reasonably and in good faith believes may violate federal, state, or local law; or
(4) collect and sell a consumer's personal information if every aspect of such commercial conduct takes place wholly outside of California. For purposes of this Act, commercial conduct takes place wholly outside of California if the business collected such information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold.
(b) The obligations imposed on businesses by sections 1798.100 through 1798.105 shall not apply where compliance by the business with the Act
would violate an evidentiary privilege under California law, and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.
(c) This Act shall not apply to protected health information that is collected by a covered entity governed by the medical privacy and security rules issued by the Federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996 (HIPAA). For purposes of this subdivision, the definitions of "protected health information" and "covered entity" from the federal privacy rule shall apply.
(d) This Act shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.).
SEC. 4.9. Section 1798.108 is added to the Civil Code to read:
1798.108. Enforcement By Consumers Who Have Suffered An Injury In Fact
1798.108. (a) A consumer who has suffered a violation of this Act may bring an action for statutory damages. For purposes of Business and Professions Code section 17204 and any other applicable law, a violation of this Act shall be deemed to constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this Act.
(b)(1) Any consumer who suffers an injury in fact, as described in subdivision (a) of this section, shall recover statutory damages in the amount of one thousand dollars ($1,000) or actual damages, whichever is greater, for each violation from the business or person responsible for the
violation, except that in the case of a knowing and willful violation by a business or person, an individual shall recover statutory damages of not less than one thousand dollars ($1,000) and not more than three thousand dollars ($3,000), or actual damages, whichever is greater, for each violation from the business or person responsible for the violation.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the following: the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
(c) Notwithstanding any other law, whenever a judgment, including any consent judgment, decree, or settlement agreement, is approved by the court in a class action based on a violation of this Act, any cy pres award, unpaid cash residue, or unclaimed or abandoned class member funds attributable to a violation of this Act shall be distributed exclusively to one or more nonprofit organizations to support projects that will benefit the class or similarly situated persons, further the objectives and purposes of the underlying class action or cause of action, or promote the law consistent with the objectives and purposes of the underlying class action or cause of action, unless for good cause shown the court makes a specific finding that an alternative distribution would better serve the public interest or the interests of the class. If not specified in the judgment, the court shall set a date when the parties shall submit a report to the court regarding a plan for the distribution of any moneys pursuant to this subdivision.
(d) The remedies provided by this section are cumulative to each other and to the remedies or penalties available under all other laws of this
State.
SEC. 4.10. Section 1798.109 is added to the Civil Code to read:
1798.109. Enforcement by Public Entities
1798.109. (a) Any business or person that violates this Act shall be liable for a civil penalty as provided in section 17206 of the Business and Professions Code in a civil action brought in the name of the people of the State of California by the Attorney General, by any district attorney, by any county counsel authorized by agreement with the district attorney in actions involving a violation of a county ordinance, by any city attorney of a city having a population in excess of 750,000, by any city attorney of any city and county, or, with the consent of the district attorney, by a city prosecutor in any city having a full-time city prosecutor, in any court of competent jurisdiction.
(b) Notwithstanding section 17206 of the Business and Professions Code, any person or business that intentionally violates this Act may be liable for a civil penalty of up to $7,500 for each violation.
(c) Notwithstanding section 17206 of the Business and Professions Code, any civil penalty assessed pursuant to section 17206 for a violation of this Act, and the proceeds of any settlement of an action brought pursuant to subdivision (a) of this section, shall be allocated as follows:
(1) 20 percent to the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of section 1798.110, with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this Act.
(2) 80 percent to the jurisdiction on whose behalf the action leading to the civil penalty was brought.
(d) The Legislature shall adjust the percentages specified in subdivision (c) of this section and in subdivision (b) of section 1798.111, as necessary to ensure that any civil penalties assessed for a violation of this Act fully offset any costs incurred by the state courts and the Attorney General in connection with this Act, including a sufficient amount to cover any deficit from a prior
fiscal year. The Legislature shall not direct a greater percentage of assessed civil penalties to the Consumer Privacy Fund than reasonably necessary to fully offset any costs incurred by the state courts and the Attorney General in connection with this Act.
SEC. 4.11. Section 1798.110 is added to the Civil Code to read:
1798.110. Consumer Privacy Fund
1798.110. (a) A special account to be known as the "Consumer Privacy Fund" is hereby created within the General Fund in the State Treasury, and notwithstanding Government Code section 13340, is continuously appropriated without regard for fiscal year to offset any costs incurred by the state courts in connection with actions brought to enforce this Act and any costs incurred by the Attorney General in carrying out the Attorney General's duties under this Act.
(b) Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this Act. Such funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless the Director of Finance determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this Act, in which case the Legislature may appropriate excess funds for other purposes.
SEC. 4.12. Section 1798.111 is added to the Civil Code to read:
1798.111. Whistleblower Enforcement
1798.111. (a) Any person who becomes aware, based on non-public information, that a person or business has violated this Act may file a civil action for civil penalties pursuant to section 1798.109, if prior to filing such action, the person files with the Attorney General a written request for the Attorney General to commence the action. The request shall include a clear and concise statement of the grounds for believing a cause of action exists. The person shall make the non-public information available to the
Attorney General upon request.
