BILL NUMBER: AB 370	ENROLLED
	BILL TEXT

	PASSED THE SENATE  AUGUST 22, 2013
	PASSED THE ASSEMBLY  AUGUST 26, 2013
	AMENDED IN SENATE  JUNE 18, 2013
	AMENDED IN SENATE  JUNE 3, 2013
	AMENDED IN ASSEMBLY  MARCH 19, 2013

INTRODUCED BY   Assembly Member Muratsuchi

                        FEBRUARY 14, 2013

   An act to amend Section 22575 of the Business and Professions
Code, relating to consumers.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 370, Muratsuchi. Consumers: internet privacy.
   Existing law requires an operator of a commercial Internet Web
site or online service that collects personally identifiable
information through the Internet about consumers residing in
California who use or visit its commercial Web site or online service
to conspicuously post its privacy policy on its Web site or online
service and to comply with that policy. Existing law, among other
things, requires that the privacy policy identify the categories of
personally identifiable information that the operator collects about
individual consumers who use or visit its Web site or online service
and 3rd parties with whom the operator shares the information.
   This bill would require an operator to disclose how it responds to
"do not track" signals or other mechanisms that provide consumers a
choice regarding the collection of personally identifiable
information about an individual consumer's online activities over
time and across different Web sites or online services. The bill
would require the operator to disclose whether other parties may
collect personally identifiable information when a consumer uses the
operator's Web site or service.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 22575 of the Business and Professions Code is
amended to read:
   22575.  (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
   (b) The privacy policy required by subdivision (a) shall do all of
the following:
   (1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
   (2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
   (3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
   (4) Identify its effective date.
   (5) Disclose how the operator responds to Web browser "do not
track" signals or other mechanisms that provide consumers the ability
to exercise choice regarding the collection of personally
identifiable information about an individual consumer's online
activities over time and across third-party Web sites or online
services, if the operator engages in that collection.
   (6) Disclose whether other parties may collect personally
identifiable information about an individual consumer's online
activities over time and across different Web sites when a consumer
uses the operator's Web site or service.
   (7) An operator may satisfy the requirement of paragraph (5) by
providing a clear and conspicuous hyperlink in the operator's privacy
policy to an online location containing a description, including the
effects, of any program or protocol the operator follows that offers
the consumer that choice.