AB 257 Assembly Bill

BILL NUMBER: AB 257	INTRODUCED
	BILL TEXT


INTRODUCED BY   Assembly Member Hall

                        FEBRUARY 7, 2013

   An act to amend Section 22577 of, and to add Sections 22575.1,
22575.2, and 22575.3 to, the Business and Professions Code, relating
to privacy.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 257, as introduced, Hall. Privacy: mobile devices.
   Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its commercial Web site or online service
to make its privacy policy available to the consumers, as specified.

   This bill would define an online service for purposes of these
provisions to include mobile applications designed to be downloaded
to and installed on a mobile device. This bill would require the
operator of a mobile application to satisfy various requirements,
including specified privacy policy requirements, procedures to allow
a consumer to access their own personally identifiable information
collected and retained, safeguards to protect personally identifiable
information, a requirement that the operator provide a supplemental
privacy policy if an application collects information not essential
to the application's basic function, and a requirement that the
operator provide a special notice if the application accesses
specified devices and information. The bill would require a mobile
application market, as defined, to comply with specified procedures
allowing access to an application's privacy policy and a means for
users to report applications in violation of the applicable terms of
service or law. The bill would also establish specified requirements
for an advertising network delivering an advertisement through a
mobile application, including a privacy policy requirement, a
requirement that the network obtain prior consent to display an
advertisement in specified circumstances, a requirement that
advertisements be clearly attributable to the host application in
specified circumstances, and required procedures for identifying a
consumer and transmitting information.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 22575.1 is added to the Business and
Professions Code, to read:
   22575.1.  (a) The privacy policy for a mobile application shall
specify and limit practices regarding information retention and
collection, including the types of information collected, the use and
retention period for each category of information, the categories of
third parties with whom personally identifiable information will be
shared, and the choices a consumer has regarding the collection, use,
and sharing of personally identifiable information.
   (b) The operator of a mobile application shall:
   (1) Provide consumers access to their own personally identifiable
information that the application collects and retains.
   (2) Use security safeguards to protect personally identifiable
information from unauthorized access, use, disclosure, modification,
or destruction.
   (3) Provide a supplemental privacy policy with enhanced measures
if an application collects personally identifiable information that
is not essential to the application's basic function.
   (4) Provide consumers with a special notice if the application
accesses text messages, call logs, the camera, the dialer, or the
microphone, or collects location information, financial information,
medical information, or passwords. A special notice shall deliver
notice to the consumer of the information collection. A special
notice shall explain the intended uses of the information and
disclose the type of third parties to whom the information may be
disclosed.
   (c) The requirements for a mobile application privacy policy are
in addition to the requirements specified elsewhere in this chapter.
  SEC. 2.  Section 22575.2 is added to the Business and Professions
Code, to read:
   22575.2.  (a) In the application submission process for a new or
updated mobile application, a mobile application market shall include
either of the following:
   (1) An optional data field for a hyperlink to the application's
privacy policy or a statement describing the application's privacy
practices.
   (2) An optional data field for the text of the application's
privacy policy or a statement describing the application's privacy
practices.
   (b) A mobile application market shall:
   (1) Implement a means for users to report applications that do not
comply with the applicable terms of service or law.
   (2) Implement a process for responding to reported instances of
noncompliance with applicable terms of service or law.
  SEC. 3.  Section 22575.3 is added to the Business and Professions
Code, to read:
   22575.3.  An advertising network delivering an advertisement
through a mobile application shall:
   (a) Include a privacy policy governing the collection, use,
disclosure, and retention of personally identifiable information.
This policy shall be made available to users of mobile applications
and application developers.
   (b) Obtain prior consent before displaying an advertisement
delivered through an application and displayed outside the context of
the application.
   (c) Provide clear attribution of the host application responsible
for an advertisement delivered through an application and displayed
outside the context of the application.
   (d) Obtain prior consent before accessing personally identifiable
information.
   (e) Use application-specific or temporary device identifiers, not
unchangeable device-specific identifiers.
   (f) Transmit user data securely, using encryption for permanent
unique device identifiers and personal information.
  SEC. 4.  Section 22577 of the Business and Professions Code is
amended to read:
   22577.  For the purposes of this chapter, the following
definitions apply:
   (a) The term "personally identifiable information" means
individually identifiable information about an individual consumer
collected online by the operator from that individual and maintained
by the operator in an accessible form, including any of the
following:
   (1) A first and last name.
   (2) A home or other physical address, including street name and
name of a city or town.
   (3) An e-mail address.
   (4) A telephone number.
   (5) A social security number.
   (6) Any other identifier that permits the physical or online
contacting of a specific individual.
   (7) Information concerning a user that the Web site or online
service collects online from the user and maintains in personally
identifiable form in combination with an identifier described in this
subdivision.
   (b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
   (1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
   (2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
   (3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
   (A) Includes the word "privacy."
   (B) Is written in capital letters equal to or greater in size than
the surrounding text.
   (C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
   (4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
   (5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service  , except for a mobile application, which
shall follow the requirements in Section 22575.1  .
   (c) The term "operator" means any person or entity that owns a Web
site located on the Internet or an online service that collects and
maintains personally identifiable information from a consumer
residing in California who uses or visits the Web site or online
service if the Web site or online service is operated for commercial
purposes. It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the
owner's behalf or by processing information on behalf of the owner.
   (d) The term "consumer" means any individual who seeks or
acquires, by purchase or lease, any goods, services, money, or credit
for personal, family, or household purposes. 
   (e) The term "online service" includes, but shall not be limited
to, a mobile application.  
   (f) The term "mobile application" means an application designed to
be downloaded to and installed on a mobile device, such as a mobile
phone, a tablet, or a smart phone.  
   (g) The term "mobile application market" means a computerized
system where a person can purchase a mobile application and download
the mobile application directly to a mobile device.