(1) If the Attorney General files suit within 90 days from receipt of the written request to commence the action, no other action may be brought unless the action brought by the Attorney General is dismissed without prejudice.
(2) If the Attorney General does not file suit within 90 days from receipt of the written request to commence the action, the person requesting the action may proceed to file a civil action.
(3) The time period within which a civil action shall be commenced shall be tolled from the date of receipt by the Attorney General of the written request to either the date that the civil action is dismissed without prejudice, or for 150 days, whichever is later, but only for a civil action brought by the person who requested the Attorney General to commence the action.
(b) Notwithstanding subdivision (c) of section 1798.109, if a judgment is entered against the defendant or defendants in an action brought pursuant to this section, or the matter is settled, amounts received as civil penalties or pursuant to a settlement of the action shall be allocated as follows:
(1) If the action was brought by the Attorney General upon a request made by a person pursuant to subdivision (a), the person who made the request shall be entitled to 15 percent of the civil penalties, and the remaining proceeds shall be deposited in the Consumer Privacy Fund within the General Fund.
(2) If the action was brought by the person who made the request pursuant to subdivision (a) of this section, that person shall receive an amount the court determines is reasonable for collecting the civil penalties on behalf of the government. The amount shall be not less than 25 percent and not more than 50 percent of the proceeds of the action and shall be paid out of the proceeds. The remaining proceeds shall be deposited in the Consumer Privacy Fund within the General Fund.
(c) For purposes of this section, "non-public information" means information that has not been disclosed in a
criminal, civil, or administrative proceeding, in a government investigation, report, or audit, or by the news media or other public source of information, and that was not obtained in violation of the law.
SEC. 4.13. Section 1798.112 is added to the Civil Code to read:
1798.112. Security Breach
1798.112. A business that suffers a breach of the security of the system, as defined in subdivision (g) of section 1798.82, involving consumers' personal information, as defined in subdivision (h) of section 1798.82, shall be deemed to have violated this Act and may be held liable for such violation or violations under sections 1798.108, 1798.109, and 1798.111, if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.
SEC. 4.14. Section 1798.113 is added to the Civil Code to read:
1798.113. Construction
1798.113. This Act is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information, including, but not limited to, the California Internet Privacy Act (chapter 22 of Division 8 of the Business and Professions Code, commencing with section 22575) and the California Shine the Light Act (Title 1.81 of Part 4 of Division 3 of the Civil Code, commencing with section 1798.80). The provisions of this Act are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, existing law relating to consumers' personal information should be construed to harmonize with the provisions of this Act, but in the event of a conflict between existing law and the provisions of this Act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
SEC. 4.15. Section 1798.114 is added to the Civil Code to read:
1798.114. Imposition of
Additional Privacy Safeguards
1798.114. Nothing in this Act shall prevent a city, county, city and county, municipality, or local agency from safeguarding the constitutional right of privacy by imposing additional requirements on businesses regarding the collection and sale of consumers' personal information by businesses, provided that the requirement does not prevent a person or business from complying with this Act.
SEC. 4.16. Section 1798.115 is added to the Civil Code to read:
1798.115. Regulations
1798.115. (a) The Attorney General shall adopt regulations in the following areas to further the purposes of this Act:
(1) Adding additional categories to those enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns. In addition, upon receipt of a request made by a California city attorney or district attorney to add a new category or categories, the Attorney General shall promulgate a regulation to add such category or categories unless the Attorney General concludes, based on factual or legal findings, that there is a compelling reason not to add the category or categories. The Attorney General may also add additional categories to those enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106 in response to a petition filed pursuant to section 11340.6 of the Government Code;
(2) Adding additional items to the definition of "unique identifiers" to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business pursuant to section 1798.104;
(3) Establishing any exceptions necessary to comply with state or federal law;
(4) Establishing rules and procedures: (A) to facilitate and govern the submission of a request
by a consumer, and by an authorized agent of the consumer, to opt out of the sale of personal information pursuant to paragraph (1) of subdivision (a) of section 1798.105; (B) to govern a business's compliance with a consumer's opt-out request; and (C) for the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information;
(5) Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (b) of section 1798.106 in January of every odd-numbered year to reflect any increase in the Consumer Price Index;
(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this Act are provided in a manner so as to be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer;
(7) Establishing rules and procedures to further the purposes of sections 1798.100 and 1798.101 and to facilitate a consumer or the consumer's authorized agent's ability to obtain information pursuant to section 1798.104, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business's determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request, and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business's authentication of the consumer's identity;
(8) Defining the term "valuable consideration" as used in paragraph (1) of subdivision (q) of section 1798.106 to
ensure that a business that discloses, except as permitted by this Act, a consumer's personal information to a third party, including through a series of transactions involving multiple third parties, in exchange for any economic benefit is subject to this Act, and to include business practices involving the disclosure of personal information in exchange for something of value. "Valuable consideration" does not include the exchange of value in a transaction involving non-commercial speech, such as journalism and political speech; and
(9) Further interpret the terms "de-identified," "sell," "third party," and "business purpose," as set forth in section 1798.106, to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and to ensure compliance with the purposes of this Act, provided that such regulations do not reduce consumer privacy or the ability of consumers to stop the sale of their personal information.
