BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 370
                                                                  Page  1

          Date of Hearing:   April 23, 2013


           ASSEMBLY COMMITTEE ON ARTS, ENTERTAINMENT, SPORTS, TOURISM, AND  
                                   INTERNET MEDIA
                               Ian C. Calderon, Chair

                  AB 370 (Muratsuchi) - As Amended:  March 19, 2013
           
            SUBJECT  :  Consumers: online tracking.

           SUMMARY  :  Requires an operator of a commercial Web site or  
          online service collecting personally identifiable information  
          (PII) to disclose in its online privacy policy whether or not it  
          honors requests by consumers to disable online tracking.   
          Specifically,  this bill  :  

          1)Requires an operator of a commercial Web site or online  
            service that collects PII about California consumers through  
            the Internet to disclose in its online privacy policy whether  
            or not the operator honors or complies with a Web browser's  
            signal or other similar mechanism that indicates a request to  
            disable online tracking of the individual consumer who uses or  
            visits its commercial Web site or online service.


          2)Requires an operator to disclose if it does not allow third  
            parties to conduct online tracking on the Web site or online  
            service. 


          3)Defines the term "online tracking" to mean "the practice of  
            collecting personally identifiable information about an  
            individual consumer's online activities over time and across  
            different Web sites and online services." 


           EXISTING LAW  :

          1) Requires an operator of a commercial Web site or online  
            service that collects PII through the Internet about consumers  
            residing in California who use or visit its commercial Web  
            site or online service to conspicuously post its privacy  
            policy on its Web site or online service and to comply with  
            that policy.  [Business and Professions Code Section  
            22575(a).] 

          2)Requires, among other things, that the privacy policy identify  
            the categories of PII that the operator collects about  
            individual consumers who use or visit its Web site or online  
            service and third parties with whom the operator shares the  
            information.  [Business and Professions Code Section  
            22575(b).] 

          3)Requires, subject to specified exceptions, a business that  
            discloses a customer's personal information to a third party  
            for direct marketing purposes to provide the customer, within  
            30 days after the customer's request, as specified, in writing  
            or by e-mail the names and addresses of the recipients of that  
            information and specified details regarding the information  
            disclosed. (Civil Code Section 1798.83) 

           FISCAL EFFECT  :  None. This bill is keyed non-fiscal.

           COMMENTS  :   

           1)Stated Need for Legislation and Support  :  According to the  
            author, "Since the California Online Privacy Protection Act  
            (CalOPPA) took effect [in 2004], online commerce has burgeoned  
            and evolving technology and new business practices have raised  
            new privacy concerns.  One practice that raises privacy  
            concerns is online tracking, also called online behavioral  
            tracking.  This is the monitoring of an individual across  
            multiple websites to build a profile of behavior and  
            interests.  In the age of smart phones and tablets, similar  
            tracking is also done by monitoring individuals as they use  
            different apps and different phone features. The resulting  
            profiles are commonly used to deliver targeted advertisements.  
            ... 

            "This bill would increase consumer awareness of the practice  
            of online tracking by websites and online services, such as  
            mobile apps.  This bill will allow consumers to learn from a  
            website's privacy policy whether or not that website honors a  
            Do Not Track signal.  This will allow the consumer to make an  
            informed decision about their use of the website or service."

            The bill's sponsor, the California Attorney General's Office,  
            adds, "This bill is a transparency proposal - not a Do Not  
            Track proposal.  When a privacy policy discloses whether or  
            not an operator honors a Do Not Track signal from a browser,  
            individuals may make informed decisions about their use of the  
            site or service." 

            Consumer Watchdog strongly believes there must ultimately be a  
            legal do-not-track requirement.  But they support this bill,  
            saying, "However, in the absence of such legislation,  
            transparency about a service's practices is a step in the  
            right direction.  Requiring transparency could well prompt  
            more companies to honor do-not-track requests.  At the least  
            it will give consumers more information about whether data  
            about their online activity is gathered."

           2)Background  : 

              a)   Recent Growth in Tracking and Marketing of Consumer  
               Online Behavior: Wall Street Journal Articles Detail the  
               Tracking Taking Place on the 50 Most Popular Websites  :

               On June 17, 2012, the Wall Street Journal published an  
               article about user-tailored advertising and the explosion  
               in demand for consumer data collected through web browsers.  
                The article notes, "... [the] rapid rise in the number of  
               companies collecting data about individuals' Web-surfing  
               behavior is testament to the power of the $31 billion  
               online-advertising business, which increasingly relies on  
               data about users' Web surfing behavior to target  
               advertisements."  This tracking often goes unnoticed by  
               consumers and is made possible by the use of "cookie" files  
               that record the sites visited by the consumer's Web  
               browser.  The Journal notes that in one study, the average  
               visit to a Web page triggered 56 instances of data  
               collection.  The data collected by these cookies are so  
               valuable that online auctions have sprung up among  
               advertisers to compete for the data. 

               According to the article, "Despite rising privacy concerns,  
               the online industry's data-collection efforts have expanded  
               in the past few years.  One reason is the popularity of  
               online auctions, where advertisers buy data about users'  
               Web browsing.  [One firm] estimated that such auctions,  
               known as real-time bidding exchanges, contribute to 40% of  
               online data collection. 

