BILL ANALYSIS
AB 370
Page 1
Date of Hearing: April 16, 2013
ASSEMBLY COMMITTEE ON BUSINESS, PROFESSIONS AND CONSUMER
PROTECTION
Richard S. Gordon, Chair
AB 370 (Muratsuchi) - As Amended: March 19, 2013
SUBJECT : Consumers: online tracking.
SUMMARY : Requires an operator of a commercial Web site or
online service collecting personally identifiable information
(PII) to disclose in its online privacy policy whether or not it
honors requests by consumers to disable online tracking.
Specifically, this bill :
1)Requires an operator of a commercial Web site or online
service that collects PII about California consumers through
the Internet to disclose in its online privacy policy whether
or not the operator honors or complies with a Web browser's
signal or other similar mechanism that indicates a request to
disable online tracking of the individual consumer who uses or
visits its commercial Web site or online service.
2)Requires an operator to disclose if it does not allow third
parties to conduct online tracking on the Web site or online
service.
3)Defines the term "online tracking" to mean "the practice of
collecting personally identifiable information about an
individual consumer's online activities over time and across
different Web sites and online services."
EXISTING LAW:
1)Requires an operator of a commercial Web site or online
service that collects PII through the Internet about consumers
residing in California who use or visit its commercial Web
site or online service to conspicuously post its privacy
policy on its Web site or online service and to comply with
that policy. (Business and Professions Code (BPC) Section
22575(a))
2)Requires, among other things, that the privacy policy identify
the categories of PII that the operator collects about
individual consumers who use or visit its Web site or online
service and third parties with whom the operator shares the
information. (BPC 22575(b))
3)Requires, subject to specified exceptions, a business that
discloses a customer's personal information to a third party
for direct marketing purposes to provide the customer, within
30 days after the customer's request, as specified, in writing
or by e-mail the names and addresses of the recipients of that
information and specified details regarding the information
disclosed. (Civil Code Section 1798.83)
FISCAL EFFECT : None. This bill is keyed non-fiscal by the
Legislative Counsel.
COMMENTS :
1)Purpose of this bill . This bill requires operators of
commercial Web sites and other online services that collect
PII to disclose whether or not they will honor a signal from
the consumer's Web browser requesting that the Web site not
collect the consumer's PII. Many popular Web browsers
incorporate a voluntary Do Not Track signal that a consumer
can use, but Web sites are not legally required to honor that
signal. This bill aims to better inform consumers as to which
Web sites or online services honor the Do Not Track signal -
and which do not. This bill is sponsored by the California
Attorney General's Office.
2)Author's statement . According to the author, "Since the
California Online Privacy Protection Act (CalOPPA) took effect
[in 2004], online commerce has burgeoned and evolving
technology and new business practices have raised new privacy
concerns. One practice that raises privacy concerns is online
tracking, also called online behavioral tracking. This is the
monitoring of an individual across multiple websites to build
a profile of behavior and interests. In the age of smart
phones and tablets, similar tracking is also done by
monitoring individuals as they use different apps and
different phone features. The resulting profiles are commonly
used to deliver targeted advertisements...
"This bill would increase consumer awareness of the
practice of online tracking by websites and online
services, such as mobile apps. AB 370 will allow
consumers to learn from a website's privacy policy
whether or not that website honors a Do Not Track signal.
This will allow the consumer to make an informed
decision about their use of the website or service."
3)Growth in online tracking and data auctions . On June 17,
2012, the Wall Street Journal published an article about
user-tailored advertising and the explosion in demand for
consumer data collected through web browsers. The article
notes, "...[the] rapid rise in the number of companies collecting
data about individuals' Web-surfing behavior is testament to
the power of the $31 billion online-advertising business,
which increasingly relies on data about users' Web surfing
behavior to target advertisements."
This tracking often goes unnoticed by consumers and is made
possible by the use of "cookie" files that record the sites
visited by the consumer's Web browser. The Journal notes that
in one study, the average visit to a Web page triggered 56
instances of data collection. The data collected by these
cookies are so valuable that online auctions have sprung up
among advertisers to compete for the data.
According to the article:
Despite rising privacy concerns, the online industry's
data-collection efforts have expanded in the past few
years. One reason is the popularity of online
auctions, where advertisers buy data about users' Web
browsing. [One firm] estimated that such auctions,
known as real-time bidding exchanges, contribute to
40% of online data collection.
In real-time bidding, as soon as a user visits a Web
page, the visit is auctioned to the highest bidder,
based on attributes such as the type of page visited
or previous Web browsing by the user. The bidding is
done automatically using computer algorithms.