(b) The Attorney General shall be precluded from adopting regulations that limit or reduce the number or scope of categories of personal information enumerated in subdivision (c) of section 1798.104 and subdivision (m) of section 1798.106, or that limit or reduce the number or scope of categories added pursuant to paragraph (1) of subdivision (a) of this section, except as necessary to comply with paragraph (3) of subdivision (a) of this section. The Attorney General shall also be precluded from reducing the scope of the definition of "unique identifiers," except as necessary to comply with paragraph (3) of subdivision (a) of this section.
(c) To the extent the Attorney General determines that it is necessary to adopt certain regulations in order to implement this Act, the Attorney General shall adopt any such regulations within six months of the date of the election at which this Act is adopted. Notwithstanding the California Administrative Procedure Act (APA), and in order to facilitate the implementation of this Act, the Attorney General may adopt interim regulations without
compliance with the procedures set forth in the APA. The interim regulations shall remain in effect for 270 days unless earlier superseded by regulations adopted pursuant to the APA.
(d) The Attorney General may adopt additional regulations as necessary to further the purposes of this Act.
SEC. 5. Amendment.
(a) The provisions of this Act may not be amended before the measure is approved by the voters. The provisions of this Act may be amended after its approval by the voters by a statute that is passed by a vote of seventy percent of the members of each house of the Legislature and signed by the Governor, provided that such amendments are consistent with and further the intent of this Act to protect the right of Californians to learn about the collection and use of their personal information, to control the sale of their personal information, and to protect their personal information against security breaches.
(b) Notwithstanding subdivision (a) of this section, the Legislature may, by a statute that is passed by a majority vote of the members of each house of the Legislature and signed by the Governor: (1) amend subdivision (c) of section 1798.109 and subdivision (b) of section 1798.111, as specified in subdivision (d) of section 1798.109; and (2) impose additional requirements on businesses regarding the collection and sale of consumers' personal information by businesses, including, but not limited to, a requirement that restricts or limits the collection, retention, use, accessing, aggregation, sale, or sharing for commercial or other purposes by a business of a consumer's personal information without a prior, express, voluntary, and revocable opt-in, or affording consumers greater protection of their right of privacy.
SEC. 6. Severability.
If any provision of this measure, or part of this measure, or the application of any provision or part to any person or circumstances, is for any reason held to be invalid, the remaining provisions, or applications of provisions, shall not be affected,
but shall remain in full force and effect, and to this end the provisions of this measure are severable. If a court were to find in a final, unreviewable judgment that the exclusion of one or more entities or activities from the applicability of the Act renders the Act unconstitutional, those exceptions should be severed and the Act should be made applicable to the entities or activities formerly exempt from the Act. It is the intent of the voters that this Act would have been enacted regardless of whether any invalid provision had been included or any invalid application had been made.
SEC. 7. Conflicting Initiatives.
(a) In the event that this measure and another measure addressing the privacy of personal information shall appear on the same statewide ballot, the provisions of the other measure or measures shall be deemed to be in conflict with this measure. In the event that this measure receives a greater number of affirmative votes than a measure deemed to be in conflict with it, the provisions of this measure shall prevail in their entirety, and the other measure or measures shall be null and void.
(b) If this measure is approved by the voters but superseded by law by any other conflicting measure approved by voters at the same election, and the conflicting ballot measure is later held invalid, this measure shall be self-executing and given full force and effect.
SEC. 8. Standing.
Notwithstanding any other provision of law, if the State or any of its officials fail to defend the constitutionality of this Act, following its approval by the voters, any other government agency of this State shall have the authority to intervene in any court action challenging the constitutionality of this Act for the purpose of defending its constitutionality, whether such action is in state or federal trial court, on appeal, or on discretionary review by the Supreme Court of California and/or the Supreme Court of the United States. The reasonable fees and costs of defending the action shall be a charge on
funds appropriated to the California Department of Justice, which shall be satisfied promptly.
SEC. 9. Anti-Avoidance Provision.
If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this Act, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this Act.
SEC. 10. Non-Waiver.
Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this Act, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business's sale of the consumer's personal information, or authorizing a business to sell the consumer's personal information after previously opting out.
SEC. 11. Liberal Construction.
This Act shall be liberally construed to effectuate its purposes.
SEC. 12. Savings Clause.
This Act is intended to supplement federal and state law, where permissible, but shall not apply where such application is preempted by, or in conflict with, federal law or the California Constitution.
SEC. 13. Effective Date.
This Act shall take effect the day after the election at which it is adopted, but shall only apply to personal information collected or sold by a business on or after nine months from the effective date.