SENATE BILL No.

30

Introduced by Senator Simitian

December 4, 2006

An act to add and repeal Article 4 (commencing with Section

1798.10) of Chapter 1 of Title 1.8 of Part 4 of Division 3 of the Civil
Code, and to add and repeal Article 13 (commencing with Section
11147) of Chapter 1 of Part 1 of Division 3 of Title 2 of the Government
Code, relating to privacy.

legislative counsel’s digest

SB 30, as introduced, Simitian. Identity Information Protection Act
of 2007.
(1)  Existing law, the Information Practices Act of 1977, regulates
the collection and disclosure of personal information regarding
individuals by state agencies, except as specified. The intentional
disclosure of medical, psychiatric, or psychological information in
violation of the disclosure provisions of the act is punishable as a
misdemeanor if the wrongful disclosure results in economic loss or
personal injury to the individual to whom the information pertains.
This bill would enact the Identity Information Protection Act of 2007.
Until December 31, 2013, or as otherwise specified, the act would
require identification documents, as defined and with specified
exceptions, that are created, mandated, purchased, or issued by various
public entities that use radio waves to transmit data, or to enable data
to be read remotely, to meet specified requirements. The bill would
provide that a person or entity that knowingly discloses, or causes to
be disclosed, operational system keys, as described, shall be punished
by imprisonment in a county jail for up to one year, a fine of not more
than $5,000, or both that fine and imprisonment. The bill would further

99
SB 30 —2—

authorize declaratory or injunctive relief or a writ of mandate and

attorney’s fees and costs under specified circumstances.
In addition, because the intentional disclosure of medical, psychiatric,
or psychological information in violation of the disclosure provisions
of the Information Practices Act of 1977, which would include this act,
is punishable as a misdemeanor if the wrongful disclosure results in
economic loss or personal injury to the individual to whom the
information pertains, and because operational system keys would be
punishable as a misdemeanor, this bill would create a new crime, thereby
imposing a state-mandated local program.
(2)  Existing law establishes in the Department of Consumer Affairs,
the Office of Privacy Protection for the purpose of protecting the privacy
of individuals’ personal information and developing fair information
practices for state agencies. Existing law establishes in the California
State Library, the California Research Bureau with responsibilities to
conduct research on various policy issues.
This bill would require the California Research Bureau to submit a
report to the Legislature on security and privacy for government-issued,
remotely readable identification documents. The bill would require the
bureau to submit the report within 270 days of receiving a request from
the Office of the President pro Tempore of the Senate or the Office of
the Speaker of the Assembly, or before June 30, 2008, whichever is
earlier. The bill would require the bureau to establish an advisory board,
to be comprised of specified government officials and representatives
from industry and privacy rights organizations, to make
recommendations and provide technical advice to the bureau in
preparing the report.
(3)  The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the state.
Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act
for a specified reason.
Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.

The people of the State of California do enact as follows:

1 SECTION 1. This act shall be known and may be cited as the

2 Identity Information Protection Act of 2007.

99
 —3— SB 30

1 SEC. 2. The Legislature hereby finds and declares all of the

2 following:
3 (a)  The right to privacy is a personal and fundamental right
4 protected by Section 1 of Article I of the California Constitution
5 and by the United States Constitution. All individuals have a right
6 of privacy in information pertaining to them.
7 (b)  This state has previously recognized the importance of
8 protecting the confidentiality and privacy of an individual’s
9 personal information contained in identification documents such
10 as drivers’ licenses.
11 (c)  It is the intent of the Legislature that the privacy and security
12 protections in this article that apply to remotely readable
13 identification documents created, mandated, purchased, or issued
14 by a state, county, or municipal government, or subdivision or
15 agency thereof, are interim measures until subsequent legislation
16 or regulations are enacted based on new information, including,
17 but not limited to, information provided by the California Research
18 Bureau.
19 (d)  Notwithstanding any other provision of this act, it is the
20 intent of the Legislature that the interim measures contained herein
21 be replaced by a statewide legislative or regulatory framework in
22 the most timely and expeditious fashion possible following the
23 issuance of recommendations by the California Research Bureau.
24 SEC. 3. Article 4 (commencing with Section 1798.10) is added
25 to Chapter 1 of Title 1.8 of Part 4 of Division 3 of the Civil Code,
26 to read:
27
28 Article 4. Identity Documents
29
30 1798.10. (a)  Except as provided in subdivision (b), all
31 identification documents created, mandated, purchased, or issued
32 by a state, county, or municipal government, or subdivision or
33 agency thereof, that use radio waves to transmit data or to enable
34 data to be read remotely shall meet these requirements:
35 (1)  In order to prevent duplication, forgery, or cloning of the
36 identification document, the identification document shall
37 incorporate tamper-resistant features.
38 (2)  In order to determine to a reasonable certainty that the
39 identification document was legitimately issued by the issuing
40 entity, is not cloned, and is authorized to be read, the identification

