BILL ANALYSIS



                                                                  AB 370
                                                                  Page  1

          Date of Hearing:   April 16, 2013

              ASSEMBLY COMMITTEE ON BUSINESS, PROFESSIONS AND CONSUMER  
                                     PROTECTION
                              Richard S. Gordon, Chair
                  AB 370 (Muratsuchi) - As Amended:  March 19, 2013
           
          SUBJECT  :   Consumers: online tracking.

           SUMMARY  :   Requires an operator of a commercial Web site or  
          online service collecting personally identifiable information  
          (PII) to disclose in its online privacy policy whether or not it  
          honors requests by consumers to disable online tracking.   
          Specifically,  this bill  :  

          1)Requires an operator of a commercial Web site or online  
            service that collects PII about California consumers through  
            the Internet to disclose in its online privacy policy whether  
            or not the operator honors or complies with a Web browser's  
            signal or other similar mechanism that indicates a request to  
            disable online tracking of the individual consumer who uses or  
            visits its commercial Web site or online service.

          2)Requires an operator to disclose if it does not allow third  
            parties to conduct online tracking on the Web site or online  
            service.

          3)Defines the term "online tracking" to mean "the practice of  
            collecting personally identifiable information about an  
            individual consumer's online activities over time and across  
            different Web sites and online services."

           EXISTING LAW:  
               
          1)Requires an operator of a commercial Web site or online  
            service that collects PII through the Internet about consumers  
            residing in California who use or visit its commercial Web  
            site or online service to conspicuously post its privacy  
            policy on its Web site or online service and to comply with  
            that policy. (Business and Professions Code (BPC) Section  
            22575(a))

          2)Requires, among other things, that the privacy policy identify  
            the categories of PII that the operator collects about  
            individual consumers who use or visit its Web site or online  
            service and third parties with whom the operator shares the  
            information. (BPC 22575(b))

          3)Requires, subject to specified exceptions, a business that  
            discloses a customer's personal information to a third party  
            for direct marketing purposes to provide the customer, within  
            30 days after the customer's request, as specified, in writing  
            or by e-mail the names and addresses of the recipients of that  
            information and specified details regarding the information  
            disclosed. (Civil Code Section 1798.83)

           FISCAL EFFECT  :   None. This bill is keyed non-fiscal by the  
          Legislative Counsel. 

           COMMENTS  :   

           1)Purpose of this bill  .  This bill requires operators of  
            commercial Web sites and other online services that collect  
            PII to disclose whether or not they will honor a signal from  
            the consumer's Web browser requesting that the Web site not  
            collect the consumer's PII. Many popular Web browsers  
            incorporate a voluntary Do Not Track signal that a consumer  
            can use, but Web sites are not legally required to honor that  
            signal.  This bill aims to better inform consumers as to which  
            Web sites or online services honor the Do Not Track signal -  
            and which do not.  This bill is sponsored by the California  
            Attorney General's Office.   
           
           2)Author's statement  .  According to the author, "Since the  
            California Online Privacy Protection Act (CalOPPA) took effect  
            [in 2004], online commerce has burgeoned and evolving  
            technology and new business practices have raised new privacy  
            concerns.  One practice that raises privacy concerns is online  
            tracking, also called online behavioral tracking. This is the  
            monitoring of an individual across multiple websites to build  
            a profile of behavior and interests.  In the age of smart  
            phones and tablets, similar tracking is also done by  
            monitoring individuals as they use different apps and  
            different phone features.  The resulting profiles are commonly  
            used to deliver targeted advertisements... 

            "This bill would increase consumer awareness of the  
            practice of online tracking by websites and online  
            services, such as mobile apps.  AB 370 will allow  
            consumers to learn from a website's privacy policy  
            whether or not that website honors a Do Not Track signal.  
             This will allow the consumer to make an informed  
            decision about their use of the website or service."

           3)Growth in online tracking and data auctions  .  On June 17,  
            2012, the Wall Street Journal published an article about  
            user-tailored advertising and the explosion in demand for  
            consumer data collected through web browsers. The article  
            notes, "...[the] rapid rise in the number of companies collecting  
            data about individuals' Web-surfing behavior is testament to  
            the power of the $31 billion online-advertising business,  
            which increasingly relies on data about users' Web surfing  
            behavior to target advertisements." 

          This tracking often goes unnoticed by consumers and is made  
            possible by the use of "cookie" files that record the sites  
            visited by the consumer's Web browser. The Journal notes that  
            in one study, the average visit to a Web page triggered 56  
            instances of data collection. The data collected by these  
            cookies are so valuable that online auctions have sprung up  
            among advertisers to compete for the data.   

          According to the article:
             
               Despite rising privacy concerns, the online industry's  
               data-collection efforts have expanded in the past few  
               years. One reason is the popularity of online  
               auctions, where advertisers buy data about users' Web  
               browsing. [One firm] estimated that such auctions,  
               known as real-time bidding exchanges, contribute to  
               40% of online data collection.

               In real-time bidding, as soon as a user visits a Web  
               page, the visit is auctioned to the highest bidder,  
               based on attributes such as the type of page visited  
               or previous Web browsing by the user.  The bidding is  
               done automatically using computer algorithms.

