Business and Professions Code section 22948.31
(a)
A survivor, or a designated representative of a survivor, may submit a device protection request to an account manager seeking to terminate a perpetrator’s access to a connected device or associated user account.(b)
A device protection request shall include all of the following:(1)
A verification that the perpetrator has committed or allegedly committed a covered act against the survivor or an individual in the survivor’s care, by providing either of the following:(A)
A copy of a signed affidavit from a licensed medical or mental health care provider, licensed military medical or mental health care provider, licensed social worker, victim services provider, or licensed military victim services provider, a temporary restraining order, an emergency protective order, or a protective order lawfully issued pursuant to Section 527.6 of the Code of Civil Procedure, Part 3 (commencing with Section 6240) or Part 4 (commencing with Section 6300) of Division 10 of the Family Code, or Section 136.2 of the Penal Code.(B)
A copy of a police report, statements provided by police, including military police, to magistrates or judges, charging documents, protective or restraining orders, military protective orders, or any other official record that documents the covered act, including a copy of a written report by a peace officer employed by a state or local law enforcement agency acting in the peace officer’s official capacity stating that the individual has filed a report alleging victimization of an act or crime.(2)
Verification of the survivor’s exclusive legal possession or control of the connected device, including, but not limited to, a dissolution decree, temporary restraining order, protective order, domestic violence restraining order, or other document indicating the survivor’s exclusive use care, possession, or control of the connected device.(3)
Identification of the connected device or devices.(4)
Identification of the person that the requester seeks to deny device or account access.(c)
An account manager shall offer a survivor or a designated representative of a survivor the ability to submit a device protection request under subdivision (b) through secure remote means that are easily navigable. Except as specified under subdivision (b), an account manager shall not require a specific form of documentation to submit a device protection request.(d)
Within two business days of receiving a complete device protection request, the account manager shall do one of the following:(1)
Terminate or disable the identified perpetrator’s access to the connected device or user account, and notify the survivor or their representative that access has been successfully denied.(2)
Inform the survivor, in a clear and conspicuous manner, of any methods to reset the device to factory settings or to a similar state that removes all account holders. A reset method is one that does not require the survivor to possess a personal identification number (PIN), password, or other access credential, and shall be available solely by virtue of the survivor’s physical proximity to the device.(e)
An account manager shall clearly describe the process under this section to submit a device protection request, including required documentation and available remedies, on its internet website and any associated mobile application.(f)
An account manager shall not require any of the following as a condition for processing a device protection request:(1)
Payment of a fee, penalty, or other charge for the survivor or a designated representative of the survivor to submit a request, or for the account manager to carry out the request.(2)
Approval of the device protection request by any person who has device or account access that is not the survivor.(3)
An increase in the rate charged for the account if any subscription fee or other recurring charge for account access applies.(4)
Any other requirement not listed under subdivision (b).(g)
An account manager shall not deny a device protection request due to arrears accrued by the account or associated with the connected device.(h)
An account manager shall not notify the perpetrator of the access termination and shall not disclose any data, credentials, or account changes relating to the survivor or any new account created after the perpetrator’s access is removed.(i)
A survivor shall not be financially responsible for any amount incurred or charged to the connected device or associated account by the perpetrator after the perpetrator’s access has been terminated under this chapter.(j)
(1)An account manager and any officer, director, employee, vendor, or agent thereof shall treat any information submitted by a survivor or a designated representative of a survivor under this section as confidential and securely dispose of the information not later than 90 days after receiving the information.(2)
Nothing in paragraph (1) shall be construed to prohibit an account manager from maintaining, for longer than the period specified in that paragraph, a record that verifies that a survivor or a designated representative of a survivor fulfilled the conditions of a device protection request under subdivision (b).
Source:
Section 22948.31, https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=BPC§ionNum=22948.31. (updated Jan. 1, 2026; accessed Dec. 15, 2025).
