(a) The legislature hereby finds:
- (1) that it is an important and substantial state interest to protect the private, personal data in STATE;
- (2) that with the increasing use of technology and data in everyday life, there is an increasing amount of private, personal data being shared by consumers with businesses as a part of everyday transactions and online and other activities;
- (3) that the increasing collection, storage, use and sale of personal data creates increased risks of identity theft, financial loss, and other misuse of private personal data;
- (4) and that many consumers do not know, understand, or have appropriate authority over the distribution, use, sale or disclosure of their personal data.
(b) Consumers shall have the right to:
- (1) know what personal information is being collected about them.
- (2) know whether their personal information is sold or disclosed and to whom.
- (3) decline or opt-out of the sale of their personal information.
- (4) to access their personal information that has been collected.
- (5) equal service and price, even if they exercise their above rights.
(c) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:
- (1) The categories of personal information it has collected about that consumer.
- (2) The categories of sources from which the personal information is collected.
- (3) The business or commercial purpose for collecting or selling personal information.
- (4) The categories of third parties with whom the business shares personal information.
- (5) The specific pieces of personal information it has collected about that consumer.
(d) A business that collects personal information about a consumer shall disclose to the consumer, the information specified in section (c) above upon receipt of a verifiable request from the consumer. This section does not require a business to (1) retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained, or (2) reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
(e) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- (1) The categories of personal information that the business collected about the consumer.
- (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
(f) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.
- (1) A business that collects personal information about consumers shall disclose, pursuant to subsection (o) the consumer’s rights to request the deletion of the consumer’s personal information.
- (2) A business that receives a verifiable request from a consumer to delete the consumer’s personal information shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
- (3) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:
- (A) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
- (B) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- (C) Debug to identify and repair errors that impair existing intended functionality.
- (D) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- (E) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
- (F) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- (G) Comply with a legal obligation.
(g) A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose the information specified in section (e) above to the consumer upon receipt of a verifiable request from the consumer.
(h) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.
(i) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
(j) A business that sells consumers’ personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale of their personal information.
(k) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
(l) Notwithstanding subdivisions (i) and (k), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
(m) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
- (1) Denying goods or services to the consumer.
- (2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
- (3) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title.
- (4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(n) Nothing in section (l) prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.
(0) In order to comply with the notice requirements of the above sections, a business shall,
- (1) In a form that is reasonably accessible to consumers, make available to consumers two or more designated methods for submitting requests for information required to be disclosed including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.
- (2) In a form that is reasonably accessible to consumers, disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.
- (3) In a form that is reasonably accessible to consumers, provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.
- (4) Include a description of a consumer’s rights along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:
- (ii) Any STATE-specific description of consumers’ privacy rights.
- (5) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices are informed of all requirements in of these sections and how to direct consumers to exercise their rights.
- (6) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.
- (7) For a consumer who has opted out of the sale of the consumer’s personal information, respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
- (8) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
- (9) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to STATE consumers and that includes the required links and text, and the business takes reasonable steps to ensure that STATE consumers are directed to the homepage for STATE consumers and not the homepage made available to the public generally.
(p) For purposes of the above sections, “business” means:
- (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in STATE, and that satisfies one or more of the following thresholds:
- (i) Has annual gross revenues in excess of ten million dollars ($15,000,000).
- (ii) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- (iii) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
- (2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(q) For purposes of the above sections, “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to:
- (1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- (2) Characteristics of protected classifications under STATE or federal law.
- (3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- (4) Biometric information.
- (5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- (7) Audio, electronic, visual, thermal, olfactory, or similar information.
- (8) Professional or employment-related information.
- (9) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- (10) Inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- (11) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, as restricted by any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.
(r) The obligations imposed on businesses by the above sections shall not restrict a business’s ability to:
- (i) Comply with federal, state, or local laws.
- (ii) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
- (iii) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
- (iv) Exercise or defend legal claims.
- (v) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
- (vi) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of STATE. For purposes of this title, commercial conduct takes place wholly outside of STATE if the business collected that information while the consumer was outside of STATE, no part of the sale of the consumer’s personal information occurred in STATE, and no personal information collected while the consumer was in STATE is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in STATE and then collecting that personal information when the consumer and stored personal information is outside of STATE.
(s) Any consumer whose nonencrypted or nonredacted personal information, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
- (1) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater;
- (2) Injunctive or declaratory relief;
- (3) Any other relief the court deems proper.
- (4) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
- (5) Actions pursuant to this section may be brought by a consumer if all of the following requirements are met:
- (i) Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.
(t) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.
(u) A business shall be in violation of the above sections if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be liable for a civil penalty in a civil action brought in the name of the people of STATE by the Attorney General of up to seven thousand five hundred dollars ($7,500) for each violation.
(v) This is a matter of statewide concern and the above sections supersede and preempt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.
(w) before the above sections become operative, the Attorney General shall solicit broad public participation to adopt regulations to further their purposes.
(x) Effective date. The above sections shall take effect immediately, and shall be operational for businesses and consumers as of January 1, 2020.