BILL ANALYSIS
AB 2297 Page 1

Date of Hearing: May 7, 2002

ASSEMBLY COMMITTEE ON JUDICIARY
Ellen M. Corbett, Chair

AB 2297 (Simitian) - As Amended: May 2, 2002

SUBJECT : PERSONAL AND IDENTIFYING INFORMATION: DISCLOSURE OF ONLINE PRIVACY POLICY

KEY ISSUE : SHOULD DISCLOSURE REQUIREMENTS BE ENACTED TO PROVIDE CONSUMERS WITH MORE NOTICE AS TO HOW THEIR PERSONAL AND IDENTIFYING INFORMATION IS BEING USED AND SHARED BY ENTITIES WITH WHOM THEY CONDUCT BUSINESS ON THE INTERNET?

SYNOPSIS

This bill reflects the author's continuing efforts and commitment in this important consumer protection area and arises out of a recent hearing held by the Assembly Select Committee on Privacy, of which the author is Chair. This bill requires entities that conduct business transactions on an Internet Web site that collects personal and identifying information from Web browsers to conspicuously post and fully comply with a privacy policy that identifies the nature of the information collected, and with whom the entity may share the information. In addition, the bill requires that an entity's privacy policy establish a process for a consumer to review and request changes to his or her personal information collected and also requires that an historical record of changes to the privacy policy must also be posted. And, the bill requires that in the case of a breach of security that results in the disclosure of personal and identifying information in a manner not covered by the privacy policy, the entity must notify each affected individual of specified information. Supporters argue that the bill provides legal protection for online privacy in order to safeguard individuals when they surf the web and in order to stimulate online commerce. Opponents, on the other hand, note that federal legislation has been introduced on the issue and worry that state-by-state legislative requirements could be inconsistent or contradictory.
They also raise concerns about the bill's provision relating to Business and Professions Code section 17200.

SUMMARY : Enacts the Online Privacy and Disclosure Act of 2002. Specifically, this bill :

1) Requires an entity that conducts business transactions on an Internet Web site that collects personal and identifying information from Web browsers to do both of the following:

    a) Conspicuously post and fully comply with a privacy policy that identifies the nature of the information collected, and with whom the entity may share the information. The bill also requires that the privacy policy establish a process for an individual to review and request changes to his or her personal and identifying information collected and requires that an historical record of changes to the privacy policy must also be posted; and

    b) In the case of a breach of security that results in the disclosure of personal and identifying information in a manner not covered by the privacy policy, the entity shall notify each affected individual of: (1) the security breach; (2) the type of information that was improperly disclosed; and (3) to whom the information was improperly disclosed, if known.

2) Provides that, in addition to any other rights or remedies available at law or in equity, the failure of an entity to comply with the bill, including a disclosure that is not in compliance with the entity's posted privacy policy, shall constitute an unfair business practice for purposes of Business and Professions Code section 17200.

3) Provides that the Legislature finds and declares that:

    a) Each person or entity that engages in on-line business transactions has a continuing and affirmative obligation to respect and uphold the privacy of customers and to protect the security and confidentiality of the customers' personal and identifying information.
    b) It is the intent of the Legislature, in enacting this act, to provide enhanced consumer protections and remedies relative to the disclosure of personal and identifying information obtained through on-line business transactions.

    c) It is the intent of the Legislature to require persons and entities engaged in on-line business transactions to provide customers with notice of their on-line privacy rights and improved and more meaningful choices as to whether personal and identifying information may be disclosed, sold, or shared.

    d) It is the intent of the Legislature to protect the constitutionally guaranteed right to privacy of Californians who spend time or conduct business on the Internet, while also fostering the continued growth of electronic commerce.

EXISTING LAW requires financial institutions to disclose their policies and practices, at the time of establishing a customer relationship and on an annual basis, including to consumers who conduct their transactions electronically, with respect to: (1) the categories of persons to whom nonpublic personal information is disclosed; (2) the categories of nonpublic personal information that is collected by the financial institution; and (3) the policies that the financial institution maintains to protect the confidentiality and security of nonpublic personal information. (Gramm-Leach-Bliley Act, P.L. 106-102, section 503. This analysis may alternately refer to this federal law as the Gramm-Leach-Bliley Act or the GLB Act.)

