CALIFORNIA CODE OF REGULATIONS

TITLE 2. ADMINISTRATION
DIVISION 7. SECRETARY OF STATE
CHAPTER 1. VOTER REGISTRATION

ARTICLE 1. ACCESS TO VOTER REGISTRATION INFORMATION

19001. Definitions.

As used in this Article, the following terms have the following meanings:

  1. “Agent” means a person authorized by a beneficiary to use voter registration information on that person’s behalf including, but not limited to, employees and volunteers.
  2. “Applicant” means a person who completes and submits an application to a source agency for the purpose of obtaining voter registration information. If an applicant submits the application on their own behalf, they are also the beneficiary. If an applicant submits the application on behalf of another person, the other person is the beneficiary.
  3. “Beneficiary” means a person, including a vendor, who receives voter registration information either directly or indirectly from a source agency.
  4. “Person” includes any individual, firm, association, organization, partnership, business trust, committee, political organization, corporation, or company.
  5. “Source agency” means the Secretary of State or a county elections official, both of which maintain voter registration information and provide access to such information pursuant to Elections Code sections 2188 and 2194.
  6. “Specific voter registration record” means voter registration information of an individual named voter for whom the applicant provides all required identifying information such as date of birth. Specific voter registration information does not include requests of unidentified individuals meeting certain criteria, such as any voters living on a certain street in a certain city.
  7. “Vendor” means a person that obtains voter registration information from a source agency for another person’s use, including, but not limited to, political parties, political campaigns, political committees, and data aggregators that prepare voter registration information for beneficiaries.
  8. “Voter registration information” means information on registered voters that may be provided to an authorized applicant by a source agency under the provisions of this Article, Elections Code section 2194, and Government Code section 6254.4. This information includes the following for each voter, to the extent that it is included in any individual voter’s record: registration county, unique registration identification number, name, residential address, mailing address, phone number, email address, language preference, date of birth, gender, party preference, registration status, registration date, precinct, registration method, place of birth, registration status reason (reason for the most recent update to the registration), voting assistance request status, permanent vote-by-mail status, county voter identification number, and voting participation history (election date and voting method).

Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

19002. Application of this Article.

  1. This Article shall apply to any person who directly or indirectly receives voter registration information from any source agency.
  2. This Article shall not apply to any voter requesting their own voter registration information through a publicly available voter record lookup tool. However, when a voter requests additional information about their own specific voter record than is available on such a tool, they must submit an application for specific voter registration record pursuant to this Article.

Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4, 12172.5, Government Code. Reference: Sections 2188, 2194, Elections Code.

19003. Permissible Uses.

  1. Voter registration information obtained from a source agency shall be used solely for the following purposes:
    1. Election: for any person to communicate with voters in connection with an election by means that shall include, but shall not be limited to, the following:
      1. Communicating with voters for or against any candidate or ballot measure in any election;
      2. Communicating with voters regarding the circulation or support of, or opposition to, any recall, initiative, or referendum petition;
      3. Surveying voters in connection with any specific election campaign or specific potential election campaign in which any voter registered to vote may vote;
      4. Surveying voters in connection with an election-related exploratory committee;
      5. Soliciting contributions or services as part of any election campaign on behalf of any candidate for public office or any political party or in support of or opposition to any ballot measure, initiative, or referendum petition.
    2. Scholarly: students working on theses, professors researching voting patterns, and other academics involved in research related to political or election activities.
    3. Journalistic: members of the press for any purpose related to political or election activities.
    4. Political: for any person to communicate with voters to influence public opinion related to political or election activities. The content of such communications shall include, but shall not be limited to: news and opinions of candidates, elections, education related to political matters, political party developments, ballot measures, initiatives, referendum positions, and related political matters.
    5. Governmental: Any request from a governmental agency or for a use related to a governmental function by means including, but not limited to:
      1. Encouraging participation in the United States Census;
      2. Conducting any survey of opinions of voters by any government agency or its contractors;
      3. Any official use by any local, state, or federal governmental agency, which shall include use in connection with any judicial proceeding or investigation involving or being conducted by any local, state, or federal governmental agency.
    6. Record review: For any person to conduct an audit of voter registration lists for election, scholarly, journalistic, political, or governmental purposes. Record review includes, but is not limited to, detecting voter registration fraud, evaluating voter registration information accuracy, and evaluating compliance with applicable Federal and California laws.
    7. Vendor: By any vendor to compile and/or organize voter registration information for another person’s use consistent with this Article.
  2. Requests for voter registration information for a purpose not specifically listed in subdivision (a), and not prohibited by section 19004, shall be evaluated for compliance with the Elections Code by the source agency.
  3. A source agency shall review each application for compliance with the Elections Code and this Article independent of decisions made on other applications.

Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

19004. Impermissible Uses.

  1. Using voter registration information in a manner contrary to the authorized uses specified in Elections Code section 2194 is impermissible. Impermissible uses include, but shall not be limited to:
    1. Any communication for any personal, private, or commercial purpose other than for those purposes permitted by Section 19003.
    2. Solicitation of contributions or services for any personal, private, or commercial purpose.
    3. Conducting any survey of opinions of voters other than for those purposes permitted by Section 19003, subdivision (a).
    4. Using the voter registration information to harass any voter or the voter’s household, including, but not limited to, any conduct prohibited by Elections Code sections 18540 and 18543.
  2. Voter registration information shall not be sent outside of the United States, as specified in Elections Code section 2188.5.
  3. Notwithstanding section 19003, a source agency may reject a request for voter registration information based on a reasonable belief or determination that it is being requested for use in a manner prohibited by law, including, but not limited to, uses contrary to the prohibitions or authorized uses specified in Elections Code sections 2188.5 and 2194 or that is contrary to Elections Code section 10. An impermissible purpose may include requests for voter registration information for an impermissible purpose submitted for fraudulent purposes or in bad faith or for the purpose of harassing or defrauding a person or entity. In such instances, the source agency shall provide the applicant its reasons for refusal. An applicant whose application is rejected shall not be prohibited from filing a new application.

Note: Authority cited: Sections 2188.2 and 2188.5, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

19005. Transfers.

  1. Only a vendor may transfer voter registration information to another person, as described in subdivision (c).
  2. A beneficiary, including a vendor, may share voter registration information with their agent(s) without prior written authorization from a source agency.
    1. An agent may only use the voter registration information for the purposes specified in the approved application.
    2. LA beneficiary sharing voter registration information with an agent must exercise reasonable care that the agent uses the voter registration only for purposes approved by the source agency and report any unauthorized use as described in Section 19012 of this Article.
    3. A beneficiary remains responsible for the actions of their agent with respect to the use of the voter registration information.
  3. A vendor may provide voter registration information to another person, other than its agent as described in subdivision (b), only upon providing written notification to the Secretary of State.
    1. This is intended to mean that the Secretary of State can approve the transfer of voter registration information obtained from both the Secretary of State and other source agencies.
    2. This notification shall include the name, address, phone number, and email address of the person to whom the information is provided. If applicable, the notification shall also include the business name and address of the person to whom the information is provided.
    3. A vendor that provides voter registration information to another person must share, in writing, the information security requirements in Section 19012 with that person and acknowledge, in writing, that they provided this information in the notification.
    4. A vendor who fails to provide the notification or transfers voter registration information to another person for an impermissible purpose shall be issued a warning by the Secretary of State for the first violation. For a second violation, a vendor will be barred from providing voter registration information to any person for the remainder of that presidential election cycle, defined as the period beginning on a presidential election day through the next presidential election day.
    5. This Article shall apply to any person who receives voter registration information from a vendor, as if that person had received the voter registration information directly from a source agency.

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

    19006. Charges; Deposits.

    1. The fee to obtain voter registration information from the Secretary of State is $15.00 per one thousand records, up to a maximum of $100.00. The minimum fee is $15.00.
    2. The fee to obtain a specific voter registration record is $30.00 per record, up to a maximum of $100.00. Each request for specific voter registration records is limited to 10 records.
    3. A source agency (other than the Secretary of State) may designate the fee to obtain voter registration information and specific voter registration record(s).

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4, 12172.5, Government Code. Reference: Sections 2188, 2194, Elections Code.

