1798.100. - (a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to1798.105. - (a) A consumer shall have the right to request that a business delete any personal information about the consumer which1798.110. - (a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose1798.115. - (a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that1798.120. - (a) A consumer shall have the right, at any time, to direct a business that sells personal information about the1798.125. - (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under1798.130. - (a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, in a form that is reasonably accessible1798.135. - (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to1798.140. - For purposes of this title:1798.145. - (a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:1798.150. - (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision1798.155. - Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with1798.160. - (a) A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in1798.175. - This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal1798.180. - This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws1798.185. - (a) On or before January 1, 2020, the Attorney General shall solicit broad public participation to adopt regulations to further1798.190. - If a series of steps or transactions were component parts of a single transaction intended from the beginning to be1798.192. - Any provision of a contract or agreement of any kind that purports to waive or limit in any way a1798.194. - This title shall be liberally construed to effectuate its purposes.1798.196. - This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is1798.198. - (a) Subject to limitation provided in subdivision (b), this title shall be operative January 1, 2020.
(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(9) Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.
(c) This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’ determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’ authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.