FISCAL EFFECT : The bill as currently in print is keyed non-fiscal.

COMMENTS : This bill reflects the author's continuing efforts and commitment in this important consumer protection area and arises out of a hearing held by the Assembly Select Committee on Privacy, of which the author is Chair, on February 19, 2002.
In support of the measure, the author states:

    My bottom line goal is, of course, to enhance the privacy protection of Californians who spend time and do business online; but I am mindful that there are other legitimate considerations: cost, competitiveness, simplicity, the role and responsibility of the federal government, industry best practices and the need to foster the continued growth of E-commerce, to name just a few. I do not believe that these are mutually exclusive considerations. I hope that a thoughtful dialogue will suggest the means by which legitimate competing interests may be appropriately balanced.

Intersection between the bill and Gramm-Leach-Bliley. This bill requires entities that conduct business transactions on an Internet Web site that collects personal and identifying information from Web browsers to conspicuously post and fully comply with a privacy policy that identifies the nature of the information collected, and with whom the entity may share the information. A similar requirement currently exists for financial institutions under the Gramm-Leach-Bliley Act. While this bill does not touch upon the "opt-in" v. "opt-out" debate in the sense that it is primarily a disclosure bill and does not require that consumers either opt-in to or opt-out of the sharing of their information, it is important to understand the disclosure requirements of the GLB Act with respect to financial institutions. Under the GLB Act, a financial institution is required to disclose its policies and practices with respect to: (1) the categories of persons to whom nonpublic personal information is disclosed; (2) the categories of nonpublic personal information that is collected by the financial institution; and (3) the policies that the financial institution maintains to protect the confidentiality and security of nonpublic personal information. These disclosures must be made at the time of establishing a customer relationship and on an annual basis.
In addition, the disclosures required apply also to consumers who conduct their transactions electronically. Unlike the GLB Act, however, this bill is not limited to disclosures by financial institutions. Instead, its disclosure requirements apply to all entities that "conduct business transactions on an Internet Web site that collects personal and identifying information from Web browsers."

Congressional action on the issue. Because some opponents of this measure argue that the bill raises the potential for differing privacy statutes throughout the United States and note that federal legislation has been introduced to create a national standard for online privacy, it is important to briefly discuss the Congressional proposals.

Several measures have been introduced in the U.S. Congress on this issue. For example, S.2201, by Senator Hollings, and a companion bill introduced in the U.S. House of Representatives, enact the Online Personal Privacy Act which provides, among other things, that an operator of a commercial website on the Internet may not collect personally identifiable information from a user, or disclose personally identifiable information about a user unless the website operator provides clear and conspicuous notice that discloses the type of information that is collected and to whom the information is disclosed. The measures also require that a consumer provide either an opt-in or opt-out, depending on the type of information disclosed. In addition, Representative Eshoo has introduced the Consumer Internet Privacy Enhancement Act which requires a commercial website operator to provide notice to the user of the operator's policy regarding the collection and sharing of personally identifiable information. The measure also requires website operators to give the user an opportunity to limit the use of his or her information for marketing purposes or limit disclosure to third parties.
While these measures are currently pending, it is arguably not inconsistent for California to act, as final passage and enactment of legislation at the national level has not yet come to pass.

ARGUMENTS IN SUPPORT : The Privacy Rights Clearinghouse (PRC) supports the bill, stating:

    [The bill] takes a reasonable approach to protecting California citizens when they use the Internet and visit commercial web sites. Surveys have determined that fear of privacy intrusions is the major reason for individuals to not conduct business online. There must be legal protection for online privacy in order to safeguard individuals when they surf the web and in order to stimulate online commerce.

The American Civil Liberties Union supports the measure, stating:

    This measure imposes common-sense privacy protections on businesses that conduct business transactions on an internet web site that collects personal and identifying information from web browsers. ... This bill protects individuals' reasonable expectation of privacy by giving people notice of what the privacy policy is and setting forth the entities that will receive their information. In addition, it ensures that when there has been a breach of security that individuals affected will be notified.