99
SB 30 —4—

1 document and authorized reader, in conjunction with related,

2 functionally integrated software, shall implement an authentication
3 process.
4 (3)  If personally identifiable information is transmitted remotely
5 from the identification document, the identification document and
6 authorized reader, in conjunction with related, functionally
7 integrated software, shall not only meet the requirements of
8 paragraph (2) but also shall implement mutual authentication in
9 order to prevent the transmission of personally identifiable
10 information between identification documents and unauthorized
11 readers.
12 (4)  If personally identifiable information is transmitted remotely
13 from the identification document, the identification document shall
14 make the data unreadable and unusable by an unauthorized person
15 through means such as encryption of the data during transmission,
16 access controls, data association, encoding, obfuscation, or any
17 other measures, or combination of measures, that are effective to
18 ensure the confidentiality of the data transmitted between the
19 identification document and authorized reader.
20 (5)  If personally identifiable information is transmitted remotely
21 from the identification document, the identification document shall
22 implement an access control protocol that enables the holder to
23 exercise direct control over any transmission of the data using
24 radio waves. This requirement may be satisfied by the
25 implementation of one or more means including, but not limited
26 to, the following:
27 (A)  An access control protocol requiring the machine-readable
28 or other nonradio frequency reading of information from the
29 identification document prior to each transmission of data using
30 radio waves, without which the identification document will not
31 transmit data using radio waves.
32 (B)  A data-carrying device, such as an integrated circuit or
33 computer chip, that is normally not remotely readable, accessible,
34 or otherwise operational under any circumstances, and only
35 remotely readable, accessible, or operational while being
36 temporarily switched on or otherwise intentionally activated by a
37 person in physical possession of the identification document. The
38 device shall only be remotely readable while the person
39 intentionally enables the identification document to be read.

99
 —5— SB 30

1 (C)  Another access control protocol that enables the holder to

2 exercise direct control over any transmission of the data using
3 radio waves, not including a detachable shield device or bag.
4 (6)  If a unique personal identifier number that is used to provide
5 an individual with access to more than one type of application or
6 service is transmitted remotely from the identification document,
7 the issuing entity of the identification document shall do one or
8 more of the following, commensurate with the sensitivity of the
9 applications:
10 (A)  Implement a secondary verification and identification
11 procedure that does not use radio waves, including, but not limited
12 to, the manual entry of a personal identification number on a
13 keypad or the placement of an authorized individual at locations
14 at which the identification document is to be read for a purpose
15 other than facilitating secured access to a secured public building
16 or parking area, in order to determine the authenticity of the
17 document or the identity of the person.
18 (B)  Implement the security protections described in paragraph
19 (3).
20 (C)  Implement the security protections described in paragraph
21 (4).
22 (D)  Implement the security protections described in paragraph
23 (5).
24 (7)  If the identification document remotely transmits a unique
25 personal identifier number for the purposes of recording the
26 attendance of a pupil at a public school, the issuing entity of the
27 identification document shall meet the requirements of paragraph
28 (6).
29 (8)  If the identification document remotely transmits a unique
30 personal identifier number for the purposes of accessing public
31 transit services, is issued to a member of the public, as defined in
32 Section 6252 of the Government Code, and is either required by
33 the issuing public entity or confers a benefit that is unique to that
34 class of remotely readable identification document, the issuing
35 entity of the identification document shall meet the requirements
36 of paragraph (6).
37 (9)  The issuing entity of the identification document shall
38 communicate in writing to the person to whom the document is
39 issued at or before the time the document is issued, all of the
40 following:

99
SB 30 —6—

1 (A)  That the identification document can transmit data or enable

2 data to be read remotely without his or her knowledge.
3 (B)  That countermeasures, such as shield devices or switches,
4 may be used to help the person control the risk that his or her data
5 will be read remotely without his or her knowledge.
6 (C)  The location of readers used or intended to be used by the
7 issuing authority to read the data on the identification document.
8 This requirement shall be satisfied by doing one or more of the
9 following:
10 (i)  Posting or displaying a clear and conspicuous sign, placard,
11 poster, or other similar written notice at each reader’s actual
12 location indicating that the issuing authority has placed an
13 identification document reader at that location, that the reader is
14 being used to read identification documents remotely using radio
15 waves, and the commonly understood name of each document.
16 (ii)  Providing each document holder with a list of the location
17 of all readers used or intended to be used by the issuing authority
18 to read the data on the identification document.
19 (iii)  Providing each document holder with a direct Internet link
20 to a Web page that clearly and conspicuously lists the location of
21 all readers used or intended to be used by the issuing authority to
22 read the data on the identification document. This Web page shall
23 be updated regularly.
24 (D)  All circumstances under which the issuing authority plans
25 or intends to read the identification document and the reasons
26 behind those circumstances.
27 (E)  Any information, such as time and location, that is being
28 collected or stored regarding the individual in a database at the
29 time the identification document is being read.
30 (b)  Subdivision (a) shall not apply to:
31 (1)  Any contactless identification document system that began
32 implementation prior to January 1, 2008, or for which a state,
33 county, or municipal government request for proposal has been
34 publicly issued prior to September 30, 2007, or for which a contract
35 has been executed prior to September 30, 2007.
36 (2)  An identification document issued to a person who is
37 incarcerated in the state prison or a county jail, detained in a
38 juvenile facility operated by the Division of Juvenile Facilities in
39 the Department of Corrections and Rehabilitation, or housed in a
40 mental health facility, pursuant to a court order after having been

99
 —7— SB 30

1 charged with a crime, or to a person pursuant to court-ordered

2 electronic monitoring.
3 (3)  An identification document issued to a person employed by
4 a state prison, county jail, or juvenile facility operated by the
5 Division of Juvenile Facilities in the Department of Corrections
6 and Rehabilitation if the document is not removed from the facility
7 and the requirements of paragraph (9) of subdivision (a) apply.
8 (4)  An identification document issued to a law enforcement
9 officer or emergency response personnel if the document is used
10 only while the law enforcement officer or emergency response
11 personnel is on active duty and the requirements of paragraph (9)
12 of subdivision (a) apply.
13 (5)  An identification document issued to a patient who is in the
14 care of a government-operated or government-owned hospital,
15 ambulatory surgery center, or oncology or dialysis clinic if all of
16 the following requirements are met:
17 (A)  The identification document is valid for only a single
18 episode of care.
19 (B)  The identification document may be removed and reattached
20 when used on a nonemergency outpatient.
21 (C)  The identification document does not transmit or enable the
22 remote reading using radio waves of personally identifiable
23 information.
24 (D)  The patient returning for a new episode of care is assigned
25 a new unique personal identifier number.
26 (E)  The patient or the person who has been legally entrusted to
27 make medical decisions on behalf of the patient is notified, in
28 writing, that the identification document transmits data using radio
29 waves.
30 (F)  The patient is not compelled or encouraged to wear, or keep
31 on his or her person, the identification document beyond the facility
32 property.
33 (6)  An identification document issued to a person who is in the
34 care of a skilled nursing facility operated or owned by the
35 government, if all of the following requirements are met:
36 (A)  The patient has been diagnosed by a doctor with dementia
37 or other cognitive impairment that involves substantial limitation
38 in function.

