BILL ANALYSIS                                                                                                                                                                                                    



                                                                       


           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                    AB 68|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 445-6614         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                                 THIRD READING


          Bill No:  AB 68
          Author:   Simitian (D)
          Amended:  9/3/03 in Senate
          Vote:     21

           
           SENATE JUDICIARY COMMITTEE  :  5-1, 7/8/03
          AYES:  Escutia, Cedillo, Ducheny, Kuehl, Sher
          NOES:  Ackerman
          NO VOTE RECORDED:  Morrow

           ASSEMBLY FLOOR  :  48-25, 5/12/03 - See last page for vote


           SUBJECT  :    Online Privacy Protection Act of 2003

           SOURCE  :     Author


           DIGEST  :    This bill would require the operator of a web  
          site that collects personally identifiable information to  
          conspicuously post a privacy policy on the web site and  
          comply with that policy.  The bill would require the policy  
          to, at a minimum, identify the categories of information  
          collected and how that information may be shared.  The bill  
          contains an operative date of July 1, 2004.

           Senate Floor Amendments  of 9/3/03, (1) extend the grace  
          period for compliance with the bill's requirement that a  
          privacy policy be posted, from 10 to 30 days, and (2)  
          contain a variety of technical changes to ensure  
          consistency in the use of terms throughout the bill, and  
          clarify that the operator of an online service who makes a  
          privacy policy reasonably accessible has complied with the  
          conspicuous posting requirement.

           ANALYSIS  :    Existing law does not directly regulate the  
          privacy practices of online business entities.

          Existing law requires that businesses notify consumers of  
          the unauthorized release of personal information through a  
          security breach.

          This bill:

          1.Would require the operator of a commercial web site or  
            online services, that collects personally identifiable  
            information through the Internet about individual  
            consumers residing in California who use or visit its  
            commercial web site or online services, to conspicuously  
            post its privacy policy on the web site, or in the case  
            of an operator of online services, in accordance with  
            other specified provisions of law.

          2.Would require that the policy identify the categories of  
            information the web site collects and the persons or  
            entities with whom the operator may share the  
            information.  The bill would also require that the  
            policy:  (1) disclose whether the operator maintains a  
            process for a user to review and request changes to his  
            or her personally identifiable information, (2) describe  
            the process by which the operator notifies consumers who  
            use or visit the commercial web site, and (3) state the  
            effective date of the policy.

          3.Would provide that the operator or online service that  
            collects personally identifiable information through the  
            web site or online service from individual consumers who  
            use or visit the commercial web site or online service,  
            and who reside in California, is in violation of  
            this section if the operator fails to comply with the  
            provisions of Section 22575 or with the provisions of its  
            posted privacy policy in either of the following ways:   
            (a) knowingly and willfully, and (b) negligently and  
            materially.

          4.Would define "personally identifiable information" as  
            identifiable information collected online by the operator  
            from that individual and maintained by the operator in an  
            accessible form, including name, address, email address,  
            telephone number, social security number, or any other  
            identifier that permits the physical or online contacting  
            of the individual.

          5.Would define "conspicuous posting" as any hyperlink that  
            is so displayed that a reasonable person would notice it.  
             The bill sets forth a variety of methods that would  
            constitute compliance with the conspicuous posting  
            requirement, all of which involve a link from a homepage  
            to the text of the privacy policy.

          6.Would define "operator" as any person or entity that owns  
            a commercial web site or online service located on the  
            Internet that collects and maintains personally  
            identifiable information from a consumer residing in  
            California who uses or visits the web site or online  
            service.  It does not include any third party that  
            operates, hosts, or manages, but does not own, a web site  
            or online service on the owner's behalf or by processing  
            information on behalf of the owner.  The term "consumer"  
            means any individual who seeks or acquires, by purchase  
            or lease, any goods, services, money, or credit for  
            personal, family, or household purposes.
          
          7.Would provide that its posting requirement is not  
            violated unless an operator fails to cure the violation  
            within 30 days of being notified of noncompliance.

          8.Provides that the provisions of the bill become operative  
            on July 1, 2004.

           Background
           
          Last year, the Legislature passed AB 2297 (Simitian) which  
          would have required web site operators to post privacy  
          policies and comply with those policies.  That bill was  
          vetoed by Governor Davis.  This bill seeks to address the  
          concerns stated in the Governor's veto message, which  
          included concerns over ambiguity in AB 2297's definitions  
          and some provisions which the Governor felt would be too  
          burdensome on business.









