AB 257, as introduced, Hall. Privacy: mobile devices.
Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service to make its privacy policy available to the consumers, as specified.
This bill would define an online service for purposes of these provisions to include mobile applications designed to be downloaded to and installed on a mobile device. This bill would require the operator of a mobile application to satisfy various requirements, including specified privacy policy requirements, procedures to allow a consumer to access their own personally identifiable information collected and retained, safeguards to protect personally identifiable information, a requirement that the operator provide a supplemental privacy policy if an application collects information not essential to the application’s basic function, and a requirement that the operator provide a special notice if the application accesses specified devices and information. The bill would require a mobile application market, as defined, to comply with specified procedures allowing access to an application’s privacy policy and a means for users to report applications in violation of the applicable terms of service or law. The bill would also establish specified requirements for an advertising network delivering an advertisement through a mobile application, including a privacy policy requirement, a requirement that the network obtain prior consent to display an advertisement in specified circumstances, a requirement that advertisements be clearly attributable to the host application in specified circumstances, and required procedures for identifying a consumer and transmitting information.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 22575.1 is added to the Business and
2Professions Code, to read:
(a) The privacy policy for a mobile application shall
4specify and limit practices regarding information retention and
5collection, including the types of information collected, the use
6and retention period for each category of information, the
7categories of third parties with whom personally identifiable
8information will be shared, and the choices a consumer has
9regarding the collection, use, and sharing of personally identifiable
10information.
11(b) The operator of a mobile application shall:
12(1) Provide consumers access to their own personally identifiable
13information that the application collects and retains.
14(2) Use
security safeguards to protect personally identifiable
15information from unauthorized access, use, disclosure,
16modification, or destruction.
17(3) Provide a supplemental privacy policy with enhanced
18measures if an application collects personally identifiable
19information that is not essential to the application’s basic function.
20(4) Provide consumers with a special notice if the application
21accesses text messages, call logs, the camera, the dialer, or the
22microphone, or collects location information, financial information,
23medical information, or passwords. A special notice shall deliver
24notice to the consumer of the information collection. A special
25notice shall explain the intended uses of the information and
26disclose the type of third parties to whom the information may be
27disclosed.
P3 1(c) The requirements for a mobile
application privacy policy
2are in addition to the requirements specified elsewhere in this
3chapter.
Section 22575.2 is added to the Business and
5Professions Code, to read:
(a) In the application submission process for a new
7or updated mobile application, a mobile application market shall
8include either of the following:
9(1) An optional data field for a hyperlink to the application’s
10privacy policy or a statement describing the application’s privacy
11practices.
12(2) An optional data field for the text of the application’s privacy
13policy or a statement describing the application’s privacy practices.
14(b) A mobile application market shall:
15(1) Implement a means for users to report applications that do
16not comply with the
applicable terms of service or law.
17(2) Implement a process for responding to reported instances
18of noncompliance with applicable terms of service or law.
Section 22575.3 is added to the Business and
20Professions Code, to read:
An advertising network delivering an advertisement
22through a mobile application shall:
23(a) Include a privacy policy governing the collection, use,
24disclosure, and retention of personally identifiable information.
25This policy shall be made available to users of mobile applications
26and application developers.
27(b) Obtain prior consent before displaying an advertisement
28delivered through an application and displayed outside the context
29of the application.
30(c) Provide clear attribution of the host application responsible
31for an advertisement delivered through an application and displayed
32outside the context of the application.
33(d) Obtain prior consent before accessing personally identifiable
34information.
35(e) Use application-specific or temporary device identifiers, not
36unchangeable device-specific identifiers.
37(f) Transmit user data securely, using encryption for permanent
38unique device identifiers and personal information.
Section 22577 of the Business and Professions Code
40 is amended to read:
For the purposes of this chapter, the following
2definitions apply:
3(a) The term “personally identifiable information” means
4individually identifiable information about an individual consumer
5collected online by the operator from that individual and
6maintained by the operator in an accessible form, including any
7of the following:
8(1) A first and last name.
9(2) A home or other physical address, including street name and
10name of a city or town.
11(3) An e-mail address.
12(4) A telephone number.
13(5) A social security number.
14(6) Any other identifier that permits the physical or online
15contacting of a specific individual.
16(7) Information concerning a user that the Web site or online
17service collects online from the user and maintains in personally
18identifiable form in combination with an identifier described in
19this subdivision.
20(b) The term “conspicuously post” with respect to a privacy
21policy shall include posting the privacy policy through any of the
22following:
23(1) A Web page on which the actual privacy policy is posted if
24the Web page is the homepage or first significant page after
25entering the Web site.
26(2) An icon
that hyperlinks to a Web page on which the actual
27privacy policy is posted, if the icon is located on the homepage or
28the first significant page after entering the Web site, and if the icon
29contains the word “privacy.” The icon shall also use a color that
30contrasts with the background color of the Web page or is
31otherwise distinguishable.
32(3) A text link that hyperlinks to a Web page on which the actual
33privacy policy is posted, if the text link is located on the homepage
34or first significant page after entering the Web site, and if the text
35link does one of the following:
36(A) Includes the word “privacy.”
37(B) Is written in capital letters equal to or greater in size than
38the surrounding text.
39(C) Is written in larger type than the surrounding text, or
in
40contrasting type, font, or color to the surrounding text of the same
P5 1size, or set off from the surrounding text of the same size by
2symbols or other marks that call attention to the language.
3(4) Any other functional hyperlink that is so displayed that a
4reasonable person would notice it.
5(5) In the case of an online service, any other reasonably
6accessible means of making the privacy policy available for
7consumers of the online servicebegin insert, except for a mobile application,
8which shall follow the requirements in Section 22575.1end insert.
9(c) The term “operator” means any person or entity that owns
10a Web site located on the Internet or an online service that collects
11and maintains personally identifiable information from
a consumer
12residing in California who uses or visits the Web site or online
13service if the Web site or online service is operated for commercial
14purposes. It does not include any third party that operates, hosts,
15or manages, but does not own, a Web site or online service on the
16owner’s behalf or by processing information on behalf of the
17owner.
18(d) The term “consumer” means any individual who seeks or
19acquires, by purchase or lease, any goods, services, money, or
20credit for personal, family, or household purposes.
21(e) The term “online service” includes, but shall not be limited
22to, a mobile application.
23(f) The term “mobile
application” means an application
24designed to be downloaded to and installed on a mobile device,
25such as a mobile phone, a tablet, or a smart phone.
26(g) The term “mobile application market” means a computerized
27system where a person can purchase a mobile application and
28download the mobile application directly to a mobile device.
O
99