99
SB 30 —8—

1 (B)  The identification document does not transmit or enable the

2 remote reading using radio waves of personally identifiable
3 information.
4 (C)  The patient or the person who has been legally entrusted to
5 make medical decisions on behalf of the patient is notified, in
6 writing, that the identification document transmits data using radio
7 waves.
8 (D)  The patient is not compelled or encouraged to wear or keep
9 on his or her person the identification document beyond the facility
10 property.
11 (E)  The patient or the person who has been legally entrusted to
12 make medical decisions on behalf of the patient has consented to
13 the issuance of the identification document.
14 (7)  An identification document issued to a patient by emergency
15 medical services for triage or medical care during a disaster and
16 immediate hospitalization or immediate outpatient care directly
17 related to a disaster, as defined by the local emergency medical
18 services agency organized under Section 1797.200 of the Health
19 and Safety Code.
20 (8)  An identification document that is issued to a person for the
21 limited purpose of facilitating secured access by the identification
22 document holder to a secured public building or parking area, if
23 the requirements of paragraph (9) of subdivision (a) are met and
24 the identification document does not transmit or enable the remote
25 reading using radio waves of personally identifiable information.
26 (9)  A license, certificate, registration, or other authority for
27 engaging in a business or profession regulated under the Business
28 and Professions Code, if the requirements of paragraph (9) of
29 subdivision (a) are met and the identification document does not
30 transmit or enable the remote reading using radio waves of
31 personally identifiable information.
32 1798.11. Except as provided in subdivision (d), a state, county,
33 or municipal government, or subdivision or agency thereof, that
34 creates, mandates, purchases, or issues an identification document
35 in compliance with subdivision (a) of Section 1798.10:
36 (a)  Shall not, under any circumstances, disclose any operational
37 system keys used pursuant to paragraphs (3) and (4) of subdivision
38 (a) of Section 1798.10, either publicly or to any nongovernmental
39 entity or other third party, including, but not limited to, contractors,

99
 —9— SB 30

1 officers, and employees of other government agencies, that is not

2 authorized under subdivision (d).
3 (b)  Shall take all reasonable measures to keep any operational
4 system keys used pursuant to paragraphs (3) and (4) of subdivision
5 (a) of Section 1798.10 secure and unavailable to any third party
6 that is not authorized under subdivision (d).
7 (c)  Shall not, under any circumstances, act in any way to allow
8 a third party that is not authorized under subdivision (d) to read
9 the data transmitted remotely by the identification document using
10 radio waves.
11 (d)  A state, county, or municipal government, or subdivision or
12 agency thereof, that creates, mandates, purchases, or issues an
13 identification document in compliance with subdivision (a) of
14 Section 1798.10 may disclose any operational system keys used
15 pursuant to paragraphs (3) and (4) of subdivision (a) of Section
16 1798.10 to authorized third parties that in the stream of commerce
17 have a bona fide business relationship with the agency, or its
18 contractors or subcontractors, and that are necessary to the
19 operation, testing, or installation of the identification system, and
20 to emergency response personnel for the sole purposes of locating
21 and identifying a person or persons in the case of a disaster, as
22 defined by the local Emergency Medical Services agency organized
23 under Section 1797.200 of the Health and Safety Code.
24 (1)  Any authorized third party that receives a disclosure pursuant
25 to this exception is subject to the prohibitions of subdivisions (a)
26 to (c), inclusive.
27 (2)  Any authorized third party that receives a disclosure pursuant
28 to this exception shall adopt procedures restricting access to the
29 operational system keys and securing the keys from tampering and
30 unauthorized access. These procedures shall include administrative,
31 technical, and physical safeguards to protect against any reasonably
32 anticipated threats or hazards to the privacy of the information,
33 and unauthorized uses or disclosures of the information.
34 (3)  All information received pursuant to this exception shall be
35 destroyed when the purpose of the disclosure is completed.
36 1798.115. A person or entity that knowingly discloses, or
37 causes to be disclosed, the operational system keys described in
38 Section 1798.11 in violation of Section 1798.11 shall be punished
39 by imprisonment in a county jail for up to one year, a fine of not

