BILL ANALYSIS
AB 370
Page 1
Date of Hearing: April 23, 2013
ASSEMBLY COMMITTEE ON ARTS, ENTERTAINMENT, SPORTS, TOURISM, AND
INTERNET MEDIA
Ian C. Calderon, Chair
AB 370 (Muratsuchi) - As Amended: March 19, 2013
SUBJECT : Consumers: online tracking.
SUMMARY : Requires an operator of a commercial Web site or
online service collecting personally identifiable information
(PII) to disclose in its online privacy policy whether or not it
honors requests by consumers to disable online tracking.
Specifically, this bill :
1)Requires an operator of a commercial Web site or online
service that collects PII about California consumers through
the Internet to disclose in its online privacy policy whether
or not the operator honors or complies with a Web browser's
signal or other similar mechanism that indicates a request to
disable online tracking of the individual consumer who uses or
visits its commercial Web site or online service.
2)Requires an operator to disclose if it does not allow third
parties to conduct online tracking on the Web site or online
service.
3)Defines the term "online tracking" to mean "the practice of
collecting personally identifiable information about an
individual consumer's online activities over time and across
different Web sites and online services."
EXISTING LAW :
1) Requires an operator of a commercial Web site or online
service that collects PII through the Internet about consumers
residing in California who use or visit its commercial Web
site or online service to conspicuously post its privacy
policy on its Web site or online service and to comply with
that policy. [Business and Professions Code Section
22575(a).]
2)Requires, among other things, that the privacy policy identify
the categories of PII that the operator collects about
individual consumers who use or visit its Web site or online
service and third parties with whom the operator shares the
information. [Business and Professions Code Section
22575(b).]
3)Requires, subject to specified exceptions, a business that
discloses a customer's personal information to a third party
for direct marketing purposes to provide the customer, within
30 days after the customer's request, as specified, in writing
or by e-mail the names and addresses of the recipients of that
information and specified details regarding the information
disclosed. (Civil Code Section 1798.83)
FISCAL EFFECT : None. This bill is keyed non-fiscal.
COMMENTS :
1)Stated Need for Legislation and Support : According to the
author, "Since the California Online Privacy Protection Act
(CalOPPA) took effect [in 2004], online commerce has burgeoned
and evolving technology and new business practices have raised
new privacy concerns. One practice that raises privacy
concerns is online tracking, also called online behavioral
tracking. This is the monitoring of an individual across
multiple websites to build a profile of behavior and
interests. In the age of smart phones and tablets, similar
tracking is also done by monitoring individuals as they use
different apps and different phone features. The resulting
profiles are commonly used to deliver targeted advertisements.
...
"This bill would increase consumer awareness of the practice
of online tracking by websites and online services, such as
mobile apps. This bill will allow consumers to learn from a
website's privacy policy whether or not that website honors a
Do Not Track signal. This will allow the consumer to make an
informed decision about their use of the website or service."
The bill's sponsor, the California Attorney General's Office,
adds, "This bill is a transparency proposal - not a Do Not
Track proposal. When a privacy policy discloses whether or
not an operator honors a Do Not Track signal from a browser,
individuals may make informed decisions about their use of the
site or service."
Consumer Watchdog strongly believes there must ultimately be a
legal do-not-track requirement. But they support this bill,
saying, "However, in the absence of such legislation,
transparency about a service's practices is a step in the
right direction. Requiring transparency could well prompt
more companies to honor do-not-track requests. At the least
it will give consumers more information about whether data
about their online activity is gathered."
2)Background :
a) Recent Growth in Tracking and Marketing of Consumer
Online Behavior: Wall Street Journal Articles Detail the
Tracking Taking Place on the 50 Most Popular Websites :
On June 17, 2012, the Wall Street Journal published an
article about user-tailored advertising and the explosion
in demand for consumer data collected through web browsers.
The article notes, "... [the] rapid rise in the number of
companies collecting data about individuals' Web-surfing
behavior is testament to the power of the $31 billion
online-advertising business, which increasingly relies on
data about users' Web surfing behavior to target
advertisements." This tracking often goes unnoticed by
consumers and is made possible by the use of "cookie" files
that record the sites visited by the consumer's Web
browser. The Journal notes that in one study, the average
visit to a Web page triggered 56 instances of data
collection. The data collected by these cookies are so
valuable that online auctions have sprung up among
advertisers to compete for the data.
According to the article, "Despite rising privacy concerns,
the online industry's data-collection efforts have expanded
in the past few years. One reason is the popularity of
online auctions, where advertisers buy data about users'
Web browsing. [One firm] estimated that such auctions,
known as real-time bidding exchanges, contribute to 40% of
online data collection.
