Amended in Senate June 18, 2013

Amended in Senate June 3, 2013

Amended in Assembly March 19, 2013

California Legislature—2013–14 Regular Session

Assembly Bill No. 370


Introduced by Assembly Member Muratsuchi

February 14, 2013


An act to amend begin delete Sections 22575 and 22577 end delete begin insert Section 22575 end insert of the Business and Professions Code, relating to consumers.

LEGISLATIVE COUNSEL’S DIGEST

AB 370, as amended, Muratsuchi. Consumers: begin delete online tracking. end delete begin insert internet privacy. end insert

Existing law requires an operator of a commercial begin insert Internet end insert Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

This bill would require an operator to disclose begin delete whether or not it honors a request from a consumer to disable online tracking, as defined, of the consumer who visits or uses its commercial Web site or online service. The bill would also require an operator to disclose if it allows 3rd parties to conduct online tracking on the commercial Web site or online service and whether there is a means to disable this tracking. end delete begin insert how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different Web sites or online services. The bill would require the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service. end insert

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 22575 of the Business and Professions Code is amended to read:

22575. (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

(4) Identify its effective date.

(5) Disclose how the operator responds to Web browser “do not track” signals or other begin delete similar end delete mechanisms begin insert that provide consumers the ability to exercise choice end insert regarding begin delete online tracking, as defined in subdivision (e) of Section 22577, when an individual consumer uses or visits the commercial Web site or online service end delete begin insert the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection end insert.

(6) Disclose whether other parties begin delete on the operator’s commercial Web site or online service are or may be conducting online tracking, as defined in subdivision (e) of Section 22577, and what, if any, program, solution, protocol, or mechanism the operator follows that offers consumers who use or visit its commercial Web site or online service the ability to exercise a choice regarding whether to permit this collection. The operator shall also offer information regarding how the consumer can use the program, solution, protocol, or mechanism end delete begin insert may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service end insert.

begin insert

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

end insert
begin delete
SEC. 2. Section 22577 of the Business and Professions Code is amended to read:

22577. For the purposes of this chapter, the following definitions apply:

(a) The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b) The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

(A) Includes the word “privacy.”

(B) Is written in capital letters equal to or greater in size than the surrounding text.

(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

(c) The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.

(d) The term “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

(e) The term “online tracking” means the practice of collecting personally identifiable information about an individual consumer’s online activities over time and across different Web sites and online services, for any use other than the internal business purposes of the commercial Web site or online service through which the tracking is conducted.

(f) The term “internal business purposes” means those activities necessary to maintain or analyze the functioning of the commercial Web site or online service, perform network communications, authenticate users of the commercial Web site or online service, and ensure legal or regulatory compliance, provided that the information collected for these activities is not used or disclosed for any other purpose.

end delete