99
SB 30 — 10 —

1 more than five thousand dollars ($5,000), or both that fine and
2 imprisonment.
3 1798.12. A state, county, or municipal government, or a
4 political subdivision or agency thereof, that uses radio waves to
5 transmit data or to enable data to be read remotely pursuant to
6 subdivision (a) of Section 1798.10 or the authorized third parties
7 with whom the governmental entity has a bona fide business
8 relationship shall not disclose any data or information regarding
9 the location of a person derived from the use of the radio waves,
10 unless the disclosure comports with any of the following:
11 (a)  The disclosure is made pursuant to an exigent circumstance
12 and all of the following occur:
13 (1)  The information that is requested is necessary to locate and
14 respond to a person who is in immediate danger of death or serious
15 bodily injury or a minor who is in immediate danger.
16 (2)  The information that is disclosed solely regards the location
17 of a person or an identification document and the time at which
18 that person was or is at that location.
19 (3)  The request by emergency response personnel to a
20 governmental entity to which this section applies includes, at a
21 minimum, all of the following information:
22 (A)  The name and title of the emergency response personnel.
23 (B)  The office location and telephone number for the emergency
24 response personnel.
25 (C)  The name and telephone number of the emergency response
26 personnel’s supervisor or the person who has the ultimate
27 operational responsibility at the time.
28 (D)  The assertion by the emergency response personnel that an
29 exigent circumstance exists.
30 (4)  The governmental entity provides the emergency response
31 personnel with the requested location information upon verification
32 of the information required by paragraph (3) with the emergency
33 response personnel’s supervisor or the person who has ultimate
34 operational responsibility at the time. No governmental entity, or
35 official or employee thereof, shall be subject to liability when it
36 acts in a reasonable manner upon receiving the information required
37 by paragraph (3).
38 (5)  The governmental entity maintains for a period of not less
39 than one year all requests from public safety or emergency response

99
 — 11 — SB 30

1 agencies for location information that are made under exigent

2 circumstances.
3 (6)  Individuals whose location information has been released
4 pursuant to this subdivision are notified in writing by the
5 governmental entity within a reasonable period of time that their
6 information has been released and the notice shall include the
7 information required in paragraph (3). The notification required
8 by this paragraph may be delayed if a law enforcement agency
9 determines that the notification will impede a criminal
10 investigation. The notification required by this paragraph shall be
11 made after the law enforcement agency determines that it will not
12 compromise the investigation.
13 (7)  The location information obtained as the result of a request
14 pursuant to this section is used solely for the purpose of rendering
15 emergency aid by emergency response personnel to the person
16 during the exigent circumstances forming the basis of the request.
17 (b)  The disclosure is made pursuant to a request by law
18 enforcement personnel in the course of a legitimate investigation
19 and the information is derived only from the use of employee
20 identification documents to facilitate secured access to public
21 buildings or parking areas.
22 (c)  The disclosure is required pursuant to a search warrant.
23 1798.125. Any interested person may institute proceedings
24 against a governmental entity for injunctive or declaratory relief
25 or a writ of mandate in any court of competent jurisdiction for the
26 purpose of preventing or stopping any violation of this article, if
27 all of the following occur:
28 (a)  The person provides to the governmental entity, written
29 notice of the alleged violation by certified mail.
30 (b)  The governmental entity fails, for at least 30 days after
31 receipt of that written notice, to fix the alleged violation, to comply
32 with the provisions of the article, and to inform the demanding
33 party in writing of its actions to fix the alleged violation or its
34 decision not to correct the alleged violation.
35 1798.126. (a)  In any proceedings brought pursuant to Section
36 1798.125, the court may assess against the governmental entity
37 reasonable attorney’s fees and other litigation costs reasonably
38 incurred in any proceedings under this article in which the
39 complainant has prevailed.