    19008. Application.

    1. Every applicant shall execute and deliver to the source agency an application that contains all of the following information:
      1. The full name of the applicant, and, if applicable, the full name of the beneficiary of the requested voter registration information.
      2. The applicant’s telephone and email address.
      3. The applicant’s complete business address.
      4. The applicant’s complete mailing address, if different from the business address.
      5. If applicable, the complete business address of the beneficiary of the requested voter registration information.
      6. The purpose(s) or type(s) of business, organization, or committee that the applicant represents.
      7. The purpose(s) for which the request for voter registration information is made and the specific intended use(s) of this information or data in accordance with Section 19003.
        1. If the intended use of the requested voter registration information is for political purposes, the applicant shall submit documentation establishing compliance with section 19003(a)(4), for example a letter establishing an affiliation with a political organization.
        2. If the intended use of the requested voter registration information is for scholarly purposes, the applicant shall submit a letter from the representative of the institution (professor, administrator, etc.) on the institution’s letterhead stating that the applicant is authorized to receive the information.
        3. If the intended use of the requested voter registration information is for journalistic purposes, the applicant shall submit a clear copy of the applicant’s press pass or media credential. In the event the applicant does not have a press pass or media credential, the applicant shall submit other evidence that they are a journalist. The source agency shall determine whether submitted press passes, media credentials, or other evidence properly establish a journalistic purpose.
      8. A detailed explanation of how the requested voter registration information will be maintained securely and confidentially consistent with Section 19012.
      9. The type of information requested. Examples include voter history, precinct to district information, whether voter registration information is requested for a specific jurisdiction, and specific voter registration information.
      10. Shipping instructions for the source agency to deliver the requested voter registration information.
      11. If applicable, detailed identifying information on a specific voter for a request of a single voter’s voter registration information.
      12. A completed agreement section, which contains spaces where the applicant must place their initials acknowledging the following statements:
        1. Applicant and beneficiary, if applicable, hereby agree that the information set forth in the voter registration information will be used for the approved purposes, consistent with state law, as defined by Elections Code section 2194, this Article, and Government Code section 6254.4.
        2. Applicant and beneficiary, if applicable, further agree not to sell, lease, loan, or deliver possession of the registration information, or a copy thereof, in any form or format, to any person, organization, or agency except as prescribed in Section 19005.
        3. Applicant and beneficiary, if applicable, agree to maintain information in a secure and confidential manner using the best practices identified in Section 19010 of this Article, and will notify the Secretary of State immediately of any violation, exposure, and/or breach of voter registration information or suspected violation, exposure, and/or breach of voter registration information and will cooperate with the Secretary of State’s office or any investigative agency efforts related to any resulting investigation.
        4. Applicant and beneficiary, if applicable, understand that it is a misdemeanor for a person in possession of voter registration information to use or permit the use of all or any part of the information for any purpose other than is permitted by law.
        5. Applicant and beneficiary, if applicable, agree to pay the State of California, as compensation for any unauthorized use of each individual’s registration information, a penalty as described in Section 19007 of this Article.
    2. The applicant shall certify the content of the application as to its truthfulness and correctness, under penalty of perjury, with the applicant’s signature and the date and place of signing.

    Note: Authority cited: Sections 2188.2 and 2188.3, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188, 2194, and 18109, Elections Code.

    19009. Application Submission and Processing.

    1. The applicant must submit the completed application for voter registration information in the following manner:
      1. The applicant must deliver it to the source agency in person or by U.S. mail or other delivery/courier service. A wet signature is required on the application; therefore, a source agency shall not accept emailed and faxed applications for voter registration information.
      2. The applicant must include a clear copy of their current photo identification issued by a federal or state government agency with the completed application.
      3. The applicant must submit the appropriate fee with the completed application.
    2. All source agencies, including the Secretary of State, shall process applications in the following manner:
      1. The source agency shall process requests for voter registration information in the order received.
      2. The source agency shall log all applications received, including whether each application was approved or denied and the contact information of each applicant, and maintain in this log all applications received, at a minimum, in the past five years.
      3. If the application is denied, the source agency shall inform the applicant of the reasons for denial, and shall return all application materials, including any payment. Payment will not be processed for denied applications.
        1. The Secretary of State shall inform the applicant of the reasons for denial in writing. Other source agencies may, but are not required to inform the applicant of the reasons for denial in writing.
    3. Applicants may re-submit denied applications after addressing the reason(s) for denial.

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

    19010. Requests for Specific Voter Records.

    1. If specific voter registration record(s) are requested, the source agency shall only use the exact information provided by the applicant to locate the record(s). The applicant shall provide as much detail as is possible, including, but not limited to, the full name, date of birth, and present and/or former residence address of the specific voter that is the subject of the request.
    2. The source agency will only use the exact information provided (full name, date of birth, county of residence, and residence address, etc.) to identify specific voter registration record(s).
    3. In the event there are insufficient details for the source agency to fulfill the request for a specific voter registration record, the source agency shall communicate that fact to the applicant to determine if additional criteria to identify the voter(s) is available.
    4. If the request cannot be filled, the source agency shall send a letter to the applicant stating such. Payment will not be processed for requests that cannot be filled.
    5. An applicant may request up to 10 specific voter registration records per application. A variant of a name shall be considered a part of one request.

