BILL NUMBER: AB 2297 ENROLLED
BILL TEXT
PASSED THE ASSEMBLY AUGUST 30, 2002
PASSED THE SENATE AUGUST 28, 2002
AMENDED IN SENATE AUGUST 26, 2002
AMENDED IN SENATE AUGUST 12, 2002
AMENDED IN SENATE AUGUST 5, 2002
AMENDED IN ASSEMBLY MAY 29, 2002
AMENDED IN ASSEMBLY MAY 13, 2002
AMENDED IN ASSEMBLY MAY 2, 2002
AMENDED IN ASSEMBLY APRIL 29, 2002
INTRODUCED BY Assembly Member Simitian
FEBRUARY 21, 2002
An act to add Chapter 15.5 (commencing with Section 22575) to
Division 8 of the Business and Professions Code, relating to privacy.
LEGISLATIVE COUNSEL'S DIGEST
AB 2297, Simitian. Online Privacy and Disclosure Act of 2002.
Existing law does not regulate the security and confidentiality of
consumer personal and identifying information obtained by persons
and entities engaged in online business transactions.
This bill, beginning on July 1, 2003, would require an operator,
defined as a person or entity that collects personal and identifying
information from California residents through the Internet or online
service for commercial purposes, to conspicuously post a privacy
policy on its Web site and to comply with that policy. The bill
would require that the privacy policy identify the categories of
information that the operator collects about individuals and with
whom the operator may share the information. The bill would provide
that individuals or entities with fewer than 25 employees and who do
less than 10% of their business with individuals located in
California are exempt from the bill. The bill would declare that its
provisions preempt and supersede laws of specified local government
entities regarding the posting of a privacy policy on an Internet Web
site.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. This act shall be known as, and may be cited as, the
Online Privacy and Disclosure Act of 2002.
SEC. 2. The Legislature finds and declares all of the following:
(a) Each person or entity that engages in online business has a
continuing and affirmative obligation to respect and uphold the
privacy of individuals and to protect the security and
confidentiality of the individuals' personal and identifying
information.
(b) It is the intent of the Legislature, in enacting this act, to
provide enhanced consumer protections and remedies relative to the
disclosure of personal and identifying information obtained online.
(c) It is the intent of the Legislature to require persons and
entities engaged in online business to provide individuals with
notice of their online privacy rights and improved and more
meaningful choices as to whether personal and identifying information
may be disclosed, sold, or shared.
(d) It is the intent of the Legislature to protect the
constitutionally guaranteed right to privacy of Californians who
spend time or conduct business on the Internet. While this act does
not fully fulfill California's constitutional guarantee of privacy,
giving meaningful and reliable notice to consumers will empower them
to make knowledgeable choices about how to safeguard their personal
and identifying information.
(e) It is the intent of the Legislature that Internet service
providers or similar entities responsible for transmitting data shall
have no obligations under this act relative to disclosures related
to personal and identifying information that they do not collect,
maintain, or store.
SEC. 3. Chapter 15.5 (commencing with Section 22575) is added to
Division 8 of the Business and Professions Code, to read:
CHAPTER 15.5. INTERNET PRIVACY REQUIREMENTS
22575. (a) An operator that collects personal and identifying
information through the Internet about individuals located in
California shall conspicuously post and comply with a privacy policy
on its Web site that identifies the categories of information that it
collects about individuals through the Internet and the categories
of persons or entities with whom the operator may share the
information.
(b) The privacy policy shall also do all of the following:
(1) Disclose whether or not the operator maintains a process for
an individual to review and request changes to his or her personal
and identifying information that is collected in this manner, and if
so, include a description of that process.
(2) Explicitly state that the operator reserves the right to
change its privacy policy without notice to the individual, if the
operator, in fact, reserves that right.
(3) Identify its effective date and provide a hyperlink to at
least three of the most recent privacy policies that were
substantially different in some form or fashion from the current
privacy policy.
22576. An operator shall post or provide upon request, previous
privacy policies that were either posted by it in the past two years
or that were retained and remain available, consistent with the
operator's record retention policy, for a period greater than two
years. This chapter, however, shall not create a duty to reconstruct
and post past privacy policies that were in existence prior to the
operative date of this chapter.
22577. For the purposes of this chapter, the following
definitions apply:
(a) The term "personal and identifying information" means
individually identifiable information about an individual collected
online, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and
name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online
contacting of a specific individual.
(7) Information concerning a user that the Web site collects
online from the user and combines with an identifier described in
this subdivision.
(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web site on which the actual
privacy policy is posted, if the icon is located on the home page or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page.
(3) A text link that hyperlinks to a Web site on which the actual
privacy policy is posted, if the text link is located on the home
page or first significant page after entering the Web site, and if
the text link does one of the following:
(A) Includes the word "privacy" in a type size no smaller than the
type size of the majority of the remainder of the page, and is
located either at the bottom of the page or in the left-most column.
(B) Is written in capital letters equal to or greater in size than
the surrounding text, or in contrasting type, font, or color to the
surrounding text of the same or lesser size.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(c) The term "operator" means any person or entity that operates a
Web site located on the Internet or that operates an online service
that collects or maintains personal information from or about a
California resident who uses or visits the Web site or online service
if the Web site or online service is operated for commercial
purposes, including any person or entity offering a product or
service for sale through that Web site or online service.
22578. (a) An operator who fails or refuses to conspicuously post
a privacy policy on its Web site within 60 days after being notified
of its failure to comply with that requirement, shall be in
violation of Section 22575.
(b) An operator who either knowingly and willfully or negligently
fails to comply with the provisions of its privacy policy shall be in
violation of Section 22575.
22579. Individuals or entities with fewer than 25 employees and
who do less than 10 percent of their business with individuals
located in this state are exempt from this chapter.
22580. It is the intent of the Legislature that this chapter is a
matter of statewide concern. This chapter supersedes and preempts
all rules, regulations, codes, ordinances, and other laws adopted by
a city, county, city and county, municipality, or local agency
regarding the posting of a privacy policy on an Internet Web site.
22581. This chapter shall become operative on July 1, 2003.