99
SB 30 — 12 —

1 (b)  Nothing in this section affects or is intended to limit or

2 supplant any other remedies that may be available in law or equity.
3 1798.135. For purposes of this article, the following definitions
4 shall apply:
5 (a)  “Access controls” means granting or denying permission to
6 access information.
7 (b)  “Authentication” means the process of applying a
8 machine-readable process to data or identification documents, or
9 both, so as to accomplish either of the following:
10 (1)  Establish that the data and the identification document
11 containing the data were issued by the responsible issuing state or
12 local governmental body.
13 (2)  Ensure that a reader, as defined in subdivision (p), is
14 permitted under California law to access that data or identification
15 document.
16 (c)  “Authorized reader” means a reader, as defined in
17 subdivision (p), that, with respect to a particular identification
18 document, (1) is permitted under California law to remotely read
19 the data transmitted by that identification document, (2) is being
20 used for a lawful purpose, and (3) is fully in accord with the
21 requirements of subdivision (a) of Section 1798.10.
22 (d)  “Contactless identification document system” means a group
23 of identification documents issued and operated under a single
24 authority that use radio waves to transmit data remotely to readers
25 intended to read that data. In a contactless identification document
26 system, every reader must be able to read every identification
27 document in the system.
28 (e)  “Data” means information stored on an identification
29 document in machine-readable form including, but not limited to,
30 personally identifiable information and other unique personal
31 identifier numbers.
32 (f)  “Data association” means storing information in separate
33 locations so that the information is not resident in a single location
34 and is not usable if only one of such locations is accessed.
35 (g)  “Emergency response personnel” means any of the
36 following:
37 (1)  “Emergency medical technician,” as defined in Sections
38 1797.80 and 1797.82 of the Health and Safety Code.
39 (2)  “Firefighter,” as defined in Section 1797.182 of the Health
40 and Safety Code.

99
 — 13 — SB 30

1 (3)  “Mobile intensive care nurse,” as defined in Section 1797.56

2 of the Health and Safety Code.
3 (4)  “Paramedic,” as defined in Section 1797.84 of the Health
4 and Safety Code.
5 (5)  “Peace officer,” as defined in Sections 830.1 and 830.2 of
6 the Penal Code.
7 (h)  “Encoding” means use of a mechanism that allows the
8 message elements to be substituted for other elements.
9 (i)  “Encryption” means the protection of data in electronic form
10 in storage or while being transmitted using an encryption algorithm
11 implemented within a cryptographic module that has been adopted
12 or approved by the National Institute of Standards and Technology,
13 the Institute of Electrical and Electronics Engineers, Inc., the
14 Internet Engineering Task Force, the International Organization
15 for Standardization, the Organization for the Advancement of
16 Structured Information Standards, or any other similar standards
17 setting body, rendering that data indecipherable in the absence of
18 associated cryptographic keys necessary to enable decryption of
19 that data. That encryption shall include appropriate management
20 and safeguards of those keys to protect the integrity of the
21 encryption.
22 (j)  “Exigent circumstance” means a reasonable belief by
23 emergency response personnel that either of the following
24 situations exists:
25 (1)  There is immediate danger of death or serious bodily injury
26 to the person whose location information is being sought or to
27 another individual who could be located through the reading of
28 that identification document.
29 (2)  There is immediate danger to a minor whose location
30 information is being sought or to another minor who could be
31 located through the reading of that identification document.
32 (k)  (1)  “Identification document” means any document
33 containing data that is issued to an individual and which that
34 individual, and only that individual, uses alone or in conjunction
35 with any other information for the primary purpose of establishing
36 his or her identity. Identification documents specifically include,
37 but are not limited to, the following:
38 (A)  Driver’s licenses or identification cards issued pursuant to
39 Section 13000 of the Vehicle Code.
40 (B)  Identification cards for employees or contractors.

99
SB 30 — 14 —

1 (C)  Identification cards issued by educational institutions.

