BILL NUMBER: AB 242	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  JANUARY 6, 2014

INTRODUCED BY   Assembly Member Chau

                        FEBRUARY 6, 2013

   An act to amend [struck: Section] Sections 22575, 22576, 22577,
and 22578 of the Business and Professions Code, relating to privacy.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 242, as amended, Chau. Privacy: Internet.
   Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet, about individual consumers residing in
California who use or visit its commercial Web site or online
service, to make its privacy policy available to consumers, as
specified. 
   [struck: This bill would require the privacy policy to be no more
than 100 words, be written in clear and concise language, be written
at no greater than an 8th grade reading level, and to include a
statement indicating whether the personally identifiable information
may be sold or shared with others, and if so, how and with whom the
information may be shared.]
   This bill would eliminate references to "privacy policy," and
instead refer to a privacy policy as a "policy." The bill would
require these policies to include hyperlinks to the Web pages where a
consumer may file a complaint, as specified, if an operator collects
personal information about an individual consumer.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
   
   [struck: SECTION 1.  Section 22575 of the Business and
Professions Code is amended to read:
   22575.  (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
   (b) The privacy policy required by subdivision (a) shall do all of
the following:
   (1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
   (2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
   (3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
   (4) Identify its effective date.
   (c) The privacy policy required by this section shall be no more
than 100 words and shall be written in clear and concise language at
no greater than an eighth grade reading level. The privacy policy
shall include a statement indicating whether the personally
identifiable information may be sold or shared with others, and if
so, how and with whom the information may be shared.]
   SECTION 1.  Section 22575 of the Business and Professions Code is
amended to read:
   22575.  (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post [struck: its privacy] a policy on its Web
site, or in the case of an operator of an online service, make that
policy available in accordance with paragraph (5) of subdivision (b)
of Section 22577. An operator shall be in violation of this
subdivision only if the operator fails to post its policy within 30
days after being notified of noncompliance.
   (b) The [struck: privacy] policy required by subdivision
(a) shall do all of the following:
   (1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
   (2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
   (3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's [struck: privacy] policy
for that Web site or online service.
   (4) Identify its effective date.
   (5) Disclose how the operator responds to Web browser "do not
track" signals or other mechanisms that provide consumers the ability
to exercise choice regarding the collection of personally
identifiable information about an individual consumer's online
activities over time and across third-party Web sites or online
services, if the operator engages in that collection.
   (6) Disclose whether other parties may collect personally
identifiable information about an individual consumer's online
activities over time and across different Web sites when a consumer
uses the operator's Web site or service.
   (7) An operator may satisfy the requirement of paragraph (5) by
providing a clear and conspicuous hyperlink in the operator's privacy
policy to an online location containing a description, including the
effects, of any program or protocol the operator follows that offers
the consumer that choice. 
   (8) If an operator collects personal information about an
individual consumer, include hyperlinks to the Web pages where the
consumer may file a complaint with the Attorney General and the
Federal Trade Commission. 
   SEC. 2.  Section 22576 of the Business and Professions Code is
amended to read:
   22576.  An operator of a commercial Web site or online service
that collects personally identifiable information through the Web
site or online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted [struck: privacy] policy in either of the following
ways:
   (a) Knowingly and willfully.
   (b) Negligently and materially.
   SEC. 3.  Section 22577 of the Business and Professions Code is
amended to read:
   22577.  For the purposes of this chapter, the following
definitions apply:
   (a) The term "personally identifiable information" means
individually identifiable information about an individual consumer
collected online by the operator from that individual and maintained
by the operator in an accessible form, including any of the
following:
   (1) A first and last name.
   (2) A home or other physical address, including street name and
name of a city or town.
   (3) An e-mail address.
   (4) A telephone number.
   (5) A social security number.
   (6) Any other identifier that permits the physical or online
contacting of a specific individual.
   (7) Information concerning a user that the Web site or online
service collects online from the user and maintains in personally
identifiable form in combination with an identifier described in this
subdivision.
   (b) The term "conspicuously post" with respect to a [struck:
privacy] policy shall include posting the [struck: privacy] policy
through any of the following:
   (1) A Web page on which the actual [struck: privacy]
policy is posted if the Web page is the homepage or first significant
page after entering the Web site.
   (2) An icon that hyperlinks to a Web page on which the actual
[struck: privacy] policy is posted, if the icon is located
on the homepage or the first significant page after entering the Web
site, and if the icon contains the [struck: word "privacy."] words
"using your information." The icon shall also use a
color that contrasts with the background color of the Web page or is
otherwise distinguishable.
   (3) A text link that hyperlinks to a Web page on which the actual
[struck: privacy] policy is posted, if the text link is
located on the homepage or first significant page after entering the
Web site, and if the text link does one of the following:
   (A) Includes the [struck: word "privacy."] words
"using your information."
   (B) Is written in capital letters equal to or greater in size than
the surrounding text.
   (C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
   (4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
   (5) In the case of an online service, any other reasonably
accessible means of making the [struck: privacy] policy
available for consumers of the online service.
   (c) The term "operator" means any person or entity that owns a Web
site located on the Internet or an online service that collects and
maintains personally identifiable information from a consumer
residing in California who uses or visits the Web site or online
service if the Web site or online service is operated for commercial
purposes. It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the
owner's behalf or by processing information on behalf of the owner.
   (d) The term "consumer" means any individual who seeks or
acquires, by purchase or lease, any goods, services, money, or credit
for personal, family, or household purposes.
   SEC. 4.  Section 22578 of the Business and Professions Code is
amended to read:
   22578.  It is the intent of the Legislature that this chapter is a
matter of statewide concern. This chapter supersedes and preempts
all rules, regulations, codes, ordinances, and other laws adopted by
a city, county, city and county, municipality, or local agency
regarding the posting of a [struck: privacy] policy on an
Internet Web site.