          AB 2297 of 2002 (Simitian) contained provisions similar to  
          this bill.  The bill was vetoed by Governor Davis, who  
          wrote that:

               While this bill is well intended, it is too vague and  
               does not clearly define what entities are covered.  
               Additionally, the bill requires an entity posting a  
               privacy policy to post the past three privacy policies  
               it used which will most certainly lead to confusion to  
               consumers attempting to view the privacy policy. 

           Prior legislation
           
          AB 2297 of 2002 (Simitian) passed the Senate Floor on  
          8/28/02, 21-17.  The bill was vetoed by Governor Davis.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No    
          Local:  No

           SUPPORT  :   (Verified  9/4/03)

          American Civil Liberties Union
          Privacy Rights Clearinghouse

           OPPOSITION  :    (Verified  9/4/03)

          Amazon.com
          American Insurance Association
          California Chamber of Commerce
          Information Technology Association of America (ITAA)

           ARGUMENTS IN SUPPORT  :    According to the Author's office,  
          this bill:

               Requires that all individuals or entities that operate  
               a web site or online service that collects personal  
               information through the internet from California  
               residents to conspicuously post a privacy policy  
               stating what information they collect and the  
               categories of individuals with whom they share the  
               information.

               This bill also requires that these web site operators  
               follow the policy that they post.









          The author's office also states that the bill is needed  
          because:

               Many consumers refuse to do business online because  
               they have little protection against abuse.  The bill  
               provides meaningful privacy protections that will help  
               foster the continued growth of the internet economy?

               Currently, state law is unclear on what recourse  
               individuals have, if any, when somebody chooses not to  
               honor their posted privacy policy.  The only sure  
               method of recourse is to literally make a federal case  
               of the matter by filing a complaint with the Federal  
               Trade Commission (FTC).  This bill provides for  
               meaningful and accessible enforcement under California  
               law.

               Before anyone can feel comfortable regarding what  
               occurs with his or her personal information, he or she  
               must know how it is being used.  This bill does just  
               that.

           ARGUMENTS IN OPPOSITION  :    Opponent Amazon.com writes  
          that:

               This bill could be the first patch in a crazy quilt of  
               state by state legislative requirements that could be  
               inconsistent or worse, contradictory.  National or  
               global entities would find it difficult if not  
               impossible to comply with such a maze of statutory or  
               regulatory requirements.

               Since web sites by their very nature are accessible to  
               internet users around the country and around the  
               world, opponents are correct that they may be subject  
               to the laws of many states and nations.  If those many  
               states and nations were to enact legislation regarding  
               online privacy, opponents are probably correct in  
               arguing that there will be considerable compliance  
               difficulties.  However, the American legal system has  
               developed a complex but thorough body of law regarding  
               state jurisdiction and conflict of laws that is  
               intended to address such issues.  In this regard,  
               commercial web site operators appear to be no  
               different than other national or international  
               business entities that are subject to varying forms of  
               regulation, except that unlike non-internet companies,  
               web site operators tend to operate nationally from the  
               moment they are created.
           
           The California Chamber of Commerce states that:

               This bill is unnecessary.  According to the Federal  
               Trade Commission, companies conducting 95 percent of  
               all Internet activities already have privacy policies  
               in place.  It is impractical to regulate companies  
               doing business with California but located outside the  
               borders of the state.

               This bill opens the door to endless lawsuits and  
               harassment for online businesses that contribute much  
               to the economy of the state.

           ASSEMBLY FLOOR  :
          AYES:  Berg, Bermudez, Calderon, Canciamilla, Chavez, Chu,  
            Cohn, Corbett, Correa, Daucher, Diaz, Dutra, Dymally,  
            Firebaugh, Frommer, Goldberg, Hancock, Jerome Horton,  
            Jackson, Kehoe, Koretz, Laird, Leno, Leslie, Levine,  
            Lieber, Liu, Longville, Lowenthal, Matthews, Montanez,  
            Mullin, Nakano, Nation, Negrete McLeod, Nunez, Parra,  
            Pavley, Reyes, Ridley-Thomas, Salinas, Simitian,  
            Steinberg, Vargas, Wiggins, Wolk, Yee, Wesson
          NOES:  Aghazarian, Bates, Benoit, Bogh, Campbell, Cogdill,  
            Cox, Dutton, Harman, Haynes, Keene, La Malfa, La Suer,  
            Maldonado, Maze, McCarthy, Mountjoy, Nakanishi, Pacheco,  
            Richman, Runner, Samuelian, Spitzer, Strickland, Wyland


          RJG:nl  9/4/03   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE

                                ****  END  ****