2 (D)  Health insurance or benefit cards.
3 (E)  Benefit cards issued in conjunction with any
4 government-supported aid program.
5 (F)  Licenses, certificates, registration, or other means to engage
6 in a business or profession regulated by the Business and
7 Professions Code.
8 (G)  Library cards issued by any public library.
9 (2)  Identification documents do not include devices issued to
10 persons for the limited purpose of collecting funds for the use of
11 a toll bridge or toll road, such as devices used by the FasTrak
12 system, if the device is not issued for the exclusive use of an
13 individual and does not transmit or enable the remote reading using
14 radio waves of personally identifiable information.
15 (l)  “Key” means a string of bits of information used as part of
16 a cryptographic algorithm used in encryption.
17 (m)  “Mutual authentication” means a process by which
18 identification documents and authorized readers securely challenge
19 each other to verify authenticity and authorization of both readers
20 and documents before any data is exchanged, except such data as
21 is necessary to carry out mutual authentication. Mutual
22 authentication accomplishes both of the following:
23 (1)  Authorized readers, as defined in subdivision (c), can
24 accurately assess whether the identification document and data
25 stored are issued by the responsible issuing state or local
26 governmental body to an authorized holder.
27 (2)  Authorized identification documents can accurately assess
28 whether a reader accessing them is authorized to read the
29 documents, and authorized to then access data stored on the
30 documents.
31 (n)  “Obfuscation of information” means the transformation of
32 information without the use of an encryption algorithm or key into
33 a form in which the information is rendered unusable or unreadable.
34 (o)  “Personally identifiable information” includes any of the
35 following data elements to the extent that they are used alone or
36 in conjunction with any other information to identify an individual:
37 (1)  First or last name.
38 (2)  Address.
39 (3)  Telephone number.
40 (4)  E-mail address.

99
 — 15 — SB 30

1 (5)  Date of birth.
2 (6)  Driver’s license number or California identification card
3 number.
4 (7)  Any unique personal identifier number contained or encoded
5 on a driver’s license or identification card issued pursuant to
6 Section 13000 of the Vehicle Code.
7 (8)  Bank, credit card, or other financial institution account
8 number.
9 (9)  Credit or debit card number.
10 (10)  Any unique personal identifier number contained or
11 encoded on a health insurance, health benefit, or benefit card issued
12 in conjunction with any government-supported aid program.
13 (11)  Religion.
14 (12)  Ethnicity or nationality.
15 (13)  Photograph.
16 (14)  Fingerprint or other biometric identification.
17 (15)  Social security number.
18 (p)  “Reader” means a scanning device that is capable of using
19 radio waves to communicate with an identification document and
20 read the data transmitted by that identification document.
21 (q)  “Remotely” means that no physical contact between the
22 identification document and a reader is necessary in order to
23 transmit data using radio waves.
24 (r)  “Shield devices” mean physical or technological protections
25 available to stop the transmission of data programmed on or into
26 an identification document using radio waves.
27 (s)  “Single episode of care” means an inpatient hospital stay
28 through discharge or specific course of therapy or treatment for
29 outpatient care.
30 (t)  “Unique personal identifier number” means a randomly
31 assigned string of numbers or symbols that is encoded onto the
32 identification document and is intended to identify the identification
33 document that has been issued to a particular individual.
34 1798.136. The provisions of this article shall become
35 inoperative on December 31, 2013, or when alternative statewide
36 regulations pertaining to the privacy and security of remotely
37 readable identification documents are enacted or promulgated
38 pursuant to later legislation, whichever is earlier.

