Amended in Assembly March 19, 2013

California Legislature—2013–14 Regular Session

Assembly BillNo. 370


Introduced by Assembly Member Muratsuchi

February 14, 2013


An actbegin insert to amend Sections 22575 and 22577 of the Business and Professions Code,end insert relating to consumers.

LEGISLATIVE COUNSEL’S DIGEST

AB 370, as amended, Muratsuchi. Consumers: online tracking.

begin insert

Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

end insert
begin insert

This bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking, as defined, of the consumer who visits or uses its commercial Web site or online service. The bill would also require an operator to disclose if it does not allow 3rd parties to conduct online tracking on the commercial Web site or online service.

end insert
begin delete

Existing law, subject to specified exceptions, requires a business that discloses a customer’s personal information to a 3rd party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.

end delete
begin delete

This bill would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.

end delete

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

P2    1begin insert

begin insertSECTION 1end insertbegin insert.end insert  

end insert

begin insertSection 22575 of the end insertbegin insertBusiness and Professions
2Code
end insert
begin insert is amended to read:end insert

3

22575.  

(a) An operator of a commercial Web site or online
4service that collects personally identifiable information through
5the Internet about individual consumers residing in California who
6use or visit its commercial Web site or online service shall
7conspicuously post its privacy policy on its Web site, or in the case
8of an operator of an online service, make that policy available in
9accordance with paragraph (5) of subdivision (b) of Section 22577.
10An operator shall be in violation of this subdivision only if the
11operator fails to post its policy within 30 days after being notified
12of noncompliance.

13(b) The privacy policy required by subdivision (a) shall do all
14of the following:

15(1) Identify the categories of personally identifiable information
16that the operator collects through the Web site or online service
17about individual consumers who use or visit its commercial Web
18site or online service and the categories of third-party persons or
19entities with whom the operator may share that personally
20identifiable information.

begin insert

21(2) Disclose whether or not the operator honors or complies
22with a Web browser’s signal or other similar mechanism that
23indicates a request to disable online tracking of the individual
24consumer who uses or visits its commercial Web site or online
25service, or, if the operator does not allow third parties to conduct
26online tracking on the Web site or service, to disclose that fact.

end insert
begin delete

27(2)

end delete

28begin insert(3)end insert If the operator maintains a process for an individual
29consumer who uses or visits its commercial Web site or online
30service to review and request changes to any of his or her
P3    1personally identifiable information that is collected through the
2Web site or online service, provide a description of that process.

begin delete

3(3)

end delete

4begin insert(4)end insert Describe the process by which the operator notifies
5consumers who use or visit its commercial Web site or online
6service of material changes to the operator’s privacy policy for
7that Web site or online service.

begin delete

8(4)

end delete

9begin insert(5)end insert Identify its effective date.

10begin insert

begin insertSEC. 2end insertbegin insert.end insert  

end insert

begin insertSection 22577 of the end insertbegin insertBusiness and Professions Codeend insert
11begin insert is amended to read:end insert

12

22577.  

For the purposes of this chapter, the following
13definitions apply:

14(a) The term “personally identifiable information” means
15individually identifiable information about an individual consumer
16collected online by the operator from that individual and
17maintained by the operator in an accessible form, including any
18of the following:

19(1) A first and last name.

20(2) A home or other physical address, including street name and
21name of a city or town.

22(3) An e-mail address.

23(4) A telephone number.

24(5) A social security number.

25(6) Any other identifier that permits the physical or online
26contacting of a specific individual.

27(7) Information concerning a user that the Web site or online
28service collects online from the user and maintains in personally
29identifiable form in combination with an identifier described in
30this subdivision.

31(b) The term “conspicuously post” with respect to a privacy
32policy shall include posting the privacy policy through any of the
33following:

34(1) A Web page on which the actual privacy policy is posted if
35the Web page is the homepage or first significant page after
36entering the Web site.

37(2) An icon that hyperlinks to a Web page on which the actual
38privacy policy is posted, if the icon is located on the homepage or
39the first significant page after entering the Web site, and if the icon
40contains the word “privacy.” The icon shall also use a color that
P4    1contrasts with the background color of the Web page or is
2otherwise distinguishable.

3(3) A text link that hyperlinks to a Web page on which the actual
4privacy policy is posted, if the text link is located on the homepage
5or first significant page after entering the Web site, and if the text
6link does one of the following:

7(A) Includes the word “privacy.”

8(B) Is written in capital letters equal to or greater in size than
9the surrounding text.

10(C) Is written in larger type than the surrounding text, or in
11contrasting type, font, or color to the surrounding text of the same
12size, or set off from the surrounding text of the same size by
13symbols or other marks that call attention to the language.

14(4) Any other functional hyperlink that is so displayed that a
15reasonable person would notice it.

16(5) In the case of an online service, any other reasonably
17accessible means of making the privacy policy available for
18consumers of the online service.

19(c) The term “operator” means any person or entity that owns
20a Web site located on the Internet or an online service that collects
21and maintains personally identifiable information from a consumer
22residing in California who uses or visits the Web site or online
23service if the Web site or online service is operated for commercial
24purposes. It does not include any third party that operates, hosts,
25or manages, but does not own, a Web site or online service on the
26owner’s behalf or by processing information on behalf of the
27owner.

28(d) The term “consumer” means any individual who seeks or
29acquires, by purchase or lease, any goods, services, money, or
30credit for personal, family, or household purposes.

begin insert

31(e) The term “online tracking” means the practice of collecting
32personally identifiable information about an individual consumer’s
33online activities over time and across different Web sites and online
34services.

end insert
begin delete
35

SECTION 1.  

It is the intent of the Legislature to enact
36legislation that would regulate online behavioral tracking of
37consumers.

end delete


O

    98