SECTION 1 (TITLE):
This act shall be known as the STATE Consumer Data Privacy Act.

SECTION 2 (PURPOSE):
To enhance protection of private online data.

SECTION 3 (PROVISIONS):

(a) The legislature hereby finds:

(b) Consumers shall have the right to:

(c) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(d) A business that collects personal information about a consumer shall disclose to the consumer, the information specified in section (c) above upon receipt of a verifiable request from the consumer. This section does not require a business to (1) retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained, or (2) reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

(e) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

(f) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(g) A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose the information specified in section (e) above to the consumer upon receipt of a verifiable request from the consumer.

(h) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

(i) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.

(j) A business that sells consumers’ personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale of their personal information.

(k) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.

(l) Notwithstanding subdivisions (i) and (k), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”

(m) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

(n) Nothing in section (l) prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

(0) In order to comply with the notice requirements of the above sections, a business shall,

(p) For purposes of the above sections, “business” means:

(q) For purposes of the above sections, “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to:

(r) The obligations imposed on businesses by the above sections shall not restrict a business’s ability to:

(s) Any consumer whose nonencrypted or nonredacted personal information, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(t) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

(u) A business shall be in violation of the above sections if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty in a civil action brought in the name of the people of STATE by the Attorney General of up to seven thousand five hundred dollars ($7,500) for each violation.

(v) This is a matter of statewide concern and the above sections supersede and preempt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

(w) before the above sections become operative, the Attorney General shall solicit broad public participation to adopt regulations to further their purposes.

(x) Effective date. The above sections shall take effect immediately, and shall be operational for businesses and consumers as of January 1, 2020.