Amended  IN  Assembly  March 21, 2024

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill
No. 3080

Introduced by Assembly Member Alanis

February 16, 2024

An act to amend Section 1798.100 add Title 22.1 (commencing with Section 3273.70) to Part 4 of Division 3 of the Civil Code, relating to privacy. consumer protection.


LEGISLATIVE COUNSEL'S DIGEST


AB 3080, as amended, Alanis. California Consumer Privacy Act of 2018. Age verification: obscene and indecent material.
Existing law, beginning January 1, 2025, prohibits a social media platform, as defined, from knowingly facilitating, aiding, or abetting commercial sexual exploitation, as defined. Existing law prohibits a social media platform from being deemed to be in violation of this provision if it demonstrates certain mitigating facts, including that the social media platform instituted and maintained a program of at least biannual audits of its designs, algorithms, practices, affordances, and features to detect designs, algorithms, practices, affordances, or features that have the potential to cause or contribute to violations of that provision, as prescribed. Existing law, the California Consumer Privacy Act of 2018, grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer.
This bill would require a covered platform, as defined, that publishes or distributes material harmful to minors, as defined, to perform reasonable age verification methods, as defined, to verify the age of each individual attempting to access the material and to prevent access by minors to the material. The bill would prohibit a covered platform, or any third party, that performs age verification pursuant to these provisions from retaining any identifying information of the individual after access has been granted to the material, general purpose unless otherwise required by law. The bill would state that its provisions do not apply to, among other things, an internet service provider, a general purpose search engine, or a cloud service provider.
This bill would state that, except as provided, any attempted waiver or estoppel of a person’s right to bring a civil action under these provisions is void as unlawful and against public policy, as specified, and would provide that any contract, agreement, or other arrangement made or entered in violation of these provisions is contrary to law and public policy, void, and unenforceable. The bill would authorize a parent or legal guardian of a minor to bring a civil action, as specified, against any covered platform for violating these provisions with respect to the minor. The bill would also authorize any individual, after access to the material harmful to minors has been granted to the individual, to bring a civil action, as specified, against a covered platform for a violation of the prohibition against retaining any identifying information of the individual.
This bill would state that its provisions are severable.

Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including requiring a business that collects a consumer’s personal information to disclose to that consumer the categories and specific pieces of personal information the business has collected. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA.

This bill would make nonsubstantive changes to those provisions.

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Title 22.1 (commencing with Section 3273.70) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 22.1. Age Verification for Internet Websites Containing Obscene and Indecent Material

3273.70.
 For purposes of this title, the following definitions apply:
(a) “Child pornography” has the same meaning as defined in Section 2256 of Title 18 of the United States Code.
(b) “Covered platform” means an entity for which all of the following are true:
(1) The entity makes available an internet website.
(2) It is in the regular course of the trade or business of the entity to create, host, or make available material harmful to minors under subdivision (f).
(3) The material harmful to minors is provided by the entity, user, or other information content provider with the objective of earning a profit.
(c) “Indecent” means any image, video, audio recording, audiovideo file, film, written material, document, software, data file, scripting language, computer code, game, virtual reality technology, interactive and noninteractive streaming service, interactive and noninteractive streaming software, and downloadable application that, consistent with regulations set forth by the Federal Communications Commission in Section 73.3999 of Title 47 of the Code of Federal Regulations, as it read on the date enacting this section, meets any of the following conditions:
(1) Would be found by the average person, applying contemporary statewide standards, to be generally harmful to minors.
(2) Depicts, describes, exposes, or presents sexual conduct in a patently offensive way.
(3) Taken as a whole, lacks serious literary, artistic, or scientific value for the purpose of educating minors.
(d) “Interactive computer service” has the same meaning as defined in Section 230(f)(2) of Title 47 of the United States Code.
(e) “Information content provider” has the same meaning as defined in Section 230(f)(3) of Title 47 of the United States Code.
(f) “Material harmful to minors” means any picture, image, graphic image file, film, videotape, or other visual depiction that is any of the following:
(1) Obscene.
(2) Indecent.
(3) Child pornography.
(g) “Minor” means a person under the age of 18 years of age who meets at least one of the following conditions:
(1) Is a permanent resident of this state.
(2) Has resided in this state for more than one year.
(3) Has been temporarily staying in this state for at least 31 consecutive days.
(h) “Obscene” means any image, video, audio recording, audiovideo file, film, written material, document, software, data file, scripting language, computer code, game, virtual reality technology, interactive and noninteractive streaming service, interactive and noninteractive streaming software, and downloadable application that, consistent with Miller v. California (1973) 413 U.S. 15, meets any of the following conditions:
(1) Would be found by the average person, applying contemporary statewide standards, to appeal to the prurient interest.
(2) Depicts, describes, exposes, or presents sexual conduct in a patently offensive way.
(3) Taken as a whole, lacks serious literary, artistic, or scientific value.
(i) “Reasonable age verification measures” include all of the following:
(1) A state-issued driver’s license.
(2) A state-issued identification card.
(3) A government-issued identification card.
(4) A military identification card.
(5) A credit card, except a credit card that does not require the individual in ownership of the account to be at least 18 years of age.
(6) A debit card, except a debit card that does not require the individual in ownership of the account to be at least 18 years of age.
(7) Bank account information.
(8) Any other means or method that reliably and accurately can determine whether a user of a covered platform is a minor and prevent access by a minor to the content on a covered platform.

