(a) On or after July 1, 2001, unless otherwise authorized by the Department of Information Technology pursuant to Executive Order D-3-99, every state agency, including the California State University, that utilizes any method, device, identifier, or other database application on the internet to electronically collect personal information, as defined in subdivision (d), regarding any user shall prominently display the following in at least one anticipated initial point of communication with a potential user, to be determined by each agency, and in instances when the specified information would be collected:

(1) Notice to the user of the usage or existence of the information gathering method, device, identifier, or other database application.

Terms Used In California Government Code 11015.5

  • Public law: A public bill or joint resolution that has passed both chambers and been enacted into law. Public laws have general applicability nationwide.
  • State: means the State of California, unless applied to the different parts of the United States. See California Government Code 18
  • state agency: includes every state office, officer, department, division, bureau, board, and commission. See California Government Code 11000
  • Subdivision: means a subdivision of the section in which the term occurs unless some other section is expressly mentioned. See California Government Code 10

(2) Notice to the user of the type of personal information that is being collected and the purpose for which the collected information will be used.

(3) Notice to the user of the length of time that the information gathering device, identifier, or other database application will exist in the user’s hard drive, if applicable.

(4) Notice to the user that the user has the option of having the user’s personal information discarded without reuse or distribution, provided that the appropriate agency official or employee is contacted after notice is given to the user.

(5) Notice to the user that any information acquired by the state agency, including the California State University, is subject to the limitations set forth in the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code).

(6) Notice to the user that state agencies shall not distribute or sell any electronically collected personal information, as defined in subdivision (d), about users to any third party without the permission of the user.

(7) Notice to the user that electronically collected personal information, as defined in subdivision (d), is exempt from requests made pursuant to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1).

(8) The title, business address, telephone number, and electronic mail address, if applicable, of the agency official who is responsible for records requests, as specified by subdivision (b) of § 1798.17 of the Civil Code, or the agency employee designated pursuant to Section 1798.22 of that code, as determined by the agency, who is responsible for ensuring that the agency complies with requests made pursuant to this section.

(b) A state agency shall not distribute or sell any electronically collected personal information about users to any third party without prior written permission from the user, except as required to investigate possible violations of § 502 of the Penal Code or as authorized under the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code). Nothing in this subdivision shall be construed to prohibit a state agency from distributing electronically collected personal information to another state agency or to a public law enforcement organization in any case where the security of a network operated by a state agency and exposed directly to the internet has been, or is suspected of having been, breached.

(c) A state agency shall discard without reuse or distribution any electronically collected personal information, as defined in subdivision (d), upon request by the user.

(d) For purposes of this section:

(1) “Electronically collected personal information” means any information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, the user’s name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and information that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to individuals who are users serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business.

(2) “User” means an individual who communicates with a state agency or with an agency employee or official electronically.

(e) Nothing in this section shall be construed to permit an agency to act in a manner inconsistent with the standards and limitations adopted pursuant to the California Public Records Act (Division 10 (commencing with Section 7920.000) of Title 1) or the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code).

(Amended by Stats. 2021, Ch. 615, Sec. 157. (AB 474) Effective January 1, 2022. Operative January 1, 2023, pursuant to Sec. 463 of Stats. 2021, Ch. 615.)