BILL NUMBER: SB 1666	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  AUGUST 7, 2006
	AMENDED IN ASSEMBLY  JUNE 21, 2006
	AMENDED IN ASSEMBLY  JUNE 8, 2006
	AMENDED IN SENATE  MARCH 28, 2006

INTRODUCED BY   Senator Bowen
   (Coauthors: Senators Kuehl and Romero)
   (Coauthors: Assembly Members Koretz, Laird, and Pavley)

                        FEBRUARY 24, 2006

   An act to amend Sections 1798.80 and 1798.84 of, and to add
Section 1798.83.5 to, the Civil Code, relating to personal
information.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 1666, as amended, Bowen  Personal information: prohibited
practices.
   Existing law requires a business to ensure the privacy of a
customer's personal information, as defined, contained in records, as
defined, by destroying, or arranging for the destruction of, the
records. Existing law requires, subject to certain exceptions, a
business that discloses a customer's personal information, including
information relating to income or purchases, to a 3rd party for
direct marketing purposes to provide the customer, within 30 days
after the customer's request, as specified, in writing or by e-mail
the names and addresses of the recipients of that information and
specified details regarding the information disclosed, except as
specified. Existing law requires a person or business that owns or
licenses computerized data that include personal information to
disclose any breach of the security of its system, as specified.
Existing law requires a business, other than specified entities, that
owns or licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices
to protect personal information from unauthorized access,
destruction, use, modification, or disclosure. Any customer injured
by a business' violation of these provisions is entitled to recover
damages, a civil penalty, attorney's fees, injunctive relief, and
other remedies.
    This bill would include a telephone calling pattern record or
list in the definition of "personal information" for purposes of the
above-described provisions. The bill would also prohibit any person,
as defined, from, among other things, obtaining or attempting to
obtain, or causing or attempting to cause the disclosure of, personal
information about a customer or employee contained in the
records of a business through specified methods, such as by
making false, fictitious, or fraudulent statements or
representations, with specified exceptions. The bill would provide
civil remedies for the violation thereof, and would make related and
conforming changes in that regard.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Section 1798.80 of the Civil Code is amended to read:
   1798.80.  The following definitions apply to this title:
   (a) "Business" means a sole proprietorship, partnership,
corporation, association, or other group, however organized, and
whether or not organized to operate at a profit, including a
financial institution organized, chartered, or holding a license or
authorization certificate under the law of this state, any other
state, the United States, or of any other country, or the parent or
the subsidiary of a financial institution. The term includes an
entity that destroys records.
   (b) "Customer" means an individual who provides personal
information to a business for the purpose of purchasing or leasing a
product or obtaining a service from the business.
   (c) "Individual" means a natural person.
   (d) "Person" means an individual, business association,
partnership, limited partnership, corporation, limited liability
company, trust, estate, cooperative association or other entity.
   (e) "Personal information" means any information that identifies,
relates to, describes, or is capable of being associated with, a
particular individual, including, but not limited to, his or her
name, signature, social security number, physical characteristics or
description, address, telephone number, telephone calling pattern
record or list, passport number, driver's license or state
identification card number, insurance policy number, education,
employment, employment history, bank account number, credit card
number, debit card number, or any other financial information.
   (f) "Records" means any material, regardless of the physical form,
on which information is recorded or preserved by any means,
including in written or spoken words, graphically depicted, printed,
or electromagnetically transmitted. "Records" does not include
publicly available directories containing information an individual
has voluntarily consented to have publicly disseminated or listed,
such as name, address, or telephone number.
  SEC. 2.  Section 1798.83.5 is added to the Civil Code, to read:
   1798.83.5.  (a) No person shall obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be disclosed, personal
information about a customer or employee contained in the
records of a business using any of the following methods:
   (1) By making a false, fictitious, or fraudulent statement or
representation to an officer, employee, or agent of a business.
   (2) By making a false, fictitious, or fraudulent statement or
representation to a customer of a business.
   (3) By providing any document to an officer, employee, or agent of
a business, knowing that the document is forged, counterfeit, lost,
or stolen, was fraudulently obtained, or contains a false,
fictitious, or fraudulent statement or representation.
   (b) No person shall request a person to obtain personal
information about a customer or employee contained in the
records of a business, knowing that the person will obtain, or
attempt to obtain, the information in any manner described in
subdivision (a).
   (c) No provision of this section shall be construed to prevent any
action by a law enforcement agency, or any officer, employee, or
agent of that agency, to obtain personal information about a customer
or employee contained in the records of a business, as
permitted by law in connection with the performance of the official
duties of the agency.
   (d) No provision of this section shall be construed to prevent any
business, or any officer, employee, or agent of that business, from
obtaining personal information about a customer or employee
contained in the records of the business, in the course of any
of the following:
   (1) Testing the security procedures or systems of the business,
for maintaining the confidentiality of personal information about a
customer or employee.
   (2) Investigating allegations of misconduct or negligence on the
part of any officer, employee, or agent of the business.
   (3) Recovering personal information about a customer or employee
of the business, which was obtained or received by another person in
any manner described in subdivision (a) or (b).
   (4) Analyzing its customer records for patterns of activity in an
effort to identify fraud or identity theft.
   (e) Any personal information that is obtained in violation of
subdivision (a) or (b) shall be inadmissible as evidence in any
judicial, administrative, legislative, or other proceeding, except
when that information is offered as proof in an action for a
violation of this title.
   (f) No provision of this section shall be construed to prevent any
person from obtaining personal information pursuant to a lawfully
issued and noticed subpoena or court order.
   (g) The rights and remedies of a customer or employee for a
violation of this section are the remedies provided in Section
1798.84.
  SEC. 3.  Section 1798.84 of the Civil Code is amended to read:
   1798.84.  (a) Any waiver of a provision of this title is contrary
to public policy and is void and unenforceable.
   (b) Any customer injured by a violation of this title may
institute a civil action to recover damages.
   (c) In addition, for a willful, intentional, or reckless violation
of Section 1798.83 or 1798.83.5, a customer may recover a civil
penalty not to exceed three thousand dollars ($3,000) per violation;
otherwise, the customer may recover a civil penalty of up to five
hundred dollars ($500) per violation for a violation of Section
1798.83 or 1798.83.5.
   (d) Unless the violation is willful, intentional, or reckless, a
business that is alleged to have not provided all the information
required by subdivision (a) of Section 1798.83, to have provided
inaccurate information, failed to provide any of the information
required by subdivision (a) of Section 1798.83, or failed to provide
information in the time period required by subdivision (b) of Section
1798.83, may assert as a complete defense in any action in law or
equity that it thereafter provided regarding the information that was
alleged to be untimely, all the information, or accurate
information, to all customers who were provided incomplete or
inaccurate information, respectively, within 90 days of the date the
business knew that it had failed to provide the information, timely
information, all the information, or the accurate information,
respectively.
   (e) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
   (f) A prevailing plaintiff in any action commenced under Section
1798.83 or 1798.83.5 shall also be entitled to recover his or her
reasonable attorney's fees and costs.
   (g) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.
   (h) The term "customer," as used in this section, with respect to
a violation of Section 1798.83.5 only, includes a customer or
employee of a business.