               Forrester Research estimates that real-time bidding  
               will constitute 18% of the online display-ad market  
               this year, up from 13% last year. 

               'It's gone from virtually zero in 2009 to about a  
               fifth of the entire market right now,' said Michael  
               Greene, a Forrester senior analyst. 'We've moved from  
               a traditional advertising model of buying 1,000  
               impressions. Now you evaluate and buy a single  
               impression.'

               To make the auctions work, advertising companies are  
               racing to place tracking technology on as many Web  
               sites as possible. That technology gives them user and  
               Web-page data to sell in the auction.

           4)The Do Not Track movement  .  The Federal Trade Commission in  
            December 2010 released a preliminary staff report, Protecting  
            Consumer Privacy in an Era of Rapid Change, that endorsed the  
            idea of an easy-to-use, persistent, and effective Do Not Track  
            system. 

          In practice, a consumer wishing to communicate a Do Not Track  
            signal to Web sites would generally do so via their Web  
            browser controls, the presence of which would signal to a  
            visited Web site that it should disable its tracking for that  
            visit. The signal or "field" communicates that the consumer  
            either opts in to or opts out of data tracking; if a choice is  
            not made, the default would presumably communicate that the  
            consumer has not opted out of tracking.  

          According to the California Attorney General's Office,  
            "[s]ubsequently, all the major browser companies have offered  
            Do Not Track browser headers that signal to websites an  
            individual's choice not to be tracked. There is, however, no  
            legal requirement for sites to honor the headers." There was  
            no data immediately available to suggest how frequently Web  
            sites decline to honor a Do Not Track signal, although  
            researchers at Stanford maintain a running list of Web sites  
            that honor the Do Not Track signal. That list shows only 20  
            Web sites, most of which, with the exception of Twitter, are  
            not commonly known.  

          This bill would mandate that Web sites that track users must  
            also disclose if they are honoring the voluntary Do Not Track  
            signal.  
            
           5)California Online Privacy Protection Act (CalOPPA)  .  In 2003,  
            the Legislature passed AB 68 (Simitian), Chapter 829, Statutes  
            of 2003, which generally requires operators of Web sites and  
            online services that collect PII about the users of their site  
            to conspicuously post their privacy policies on the Web site  
            and comply with them. 

          As it stands today, CalOPPA requires privacy policies to  
            identify the categories of PII collected, the categories of  
            third parties with whom that PII may be shared, the process  
            for a consumer to review and request changes to his or her PII,  
            and the process for notification of material changes to the  
            policy. 

          An operator has 30 days to comply after receiving notice of  
            noncompliance with the posting requirement. Failure to comply  
            with the CalOPPA requirements or the provisions of the posted  
            privacy policy, if knowing and willful, or negligent and  
            material, is actionable under California's Unfair Competition  
            Law and may result in penalties of up to $2,500 for each  
            violation.  Any violation of this bill would be enforceable as  
            a violation of CalOPPA.

           6)Arguments in support  .  According to the California Attorney  
            General's Office, "AB 370 is a transparency proposal - not a  
            Do Not Track proposal. When a privacy policy discloses whether  
            or not an operator honors a Do Not Track signal from a  
            browser, individuals may make informed decisions about their  
            use of the site or service."

           7)Related legislation  .  AB 242 (Chau) of 2013 would require  
            online privacy policies mandated under CalOPPA to be no more  
            than 100 words, written in clear and concise language, written  
            at no greater than an 8th grade reading level, and include a  
            statement indicating whether the PII may be sold or shared  
            with others, and if so, how and with whom the information may  
            be shared.  That bill is currently pending in the Assembly  
            Judiciary Committee. 

            AB 257 (Hall) of 2013 would expressly include mobile  
            applications in the provisions of CalOPPA, and require  
            operators to satisfy various privacy policy requirements for  
            mobile applications, including allowing consumers to access  
            their own collected and retained PII, imposing safeguards to  
            protect PII, requiring a supplemental privacy policy if an  
            application collects information not essential to the  
            application's basic function, and a requirement that the  
            operator provide a special notice if the application accesses  
            specified devices and information. AB 257 would also require  
            mobile application markets and advertising networks to comply  
            with specified privacy procedures.  That bill is currently  
            pending in the Assembly Judiciary Committee. 

            SB 501 (Corbett) of 2013 would require a social networking  
            Web site to remove the personal identifying information of any  
            registered user within 96 hours after his or her request, and  
            would also require removal of that information in that same  
            manner regarding a user under 18 years of age upon request by  
            the user's parent. SB 501 would also impose a civil penalty,  
            not to exceed $10,000, for each willful and knowing violation  
            of these provisions.  That bill is currently pending referral  
            in the Senate Rules Committee. 

           8)Double-referral . This bill is double referred, and if passed  
            by this Committee will be referred to the Assembly Arts,  
            Entertainment, Sports, Tourism, and Internet Media Committee. 

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          California Department of Justice, Office of the Attorney General  
          (sponsor)

           Opposition 
           
          None on file. 
           
          Analysis Prepared by  :    Hank Dempsey / B.,P. & C.P. / (916)  
          319-3301