BILL NUMBER: AB 370	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  MARCH 19, 2013

INTRODUCED BY   Assembly Member Muratsuchi

                        FEBRUARY 14, 2013

   An act to amend Sections 22575 and 22577 of the Business and
Professions Code, relating to consumers.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 370, as amended, Muratsuchi. Consumers: online tracking. 
   Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about consumers residing in California who use
or visit its commercial Web site or online service to conspicuously
post its privacy policy on its Web site or online service and to
comply with that policy. Existing law, among other things, requires
that the privacy policy identify the categories of personally
identifiable information that the operator collects about individual
consumers who use or visit its Web site or online service and 3rd
parties with whom the operator shares the information.  
   This bill would require an operator to disclose whether or not it
honors a request from a consumer to disable online tracking, as
defined, of the consumer who visits or uses its commercial Web site
or online service. The bill would also require an operator to
disclose if it does not allow 3rd parties to conduct online tracking
on the commercial Web site or online service.  
   Existing law, subject to specified exceptions, requires a business
that discloses a customer's personal information to a 3rd party for
direct marketing purposes to provide the customer, within 30 days
after the customer's request, as specified, in writing or by e-mail
the names and addresses of the recipients of that information and
specified details regarding the information disclosed. 

   This bill would declare the intent of the Legislature to enact
legislation that would regulate online behavioral tracking of
consumers. 
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1. Section 22575 of the Business and Professions Code is
amended to read:

   22575.  (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
   (b) The privacy policy required by subdivision (a) shall do all of
the following:
   (1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information. 
   (2) Disclose whether or not the operator honors or complies with a
Web browser's signal or other similar mechanism that indicates a
request to disable online tracking of the individual consumer who
uses or visits its commercial Web site or online service, or, if the
operator does not allow third parties to conduct online tracking on
the Web site or service, to disclose that fact.  
   (3) If the operator maintains a process for an
individual consumer who uses or visits its commercial Web site or
online service to review and request changes to any of his or her
personally identifiable information that is collected through the Web
site or online service, provide a description of that process.

   (4) Describe the process by which the operator notifies
consumers who use or visit its commercial Web site or online service
of material changes to the operator's privacy policy for that Web
site or online service. 
   (5) Identify its effective date.
   SEC. 2. Section 22577 of the Business and Professions Code is
amended to read:
   22577.  For the purposes of this chapter, the following
definitions apply:
   (a) The term "personally identifiable information" means
individually identifiable information about an individual consumer
collected online by the operator from that individual and maintained
by the operator in an accessible form, including any of the
following:
   (1) A first and last name.
   (2) A home or other physical address, including street name and
name of a city or town.
   (3) An e-mail address.
   (4) A telephone number.
   (5) A social security number.
   (6) Any other identifier that permits the physical or online
contacting of a specific individual.
   (7) Information concerning a user that the Web site or online
service collects online from the user and maintains in personally
identifiable form in combination with an identifier described in this
subdivision.
   (b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
   (1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
   (2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
   (3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
   (A) Includes the word "privacy."
   (B) Is written in capital letters equal to or greater in size than
the surrounding text.
   (C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
   (4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
   (5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.
   (c) The term "operator" means any person or entity that owns a Web
site located on the Internet or an online service that collects and
maintains personally identifiable information from a consumer
residing in California who uses or visits the Web site or online
service if the Web site or online service is operated for commercial
purposes. It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the
owner's behalf or by processing information on behalf of the owner.
   (d) The term "consumer" means any individual who seeks or
acquires, by purchase or lease, any goods, services, money, or credit
for personal, family, or household purposes. 
   (e) The term "online tracking" means the practice of collecting
personally identifiable information about an individual consumer's
online activities over time and across different Web sites and online
services.  
  SECTION 1.    It is the intent of the Legislature
to enact legislation that would regulate online behavioral tracking
of consumers.