BILL NUMBER: SB 328	AMENDED
	BILL TEXT

	AMENDED IN SENATE  APRIL 9, 2007

INTRODUCED BY   Senator Corbett

                        FEBRUARY 16, 2007

   An act to amend Sections 1798.80 and 1798.84 of, and to add
Section 1798.83.5 to, the Civil Code, relating to personal
information.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 328, as amended, Corbett. Personal information: prohibited
practices.
   Existing law requires a business to ensure the privacy of a
customer's personal information, as defined, contained in records, as
defined, by destroying, or arranging for the destruction of, the
records. Existing law requires, subject to certain exceptions, a
business that discloses a customer's personal information, including
information relating to income or purchases, to a 3rd party for
direct marketing purposes to provide the customer, within 30 days
after the customer's request, as specified, in writing or by e-mail
the names and addresses of the recipients of that information and
specified details regarding the information disclosed, except as
specified. Existing law requires a person or business that owns or
licenses computerized data that include personal information to
disclose any breach of the security of its system, as specified.
Existing law requires a business, other than one of specified
entities, that owns or licenses personal information about a
California resident to implement and maintain reasonable security
procedures and practices to protect personal information from
unauthorized access, destruction, use, modification, or disclosure.
Any customer injured by a business' violation of these provisions is
entitled to recover damages, a civil penalty, attorney's fees,
injunctive relief, and other remedies.
   This bill would include a telephone calling pattern record or list,
as defined, in the definition of "personal information"
for purposes of the above-described provisions. The bill would also
prohibit any person, as defined, from, among other things, obtaining
or attempting to obtain, or causing or attempting to cause the
disclosure of, personal information about a customer or employee
contained in the records of a business through specified methods,
such as by making false, fictitious, or fraudulent statements or
representations, with specified exceptions. The bill would provide
civil remedies for the violation thereof, and would make related and
conforming changes in that regard.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 1798.80 of the Civil Code is amended to read:
   1798.80.  The following definitions apply to this title:
   (a) "Business" means a sole proprietorship, partnership,
corporation, association, or other group, however organized and
whether or not organized to operate at a profit, including a
financial institution organized, chartered, or holding a license or
authorization certificate under the law of this state, any other
state, the United States, or of any other country, or the parent or
the subsidiary of a financial institution. The term includes an
entity that destroys records.
   (b) "Customer" means an individual who provides personal
information to a business for the purpose of purchasing or leasing a
product or obtaining a service from the business.
   (c) "Individual" means a natural person.
   (d) "Person" means an individual, business association,
partnership, limited partnership, corporation, limited liability
company, trust, estate, cooperative association, or other entity.
   (e) "Personal information" means any information that identifies,
relates to, describes, or is capable of being associated with, a
particular individual, including, but not limited to, his or her
name, signature, social security number, physical characteristics or
description, address, telephone number, telephone calling pattern
record or list, passport number, driver's license or state
identification card number, insurance policy number, education,
employment, employment history, bank account number, credit card
number, debit card number, or any other financial information.
   (f) "Records" means any material, regardless of the physical form,
on which information is recorded or preserved by any means,
including in written or spoken words, graphically depicted, printed,
or electromagnetically transmitted. "Records" does not include
publicly available directories containing information an individual
has voluntarily consented to have publicly disseminated or listed,
such as name, address, or telephone number. 
   (g) "Telephone calling pattern record or list" means information
retained by a telephone company that relates to the telephone number
dialed by the subscriber, or other person using the subscriber's
telephone with permission, or the incoming number of a call directed
to the subscriber, or other data related to those calls typically
contained on a subscriber telephone bill, including the time the call
started and ended, the duration of the call, any charges applied,
and any information described in subdivision (a) of Section 2891 of
the Public Utilities Code whether the call was made from or to a
telephone connected to the public switched telephone network, a
cordless telephone, as defined in Section 632.6, a telephony device
operating over the Internet utilizing voice-over Internet protocol, a