ARGUMENTS IN OPPOSITION : The Civil Justice Association of California (CJAC) is opposed to the measure, unless amended. In explaining its position, CJAC states:

    Our opposition relates to the measure's provision (proposed Sec. 22575(b)), making the failure of an entity to comply with the measure "an unfair business practice for purposes of B&P Code Section 17200." As Section 17200 is currently interpreted, this provision is virtually certain to encourage opportunistic lawsuits filed by private lawyers misusing California's unfair competition law (B&P Code Section 17200, et seq.) in an effort to win fees in settlements.
    Our problem with AB 2297 can be solved by amending subsection (b) to provide that failure of an entity to comply with this section is actionable under Section 17200 by an action brought exclusively by the Attorney General or any district attorney or by any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or any city attorney of a city, or city and county, having a population in excess of 750,000, and, with the consent of the district attorney, by a city prosecutor in any city having a full time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county in the name of the people of the State of California upon their own complaint or upon the complaint of any board, officer, person, corporation or association. Any individual who suffers any damage as a result of the failure of an entity to comply with this section may seek recovery under the provisions of Section 1750 of the Civil Code (the Consumer Legal Remedies Act). We further suggest amending Section 1770 of the Civil Code to add a violation of AB 2297 as a new subdivision 24.

The Internet Alliance opposes the measure, writing:

    SB 2297 imposes duties on web-site owners to both allow access to personal data and to report breaches of security with respect to that data, even for data that is already publicly available. Because of the prevalence of identity theft, and the impossibility of 100% accurate identification of every person seeking access, every access request that is granted constitutes a possible security breach. Access and security are contradictory concepts. To provide one risks violating the other. Thus the bill imposes conflicting responsibilities on web-site owners and encourages class action lawsuits against companies that violate either of those responsibilities, when, by their very nature, fulfilling one responsibility violates the other. ...
    Perhaps the biggest problem is that the bill completely undermines industry efforts to empower users to protect their own privacy. The industry has developed a standard (P3P), which is now available in the latest versions of web browsers, designed to let users inform their web browsers about the user's privacy preferences and to then have the browser check web sites to see if their privacy policies do or do not match the user's preferences. Thus if a web-site's privacy policy is compliant with the user's preferences, the user can confidently proceed without concern. This process, once set up, is designed not to interfere with the user's Internet browsing experience unless a non-compliant site is encountered. Because it is designed to be transparent to the user when the privacy policy is acceptable to the user, the P3P system would fail the conspicuousness requirement of this legislation. Instead, even when the user knows that the site's privacy policy is fine, the policy would have to be conspicuously displayed. What AB 2297 would do is mandate that the user be repeatedly annoyed by undesired notices. The legislation provides no mechanism by which the user can decline to be presented with these annoying notices; indeed the legislation would make any such mechanism illegal.

Amazon.com opposes the bill arguing that it "could be the first patch in a crazy quilt of state by state legislative requirements that could be inconsistent or worse, contradictory. ... The bill would impose requirements on internet websites but would not cover off line or 'brick and mortar' companies. We firmly believe that any privacy law passed should treat on line and off line practices in the same manner."

Double referral. This bill has been double referred to the Assembly Business and Professions Committee.

Prior Related Legislation.
AB 1793 (Wayne) of 2000, which enacted the Internet Privacy Protection Act and was amended to declare Legislative intent to enact legislation to protect the privacy of Internet users, died in the Assembly Committee on Consumer Protection, Governmental Efficiency, and Economic Development.

AB 1007 (Wayne) of 1999, which provided that no Internet service provider shall disclose any personally identifying information about a California subscriber to a third party for marketing or other purposes without the knowledge and affirmative consent of that subscriber, died in the Assembly Committee on Consumer Protection, Governmental Efficiency, and Economic Development.

REGISTERED SUPPORT / OPPOSITION :

Support

American Civil Liberties Union
Privacy Rights Clearinghouse

Opposition

Amazon.com
California Cable and Telecommunications Committee
Civil Justice Association of California (oppose unless amended)
Internet Alliance

Analysis Prepared by : Saskia Kim / JUD. / (916) 319-2334