3273.71.
 A covered platform that publishes or distributes material harmful to minors shall do the following:
(a) Perform reasonable age verification methods to verify the age of each individual attempting to access the material.
(b) Prevent access by minors to the material.

3273.72.
 Unless otherwise required by law, a covered platform, or any third party, that performs age verification pursuant to this title shall not retain any identifying information of the individual after access has been granted to the material.

3273.73.
 (a) This title shall not apply to an internet service provider, or its affiliate or subsidiary that is not a covered platform, a general purpose search engine, or a cloud service provider.
(b) This title does not subject a covered platform to any cause of action or liability to the extent that the covered platform is protected from causes of action or liability by federal law.
(c) Compliance with this chapter shall not excuse any person from any other legal duties or relieve a person from any other legal remedies.
(d) Notwithstanding any other law, the requirements of this title shall be enforced exclusively through the private civil actions described herein.
(e) The prohibitions in this title shall not apply in a case to the extent that they would violate the doctrine of the dormant Commerce Clause of the United States Constitution as enunciated by the Supreme Court of the United States.

3273.74.
 (a) Except as provided in subdivision (b), any attempted waiver or estoppel of a person’s right to bring a civil action under this title, or of any remedy or any other protection provided by this title, is void as unlawful and against public policy. Notwithstanding any choice-of-law rules that would apply the laws of another jurisdiction, a court or arbitrator shall neither enforce nor give effect to such a waiver or estoppel.
(b) The waiver and estoppel prohibitions described in subdivision (a) shall not apply to contractual waivers to the extent that any application of the prohibition would impair the obligation of contracts in violation of the state and federal constitutions.
(c) The prohibitions on estoppel and contractual or other waivers described in subdivision (a) is a public policy limitation of the highest importance and interest to California, and the State of California is exercising and enforcing this prohibition to the full extent permitted by the state and federal constitutions.
(d) Any contract, agreement, or other arrangement made or entered in violation of this title is contrary to law and public policy, void, and unenforceable.

3273.75.
 (a) (1) A parent or legal guardian of a minor may bring a civil action against any covered platform for violating this title with respect to the minor.
(2) Any individual may bring a civil action against a covered platform for a violation of Section 3273.72 after access to the material harmful to minors has been granted to the individual.
(b) (1) A violation of subdivision (a) of Section 3273.71 is subject to civil damages in the amount of five thousand dollars ($5,000) per violation.
(2) A violation of subdivision (b) of Section 3273.71 is subject to civil damages in the amount of ten thousand dollars ($10,000) per image sent to a minor.
(c) A prevailing plaintiff under this title shall recover court costs and reasonable attorney’s fees.
(d) An individual may bring an action under this title regardless of whether another court has declared any provision of this title unconstitutional unless that court decision is binding on the court in which the action is brought.
(e) Nonmutual issue preclusion or nonmutual claim preclusion shall not be a defense to an action brought under this title.
(f) In any jury trial brought under this title, the jury shall decide both guilt and any damages.

3273.76.
 The provisions of this title are severable. If any provision of this title or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SECTION 1.Section 1798.100 of the Civil Code is amended to read:
1798.100.

General Duties of Businesses that Collect Personal Information

(a)A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers of all of the following:

(1)The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.

(2)If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.

(3)The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

(b)A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.

(c)A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

(d)A business that collects a consumer’s personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that does all of the following:

(1)Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.

(2)Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.

(3)Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.

(4)Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.

(5)Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

(e)A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

(f)Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.