satellite telephone, or commercially available interconnected mobile
phone service that provides access to the public switched telephone
network via a mobile communication device employing radiowave
technology to transmit calls, including cellular radiotelephone,
broadband Personal Communications Services, and digital Specialized
Mobile Radio. 
  SEC. 2.  Section 1798.83.5 is added to the Civil Code, to read:
   1798.83.5.  (a) A person shall not obtain or attempt to obtain, or
cause to be disclosed or attempt to cause to be disclosed, personal
information about a customer or employee contained in the records of
a business using any of the following methods:
   (1) By making a false, fictitious, or fraudulent statement or
representation to an officer, employee, or agent of a business.
   (2) By making a false, fictitious, or fraudulent statement or
representation to a customer of a business.
   (3) By providing any document to an officer, employee, or agent of
a business, knowing that the document is forged, counterfeit, lost,
or stolen, was fraudulently obtained, or contains a false,
fictitious, or fraudulent statement or representation.
   (b) A person shall not request a person to obtain personal
information about a customer or employee contained in the records of
a business, knowing that the person will obtain, or attempt to
obtain, the information in any manner described in subdivision (a).
   (c) No provision of this section shall be construed to prevent any
action by a law enforcement agency, or any officer, employee, or
agent of that agency, to obtain personal information about a customer
or employee contained in the records of a business, as permitted by
law in connection with the performance of the official duties of the
agency.
   (d) No provision of this section shall be construed to prevent any
business, or any officer, employee, or agent of that business, from
obtaining personal information about a customer or employee contained
in the records of the business, in the course of any of the
following:
   (1) Testing the security procedures or systems of the business,
for maintaining the confidentiality of personal information about a
customer or employee.
   (2) Investigating allegations of misconduct or negligence on the
part of any officer, employee, or agent of the business.
   (3) Recovering personal information about a customer or employee
of the business, which was obtained or received by another person in
any manner described in subdivision (a) or (b).
   (4) Analyzing its customer records for patterns of activity in an
effort to identify fraud or identity theft.
   (e) Any personal information that is obtained in violation of
subdivision (a) or (b) shall be inadmissible as evidence in any
judicial, administrative, legislative, or other proceeding, except
when that information is offered as proof in an action for a
violation of this title.
   (f) No provision of this section shall be construed to prevent any
person from obtaining personal information pursuant to a lawfully
issued and noticed subpoena or court order.
   (g) The rights and remedies of a customer or employee for a
violation of this section are the remedies provided in Section
1798.84.
  SEC. 3.  Section 1798.84 of the Civil Code is amended to read:
   1798.84.  (a) Any waiver of a provision of this title is contrary
to public policy and is void and unenforceable.
   (b) Any customer injured by a violation of this title may
institute a civil action to recover damages.
   (c) In addition, for a willful, intentional, or reckless violation
of Section 1798.83 or 1798.83.5, a customer may recover a civil
penalty not to exceed three thousand dollars ($3,000) per violation;
otherwise, the customer may recover a civil penalty of up to five
hundred dollars ($500) per violation for a violation of Section
1798.83 or 1798.83.5.
   (d) Unless the violation is willful, intentional, or reckless, a
business that is alleged to have not provided all the information
required by subdivision (a) of Section 1798.83, to have provided
inaccurate information, failed to provide any of the information
required by subdivision (a) of Section 1798.83, or failed to provide
information in the time period required by subdivision (b) of Section
1798.83, may assert as a complete defense in any action in law or
equity that it thereafter provided regarding the information that was
alleged to be untimely, all the information, or accurate
information, to all customers who were provided incomplete or
inaccurate information, respectively, within 90 days of the date the
business knew that it had failed to provide the information, timely
information, all the information, or the accurate information,
respectively.
   (e) Any business that violates, proposes to violate, or has
violated this title may be enjoined.
   (f) A prevailing plaintiff in any action commenced under Section
1798.83 or 1798.83.5 shall also be entitled to recover his or her
reasonable attorney's fees and costs.
   (g) The rights and remedies available under this section are
cumulative to each other and to any other rights and remedies
available under law.
   (h) The term "customer," as used in this section, with respect to
a violation of Section 1798.83.5 only, includes a customer or
employee of a business.