AB 370, as amended, Muratsuchi. Consumers: online tracking.
begin insertExisting law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.
end insertbegin insertThis bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking, as defined, of the consumer who visits or uses its commercial Web site or online service. The bill would also require an operator to disclose if it does not allow 3rd parties to conduct online tracking on the commercial Web site or online service.
end insertExisting law, subject to specified exceptions, requires a business that discloses a customer’s personal information to a 3rd party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.
end deleteThis bill would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.
end deleteVote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
begin insertSection 22575 of the end insertbegin insertBusiness and Professions
2Codeend insertbegin insert is amended to read:end insert
(a) An operator of a commercial Web site or online
4service that collects personally identifiable information through
5the Internet about individual consumers residing in California who
6use or visit its commercial Web site or online service shall
7conspicuously post its privacy policy on its Web site, or in the case
8of an operator of an online service, make that policy available in
9accordance with paragraph (5) of subdivision (b) of Section 22577.
10An operator shall be in violation of this subdivision only if the
11operator fails to post its policy within 30 days after being notified
12of noncompliance.
13(b) The privacy policy required by subdivision (a) shall do all
14of the following:
15(1) Identify the categories of personally identifiable information
16that the operator collects through the Web site or online service
17about individual consumers who use or visit its commercial Web
18site or online service and the categories of third-party persons or
19entities with whom the operator may share that personally
20identifiable information.
21(2) Disclose whether or not the operator honors or complies
22with a Web browser’s signal or other similar mechanism that
23indicates a request to disable online tracking of the individual
24consumer who uses or visits its commercial Web site or online
25service, or, if the operator does not allow third parties to conduct
26online tracking on the Web site or service, to disclose that fact.
27(2)
end delete
28begin insert(3)end insert If the operator maintains a process for an individual
29consumer who uses or visits its commercial Web site or online
30service to review and request changes to any of his or her
P3 1personally identifiable information that is collected through the
2Web site or online service, provide a description of that process.
3(3)
end delete
4begin insert(4)end insert Describe the process by which the operator notifies
5consumers who use or visit its commercial Web site or online
6service of material changes to the operator’s privacy policy for
7that Web site
or online service.
8(4)
end delete9begin insert(5)end insert Identify its effective date.
begin insertSection 22577 of the end insertbegin insertBusiness and Professions Codeend insert
11begin insert is amended to read:end insert
For the purposes of this chapter, the following
13definitions apply:
14(a) The term “personally identifiable information” means
15individually identifiable information about an individual consumer
16collected online by the operator from that individual and
17maintained by the operator in an accessible form, including any
18of the following:
19(1) A first and last name.
20(2) A home or other physical address, including street name and
21name of a city or town.
22(3) An e-mail address.
23(4) A telephone number.
24(5) A social security number.
25(6) Any other identifier that permits the physical or online
26contacting of a specific individual.
27(7) Information concerning a user that the Web site or online
28service collects online from the user and maintains in personally
29identifiable form in combination with an identifier described in
30this subdivision.
31(b) The term “conspicuously post” with respect to a privacy
32policy shall include posting the privacy policy through any of the
33following:
34(1) A Web page on which the actual privacy policy is posted if
35the Web page is the homepage or first significant page after
36entering the Web site.
37(2) An icon that hyperlinks to a Web page on which the actual
38privacy policy is posted, if the icon is located on the homepage or
39the first significant page after entering the Web site, and if the icon
40contains the word “privacy.” The icon shall also use a color that
P4 1contrasts with the background color of the Web page or is
2otherwise distinguishable.
3(3) A text link that hyperlinks to a Web page on which the actual
4privacy policy is posted, if the text link is located on the homepage
5or first significant page after entering the Web site, and if the text
6link does one of the following:
7(A) Includes the word “privacy.”
8(B) Is written in capital letters equal to or greater in size than
9the surrounding text.
10(C) Is written in larger type than
the surrounding text, or in
11contrasting type, font, or color to the surrounding text of the same
12size, or set off from the surrounding text of the same size by
13symbols or other marks that call attention to the language.
14(4) Any other functional hyperlink that is so displayed that a
15reasonable person would notice it.
16(5) In the case of an online service, any other reasonably
17accessible means of making the privacy policy available for
18consumers of the online service.
19(c) The term “operator” means any person or entity that owns
20a Web site located on the Internet or an online service that collects
21and maintains personally identifiable information from a consumer
22residing in California who uses or visits the Web site or online
23service if the Web site or online service is operated for commercial
24purposes. It does not
include any third party that operates, hosts,
25or manages, but does not own, a Web site or online service on the
26owner’s behalf or by processing information on behalf of the
27owner.
28(d) The term “consumer” means any individual who seeks or
29acquires, by purchase or lease, any goods, services, money, or
30credit for personal, family, or household purposes.
31(e) The term “online tracking” means the practice of collecting
32personally identifiable information about an individual consumer’s
33online activities over time and across different Web sites and online
34services.
It is the intent of the Legislature to enact
36legislation that would regulate online behavioral tracking of
37consumers.
O
98