Forrester Research estimates that real-time bidding
will constitute 18% of the online display-ad market
this year, up from 13% last year.
'It's gone from virtually zero in 2009 to about a
fifth of the entire market right now,' said Michael
Greene, a Forrester senior analyst. 'We've moved from
a traditional advertising model of buying 1,000
impressions. Now you evaluate and buy a single
impression.'
To make the auctions work, advertising companies are
racing to place tracking technology on as many Web
sites as possible. That technology gives them user and
Web-page data to sell in the auction.
4)The Do Not Track movement . The Federal Trade Commission in
December 2010 released a preliminary staff report, Protecting
Consumer Privacy in an Era of Rapid Change, that endorsed the
idea of an easy-to-use, persistent, and effective Do Not Track
system.
In practice, a consumer wishing to communicate a Do Not Track
signal to Web sites would generally do so via their Web
browser controls, the presence of which would signal to a
visited Web site that it should disable its tracking for that
visit. The signal or "field" communicates that the consumer
either opts in to or opts out of data tracking; if a choice is
not made, the default would presumably communicate that the
consumer has not opted out of tracking.
According to the California Attorney General's Office,
"[s]ubsequently, all the major browser companies have offered
Do Not Track browser headers that signal to websites an
individual's choice not to be tracked. There is, however, no
legal requirement for sites to honor the headers." There was
no data immediately available to suggest how frequently Web
sites decline to honor a Do Not Track signal, although one
list maintained by researchers at Stanford reflects a running
list of Web sites that honor the Do Not Track signal - that
list shows only 20 Web sites, most of which are not commonly
known with the exception of Twitter.
This bill would mandate that Web sites that track users must
also disclose if they are honoring the voluntary Do Not Track
signal.
5)California Online Privacy Protection Act (CalOPPA) . In 2003,
the Legislature passed AB 68 (Simitian), Chapter 829, Statutes
of 2003, which generally requires operators of Web sites and
online services that collect PII about the users of their site
to conspicuously post their privacy policies on the Web site
and comply with them.
As it stands today, CalOPPA requires privacy policies to
identify the categories of PII collected, the categories of
third parties with whom that PII may be shared, the process
for consumers to review and request changes to their PII,
and the process for notification of material changes to the
policy.
An operator has 30 days to comply after receiving notice of
noncompliance with the posting requirement. Failure to comply
with the CalOPPA requirements or the provisions of the posted
privacy policy, if knowing and willful, or negligent and
material, is actionable under California's Unfair Competition
Law and may result in penalties of up to $2,500 for each
violation. Any violation of this bill would be enforceable as
a violation of CalOPPA.
6)Arguments in support . According to the California Attorney
General's Office, "AB 370 is a transparency proposal - not a
Do Not Track proposal. When a privacy policy discloses whether
or not an operator honors a Do Not Track signal from a
browser, individuals may make informed decisions about their
use of the site or service."
7)Related legislation . AB 242 (Chau) of 2013 would require
online privacy policies mandated under CalOPPA to be no more
than 100 words, written in clear and concise language, written
at no greater than an 8th grade reading level, and include a
statement indicating whether the PII may be sold or shared
with others, and if so, how and with whom the information may
be shared. That bill is currently pending in the Assembly
Judiciary Committee.
AB 257 (Hall) of 2013 would expressly include mobile
applications in the provisions of CalOPPA, and require
operators to satisfy various privacy policy requirements for
mobile applications, including allowing consumers to access
their own collected and retained PII, imposing safeguards to
protect PII, requiring a supplemental privacy policy if an
application collects information not essential to the
application's basic function, and a requirement that the
operator provide a special notice if the application accesses
specified devices and information. AB 257 would also require
mobile application markets and advertising networks to comply
with specified privacy procedures. That bill is currently
pending in the Assembly Judiciary Committee.
SB 501 (Corbett) of 2013 would require a social networking
Web site to remove the personal identifying information of any
registered user within 96 hours after his or her request, and
would also require removal of that information in that same
manner regarding a user under 18 years of age upon request by
the user's parent. SB 501 would also impose a civil penalty,
not to exceed $10,000, for each willful and knowing violation
of these provisions. That bill is currently pending referral
in the Senate Rules Committee.
8)Double-referral . This bill is double referred, and if passed
by this Committee will be referred to the Assembly Arts,
Entertainment, Sports, Tourism, and Internet Media Committee.
REGISTERED SUPPORT / OPPOSITION :
Support
California Department of Justice, Office of the Attorney General
(sponsor)
Opposition
None on file.
Analysis Prepared by : Hank Dempsey / B.,P. & C.P. / (916)
319-3301