"In real-time bidding, as soon as a user visits a Web page,
the visit is auctioned to the highest bidder, based on
attributes such as the type of page visited or previous Web
browsing by the user. The bidding is done automatically
using computer algorithms." This is how pop-up ads for
clocks and Web sites with clocks for sale begin showing up
on your browser as you are looking online at clocks.
b) California Online Privacy Protection Act (CalOPPA).
In 2003, the Legislature passed AB 68 (Simitian), Chapter
829, Statutes of 2003, which generally requires operators
of Web sites and online services that collect PII about the
users of their site to conspicuously post their privacy
policies on the Web site and comply with them. As it
stands today, CalOPPA requires privacy policies to identify
the categories of PII collected, the categories of
third-parties with whom that PII may be shared, the process
for consumers to review and request changes to their
PII, and the process for notification of material changes
to the policy. An operator has 30 days to comply after
receiving notice of noncompliance with the posting
requirement. Failure to comply with the CalOPPA
requirements or the provisions of the posted privacy
policy, if knowing and willful, or negligent and material,
is actionable under California's Unfair Competition Law and
may result in penalties of up to $2,500 for each violation.
Any violation of this bill would be enforceable as a
violation of CalOPPA.
c) Federal Efforts to Regulate Do-Not-Track: Basis for AB
370 Implementation :
The Federal Trade Commission in December 2010 released a
preliminary staff report, Protecting Consumer Privacy in an
Era of Rapid Change, that endorsed the idea of an
easy-to-use, persistent, and effective Do Not Track system.
In practice, a consumer wishing to communicate a Do Not
Track signal to Web sites would generally do so via their
Web browser controls, the presence of which would signal to
a visited Web site that it should disable its tracking for
that visit. The signal or "field" communicates that the
consumer either opts in to or opts out of data tracking; if
a choice is not made, the default would presumably
communicate that the consumer has not opted out of
tracking.
According to the California Attorney General's Office,
"[s]ubsequently, all the major browser companies have
offered Do Not Track browser headers that signal to
websites an individual's choice not to be tracked. There
is, however, no legal requirement for sites to honor the
headers." There was no data immediately available to
suggest how frequently Web sites decline to honor a Do Not
Track signal, although one list maintained by researchers
at Stanford reflects a running list of Web sites that honor
the Do Not Track signal - that list shows only 20 Web
sites, most of which are not commonly known with the
exception of Twitter. This bill would mandate that Web
sites that track users must also disclose if they are
honoring the voluntary Do Not Track signal.
3) Prior and Related Legislation :
a) AB 242 (Chau), of the 2013-14 Legislative Session, would
require online privacy policies mandated under CalOPPA to
be no more than 100 words, written in clear and concise
language, written at no greater than an 8th grade reading
level, and include a statement indicating whether the PII
may be sold or shared with others, and if so, how and with
whom the information may be shared. Status: AB 242 is
currently pending in the Assembly Judiciary Committee.
b) AB 257 (Hall) of the 2013-14 Legislative Session, would
expressly include mobile applications in the provisions of
CalOPPA, and require operators to satisfy various privacy
policy requirements for mobile applications, including
allowing consumers to access their own collected and
retained PII, imposing safeguards to protect PII, requiring
a supplemental privacy policy if an application collects
information not essential to the application's basic
function, and a requirement that the operator provide a
special notice if the application accesses specified
devices and information. This bill would also require
mobile application markets and advertising networks to
comply with specified privacy procedures. Status: AB 257
is currently set for hearing April 23, 2013 in the Assembly
Judiciary Committee.
c) SB 501 (Corbett) of the 2013-14 Legislative Session,
would require a social networking Web site to remove the
personal identifying information of any registered user
within 96 hours after his or her request, and would also
require removal of that information in that same manner
regarding a user under 18 years of age upon request by the
user's parent. SB 501 would also impose a civil penalty,
not to exceed $10,000, for each willful and knowing
violation of these provisions. Status: SB 501 is currently
set for hearing on April 23, 2013, in the Senate Judiciary
Committee.
d) SB 761 (Lowenthal) of the 2011-12 Legislative Session,
would have required the Attorney General, by July 1, 2012,
to adopt regulations that would require online businesses
to provide California consumers with a method for the
consumer to opt out of the collection or use of his or her
information by the business. SB 761 was returned to the
Secretary of the Senate from the Senate Appropriations
Committee pursuant to Joint Rule 56.
e) AB 68 (Simitian), Chapter 829, Statutes of 2003,
requires operators of Web sites and online services that
collect PII about the users of their site to conspicuously
post their privacy policies on the Web site and comply with
them.
REGISTERED SUPPORT / OPPOSITION :
Support
California Department of Justice, Office of the Attorney General
(sponsor)
Consumer Watchdog
Opposition
None on file
Analysis Prepared by : Dana Mitchell / A.,E.,S.,T. & I.M. /
(916) 319-3450