99
SB 30 — 16 —

1 SEC. 4. Article 13 (commencing with Section 11147) is added

2 to Chapter 1 of Part 1 of Division 3 of Title 2 of the Government
3 Code, to read:
4
5 Article 13. Report on Security and Privacy for
6 Government-Issued Identification Documents
7
8 11147. The California Research Bureau in the California State
9 Library, within 270 days of receiving a request from the Office of
10 the President pro Tempore of the Senate or the Office of the
11 Speaker of the Assembly, or before June 30, 2008, whichever is
12 earlier, shall submit to the Legislature a report on security and
13 privacy for government-issued, remotely readable identification
14 documents.
15 11147.1. In preparing the report required by Section 11147,
16 the bureau shall, at a minimum, do all of the following:
17 (a)  Establish an advisory board that makes recommendations,
18 provides technical advice, answers bureau questions, and outlines
19 the strengths and weaknesses of potential approaches to privacy
20 and security proposals for government-issued, remotely readable
21 identification documents. The advisory board shall be composed
22 of all of the following members:
23 (1)  The State Chief Information Officer or his or her designee.
24 (2)  The Chief of the Office of Privacy Protection or his or her
25 designee.
26 (3)  The Attorney General or his or her designee.
27 (4)  A representative from the Office of Emergency Services.
28 (5)  A representative from either the University of California or
29 the California State University system.
30 (6)  A representative from the Department of Motor Vehicles.
31 (7)  A representative from the California State Information
32 Security Office.
33 (8)  A representative selected by the bureau from the California
34 School Boards Association.
35 (9)  A representative selected by the bureau from city or county
36 government.
37 (10)  One representative selected by the bureau, from each of
38 the following industries:
39 (A)  Remotely readable identification card manufacturers.
40 (B)  Remotely readable identification chip manufacturers.

99
 — 17 — SB 30

1 (C)  Remotely readable identification reader manufacturers.

2 (D)  Remotely readable component manufacturers.
3 (E)  Enterprise or network information technology companies.
4 (11)  Five representatives selected by the bureau from among
5 privacy rights groups, including, but not limited to, the American
6 Civil Liberties Union, the Electronic Frontier Foundation, and the
7 Privacy Rights Clearinghouse.
8 (12)  Other representatives selected by the bureau that would be
9 necessary for the bureau to complete the report required by Section
10 11147.
11 (b)  Review and document existing state and federal laws relating
12 to privacy, security, and safeguards for remotely readable
13 identification documents.
14 (c)  Review privacy and security safeguards and technologies
15 that are currently available or in development for remotely readable
16 identification documents.
17 (d)  Review best practices that have been established or that are
18 under consideration to prevent identity theft, privacy invasion, and
19 criminal use of personal and other data to determine their
20 applicability to government-issued identification documents.
21 (e)  Consider requirements for a privacy impact assessment and
22 a security risk assessment conducted by issuing entities that would
23 clearly define what personal information is to be collected, how
24 the information will and could be used, who may and who could
25 access the information, how the information will be protected from
26 unauthorized access, and how an individual may control use of
27 and update his or her information.
28 (f)  Identify, develop, and evaluate options for the Legislature
29 to review and consider for action for a legislative and regulatory
30 framework that would ensure the safety and security of information
31 contained on remotely readable identification documents and the
32 privacy of the individuals to whom the documents are issued.
33 11147.2. The bureau shall be solely responsible for preparing
34 the report required by this article. The report shall include
35 information, suggestions, and comments from the advisory board.
36 In making recommendations, the bureau shall maintain an approach
37 that, when appropriate, is neutral with respect to specific
38 technologies and methods, shall consider the multitude of ways
39 of ensuring privacy and security, and shall consider the impact of
40 any recommendations on innovation. The report may include

99
SB 30 — 18 —

1 additional research and commentary that the bureau believes is

2 necessary to prepare a complete and thorough report.
3 11147.3. The provisions of this article shall become inoperative
4 on December 31, 2013, or when alternative statewide regulations
5 pertaining to the privacy and security of remotely readable
6 identification documents are enacted or promulgated pursuant to
7 later legislation, whichever is earlier.
8 SEC. 5. No reimbursement is required by this act pursuant to
9 Section 6 of Article XIIIB of the California Constitution because
10 the only costs that may be incurred by a local agency or school
11 district will be incurred because this act creates a new crime or
12 infraction, eliminates a crime or infraction, or changes the penalty
13 for a crime or infraction, within the meaning of Section 17556 of
14 the Government Code, or changes the definition of a crime within
15 the meaning of Section 6 of Article XIII B of the California
16 Constitution.

99