               "In real-time bidding, as soon as a user visits a Web page,  
               the visit is auctioned to the highest bidder, based on  
               attributes such as the type of page visited or previous Web  
               browsing by the user.  The bidding is done automatically  
               using computer algorithms." This is how pop-up ads for  
               clocks and Web sites with clocks for sale begin showing up  
               on your browser as you are looking online at clocks.
                
             b)   California Online Privacy Protection Act (CalOPPA).
           
               In 2003, the Legislature passed AB 68 (Simitian), Chapter  
               829, Statutes of 2003, which generally requires operators  
               of Web sites and online services that collect PII about the  
               users of their site to conspicuously post their privacy  
               policies on the Web site and comply with them.  As it  
               stands today, CalOPPA requires privacy policies to identify  
               the categories of PII collected, the categories of  
               third parties with whom that PII may be shared, the process  
               for a consumer to review and request changes to his or her  
               PII, and the process for notification of material changes  
               to the policy.  An operator has 30 days to comply after  
               receiving notice of noncompliance with the posting  
               requirement.  Failure to comply with the CalOPPA  
               requirements or the provisions of the posted privacy  
               policy, if knowing and willful, or negligent and material,  
               is actionable under California's Unfair Competition Law and  
               may result in penalties of up to $2,500 for each violation.  
                Any violation of this bill would be enforceable as a  
               violation of CalOPPA. 

              c)   Federal Efforts to Regulate Do-Not-Track: Basis for AB  
               370 Implementation  :
               
               The Federal Trade Commission in December 2010 released a  
               preliminary staff report, Protecting Consumer Privacy in an  
               Era of Rapid Change, that endorsed the idea of an      
               easy-to-use, persistent, and effective Do Not Track system.  
                In practice, a consumer wishing to communicate a Do Not  
               Track signal to Web sites would generally do so via their  
               Web browser controls, the presence of which would signal to  
               a visited Web site that it should disable its tracking for  
               that visit. The signal or "field" communicates that the  
               consumer either opts in to or opts out of data tracking; if  
               a choice is not made, the default would presumably  
               communicate that the consumer has not opted out of  
               tracking. 


               According to the California Attorney General's Office,  
               "[s]ubsequently, all the major browser companies have  
               offered Do Not Track browser headers that signal to  
               websites an individual's choice not to be tracked.  There  
               is, however, no legal requirement for sites to honor the  
               headers."  There was no data immediately available to  
               suggest how frequently Web sites decline to honor a Do Not  
               Track signal, although researchers at Stanford maintain a  
               running list of Web sites that honor the Do Not Track  
               signal; that list shows only 20 Web sites, most of which  
               are not commonly known, with the exception of Twitter.  
               This bill would mandate that Web  
               sites that track users must also disclose if they are  
               honoring the voluntary Do Not Track signal.

          3)   Prior and Related Legislation  :

             a)   AB 242 (Chau), of the 2013-14 Legislative Session, would  
               require online privacy policies mandated under CalOPPA to  
               be no more than 100 words, written in clear and concise  
               language, written at no greater than an 8th grade reading  
               level, and include a statement indicating whether the PII  
               may be sold or shared with others, and if so, how and with  
               whom the information may be shared.  Status: AB 242 is  
               currently pending in the Assembly Judiciary Committee. 

             b)   AB 257 (Hall) of the 2013-14 Legislative Session, would  
               expressly include mobile applications in the provisions of  
               CalOPPA, and require operators to satisfy various privacy  
               policy requirements for mobile applications, including  
               allowing consumers to access their own collected and  
               retained PII, imposing safeguards to protect PII, requiring  
               a supplemental privacy policy if an application collects  
               information not essential to the application's basic  
               function, and a requirement that the operator provide a  
               special notice if the application accesses specified  
               devices and information.  This bill would also require  
               mobile application markets and advertising networks to  
               comply with specified privacy procedures.  Status: AB 257  
               is currently set for hearing April 23, 2013 in the Assembly  
               Judiciary Committee. 

             c)   SB 501 (Corbett) of the 2013-14 Legislative Session,  
               would require a social networking Web site to remove the  
               personal identifying information of any registered user  
               within 96 hours after his or her request, and would also  
               require removal of that information in that same manner  
               regarding a user under 18 years of age upon request by the  
               user's parent.   SB 501 would also impose a civil penalty,  
               not to exceed $10,000, for each willful and knowing  
               violation of these provisions.  Status: SB 501 is currently  
               set for hearing on April 23, 2013, in the Senate Judiciary  
               Committee.

             d)   SB 761 (Lowenthal) of the 2011-12 Legislative Session,  
               would have required the Attorney General, by July 1, 2012,  
               to adopt regulations that would require online businesses  
               to provide California consumers with a method for the  
               consumer to opt out of the collection or use of his or her  
               information by the business.  SB 761 was returned to the  
               Secretary of the Senate from the Senate Appropriations  
               Committee pursuant to Joint Rule 56.

             e)   AB 68 (Simitian), Chapter 829, Statutes of 2003,  
               requires operators of Web sites and online services that  
               collect PII about the users of their site to conspicuously  
               post their privacy policies on the Web site and comply with  
               them.
               
           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          California Department of Justice, Office of the Attorney General  
          (sponsor)
          Consumer Watchdog

           Opposition 
           
          None on file


           Analysis Prepared by  :    Dana Mitchell / A.,E.,S.,T. & I.M. /  
          (916) 319-3450