1798.100. - (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to
1798.105. - (a) A consumer shall have the right to request that a business delete any personal information about the consumer which
1798.110. - (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose
1798.115. - (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that
1798.120. - (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the
1798.125. - (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under
1798.130. - (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible
1798.135. - (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to
1798.140. - For purposes of this title:
1798.145. - (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:
1798.150. - (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision
1798.155. - Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with
1798.160. - (a) A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in
1798.175. - This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal
1798.180. - This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws
1798.185. - (a) On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further
1798.190. - If a series of steps or transactions were component parts of a single transaction intended from the beginning to be
1798.192. - Any provision of a contract or agreement of any kind that purports to waive or limit in any way a
1798.194. - This title shall be liberally construed to effectuate its purposes.
1798.196. - This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is
1798.198. - (a) Subject to limitation provided in subdivision (b), this title shall be operative January 1, 2020.

(f) The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft, and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.
(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
(b) “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(v) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’ determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’ authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.