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4, 12172.5, Government Code. Reference: Sections 2188, 2194, Elections Code.

    19011. End User Technical Support

    A source agency that provides voter registration information under this Article is not responsible for end-user technical support for processing purchased data or for assistance on converting provided data for usage.

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and 12172.5, Government Code. Reference: Section 2194, Elections Code.

    19012. Requirements for Storage and Security of Voter Registration Information

    1. Any person who has directly or indirectly obtained voter registration information from a source agency must exercise due diligence in maintaining and securing the voter registration information in order to reduce the risk of information exposure and/or breach.
    2. Any person who has directly or indirectly obtained voter registration information from a source agency shall:
      1. Use a strong and unique password (“strong password hygiene”) per account with access to the voter registration information or privileges to grant access.
      2. Apply security best practices, which includes the following:
        1. Obtaining training on security awareness to avoid social engineering and phishing attacks.
        2. Practice the principles of “least privilege” By restricting user access to the minimum need based on users’ job necessity.
        3. Ensure user accounts are logged off or the session is locked after a period of inactivity, which shall be no more than 15 minutes.
        4. Remove, deactivate, or disable accounts or default credentials.
        5. Erase or wipe voter registration information that is no longer needed for its retention and sanitized following National Institute of Standards and Technology (NIST) 800-88 Guidelines for media sanitization.
        6. Restrict physical access by not leaving your computer in places unlocked and unattended.
        7. Limit the use of portable devices. If a portable device is used, strong storage encryption procedures must be applied utilizing Federal Information Processing Standards (FIPS) 197, commonly referred to as “Advanced Encryption Standard” or “AES.”
        8. Use wireless technology securely with Wi-Fi Protected Access 2 (WPA2) or better.
    3. In addition to the requirements set forth in (b) above, any vendor shall:
      1. Apply additional security best practices, which include the following:
        1. Use strong identity and access management, preferring multi-factor authentication for any and all privilege accounts and/or accounts with access to voter registration data.
        2. Initiate an account lockout after a pre-defined number of failed attempts, no more than 10. Any automated account unlock actions must wait no less than 30 minutes from the lockout event.
        3. Force password changes on a pre-defined basis, but not less than 365 days.
        4. Backups of voter registration information shall be securely stored separately and utilizing FIPS 197 encryption at rest.
      2. Implement security log management, which includes the following:
        1. Enable logging on all systems and network devices with sufficient information collection that answers the following:
          1. What activity was performed?
          2. Who or what performed the activity, including where or on what system the activity was performed?
          3. What activity was the action performed on?
          4. What tool(s) were used to perform or performed the activity?
          5. What was the status, outcome, or results of the activity?
        2. Review log(s) regularly for any errors, abnormal activities and any system configuration changes.
        3. Securely store log files separately from the systems monitored, archived, and protect from unauthorized modification, access, or destruction.
        4. Use log monitoring tools to send real-time alerts and notifications.
        5. Utilize multiple synchronized United States-based time sources.
      3. Employ system hardening techniques, which include the following:
        1. Update and install all firmware and patches from a trusted and verifiable source.
        2. Use only the most up-to-date and certified version of vendor software.
        3. Install and maintain active malware and anti-virus software.
        4. Implement firewalls, also known as host-based firewalls, and/or port filtering tools with host-based intrusion protection services.
        5. Encrypt voter registration information using FIPS 197 at rest.
        6. Encrypt voter registration information in transit such as Transport Layer Security (TLS) 1.2 or better with a valid certificate and certificate chain.
        7. Do not use self-signed certificates.
        8. Conduct regular vulnerability scanning and testing for known or unknown weaknesses.
        9. Use application whitelisting on all endpoints and systems.

    Note: Authority cited: Section 2188.2, Elections Code; Sections 6254.4 and12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.

    19013. Reporting Requirement for Unauthorized Use and Data Breaches

    Any person who has obtained voter registration information from a source agency shall report detected unauthorized use, suspected breach, or denial of service attack on the voter registration information or the system containing the voter registration information to the Secretary of State Elections Division Help Desk within twenty-four (24) hours of discovery.

    Note: Authority cited: Section 2188.3, Elections Code. Reference: Sections 2188 and 2194, Elections Code.