AB 370, as amended, Muratsuchi. Consumers: online tracking.
Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.
This bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking, as defined, of the consumer who visits or uses its commercial Web site or online
service. The bill would also require an operator to disclose if itbegin delete does not allowend deletebegin insert allowsend insert 3rd parties to conduct online tracking on the commercial Web site or online servicebegin insert and whether there is a means to disable this trackingend insert.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 22575 of the Business and Professions
2Code is amended to read:
(a) An operator of a commercial Web site or online
4service that collects personally identifiable information through
5the Internet about individual consumers residing in California who
6use or visit its commercial Web site or online service shall
7conspicuously post its privacy policy on its Web site, or in the case
8of an operator of an online service, make that policy available in
9accordance with paragraph (5) of subdivision (b) of Section 22577.
10An operator shall be in violation of this subdivision only if the
11operator fails to post its policy within 30 days after being notified
12of noncompliance.
13(b) The privacy policy required by subdivision (a) shall do
all
14of the following:
15(1) Identify the categories of personally identifiable information
16that the operator collects through the Web site or online service
17about individual consumers who use or visit its commercial Web
18site or online service and the categories of third-party persons or
19entities with whom the operator may share that personally
20identifiable information.
21(2) Disclose whether or not the operator honors or complies
22with a Web browser’s signal or other similar mechanism that
23indicates a request to disable online tracking of the individual
24consumer who uses or visits its commercial Web site or online
25service, or, if the operator does not allow third parties to conduct
26online tracking on the Web site or service, to disclose that fact.
28 27(3)
end delete
28begin insert(2)end insert If the operator maintains a process for an individual
29consumer who uses or visits its commercial Web site or online
30service to review and request changes to any of his or her
31personally identifiable information that is collected through the
32Web site or online service, provide a description of that process.
4 33(4)
end delete
34begin insert(3)end insert Describe the process by which the operator notifies
35consumers who use or visit its commercial Web site or online
P3 1service of
material changes to the operator’s privacy policy for
2that Web site or online service.
9 3(5)
end delete4begin insert(4)end insert Identify its effective date.
begin insert
5(5) Disclose how the operator responds to Web browser “do
6not track” signals or other similar mechanisms regarding online
7tracking, as defined in subdivision (e) of Section 22577, when an
8individual consumer uses or visits the commercial Web site or
9online service.
10(6) Disclose whether other parties on the operator’s commercial
11Web site or online service are or may be conducting online
12tracking, as defined in subdivision (e) of Section 22577, and what,
13if any, program, solution, protocol, or mechanism the operator
14follows that offers consumers who use or visit its commercial Web
15site or online service the ability to exercise a choice regarding
16whether to permit this collection. The operator shall also offer
17information regarding how the consumer can use the program,
18solution, protocol, or mechanism.
Section 22577 of the Business and Professions Code
20 is amended to read:
For the purposes of this chapter, the following
22definitions apply:
23(a) The term “personally identifiable information” means
24individually identifiable information about an individual consumer
25collected online by the operator from that individual and
26maintained by the operator in an accessible form, including any
27of the following:
28(1) A first and last name.
29(2) A home or other physical address, including street name and
30name of a city or town.
31(3) An e-mail address.
32(4) A telephone number.
33(5) A social security number.
34(6) Any other identifier that permits the physical or online
35contacting of a specific individual.
36(7) Information concerning a user that the Web site or online
37service collects online from the user and maintains in personally
38identifiable form in combination with an identifier described in
39this subdivision.
P4 1(b) The term “conspicuously post” with respect to a privacy
2policy shall include posting the privacy policy through any of the
3following:
4(1) A Web page on which the actual
privacy policy is posted if
5the Web page is the homepage or first significant page after
6entering the Web site.
7(2) An icon that hyperlinks to a Web page on which the actual
8privacy policy is posted, if the icon is located on the homepage or
9the first significant page after entering the Web site, and if the icon
10contains the word “privacy.” The icon shall also use a color that
11contrasts with the background color of the Web page or is
12otherwise distinguishable.
13(3) A text link that hyperlinks to a Web page on which the actual
14privacy policy is posted, if the text link is located on the homepage
15or first significant page after entering the Web site, and if the text
16link does one of the following:
17(A) Includes the word “privacy.”
18(B) Is written in capital letters equal to or greater in size than
19the surrounding text.
20(C) Is written in larger type than the surrounding text, or in
21contrasting type, font, or color to the surrounding text of the same
22size, or set off from the surrounding text of the same size by
23symbols or other marks that call attention to the language.
24(4) Any other functional hyperlink that is so displayed that a
25reasonable person would notice it.
26(5) In the case of an online service, any other reasonably
27accessible means of making the privacy policy available for
28consumers of the online service.
29(c) The term “operator” means any person or entity that owns
30a Web site located on the Internet or an online service that collects
31and maintains personally identifiable information from a consumer
32residing in California who uses or visits the Web site or online
33service if the Web site or online service is operated for commercial
34purposes. It does not include any third party that operates, hosts,
35or manages, but does not own, a Web site or online service on the
36owner’s behalf or by processing information on behalf of the
37owner.
38(d) The term “consumer” means any individual who seeks or
39acquires, by purchase or lease, any goods, services, money, or
40credit for personal, family, or household purposes.
P5 1(e) The term “online tracking” means the practice of collecting
2personally
identifiable information about an individual consumer’s
3online activities over time and across different Web sites and online
4begin delete services.end deletebegin insert services, for any use other than the internal business
5purposes of the commercial Web site or online service through
6which the tracking is conducted.end insert
7(f) The term “internal business purposes” means those activities
8necessary to maintain or analyze the functioning of the commercial
9Web site or online service, perform network communications,
10authenticate users of the commercial Web site or online service,
11and ensure legal or regulatory compliance, provided that the
12information collected for these activities is not used or
disclosed
13for any other purpose.
O
97