(a) On or after July 1, 2001, unless otherwise authorized by the Department of Information Technology pursuant to Executive Order D-3-99, every state agency, including the California State University, that utilizes any method, device, identifier, or other data base application on the Internet to electronically collect personal information, as defined in subdivision (d), regarding any user shall prominently display the following at least one anticipated initial point of communication with a potential user, to be determined by each agency, and in instances when the specified information would be collected:
(1) Notice to the user of the usage or existence of the information gathering method, device, identifier, or other data base application.
(2) Notice to the user of the type of personal information that is being collected and the purpose for which the collected information will be used.
(3) Notice to the user of the length of time that the information gathering device, identifier, or other data base application will exist in the user’s hard drive, if applicable.
(4) Notice to the user that he or she has the option of having his or her personal information discarded without reuse or distribution, provided that the appropriate agency official or employee is contacted after notice is given to the user.
(5) Notice to the user that any information acquired by the state agency, including the California State University, is subject to the limitations set forth in the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code).
(6) Notice to the user that state agencies shall not distribute or sell any electronically collected personal information, as defined in subdivision (d), about users to any third party without the permission of the user.
(7) Notice to the user that electronically collected personal information, as defined in subdivision (d), is exempt from requests made pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1).
(8) The title, business address, telephone number, and electronic mail address, if applicable, of the agency official who is responsible for records requests, as specified by subdivision (b) of Section 1798.17 of the Civil Code, or the agency employee designated pursuant to Section 1798.22 of that code, as determined by the agency, who is responsible for ensuring that the agency complies with requests made pursuant to this section.
(b) A state agency shall not distribute or sell any electronically collected personal information about users to any third party without prior written permission from the user, except as required to investigate possible violations of Section 502 of the Penal Code or as authorized under the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code). Nothing in this subdivision shall be construed to prohibit a state agency from distributing electronically collected personal information to another state agency or to a public law enforcement organization in any case where the security of a network operated by a state agency and exposed directly to the Internet has been, or is suspected of having been, breached.
(c) A state agency shall discard without reuse or distribution any electronically collected personal information, as defined in subdivision (d), upon request by the user.
(d) For purposes of this section:
(1) “Electronically collected personal information” means any information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and information that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to individuals who are users serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business.
(2) “User” means an individual who communicates with a state agency or with an agency employee or official electronically.
(e) Nothing in this section shall be construed to permit an agency to act in a manner inconsistent with the standards and limitations adopted pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1) or the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code).
(Amended by Stats. 1999, Ch. 784, Sec. 17. Effective October 10, 1999.)