BILL ANALYSIS

AB 370
Page 1

ASSEMBLY THIRD READING
AB 370 (Muratsuchi)
As Amended March 19, 2013
Majority vote

BUSINESS & PROFESSIONS 12-0
Ayes: Gordon, Jones, Bocanegra, Campos, Dickinson, Eggman, Holden, Maienschein, Mullin, Skinner, Ting, Wilk

ARTS, ENTERTAINMENT, SPORTS 6-1
Ayes: Ian Calderon, Waldron, Bloom, Brown, Gomez, Levine
Nays: Wilk

SUMMARY: Requires an operator of a commercial Web site or online service collecting personally identifiable information (PII) to disclose in its online privacy policy whether or not it honors requests by consumers to disable online tracking. Specifically, this bill:

1) Requires an operator of a commercial Web site or online service that collects PII about California consumers through the Internet to disclose in its online privacy policy whether or not the operator honors or complies with a Web browser's signal or other similar mechanism that indicates a request to disable online tracking of the individual consumer who uses or visits its commercial Web site or online service.

2) Requires an operator to disclose if it does not allow third parties to conduct online tracking on the Web site or online service.

3) Defines the term "online tracking" to mean "the practice of collecting personally identifiable information about an individual consumer's online activities over time and across different Web sites and online services."

EXISTING LAW:

1) Requires an operator of a commercial Web site or online service that collects PII through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy.
(Business and Professions Code (BPC) Section 22575(a).)

2) Requires, among other things, that the privacy policy identify the categories of PII that the operator collects about individual consumers who use or visit its Web site or online service and third parties with whom the operator shares the information. (BPC 22575(b).)

FISCAL EFFECT: None. This bill is keyed non-fiscal by the Legislative Counsel.

COMMENTS:

1) Purpose of this bill. This bill requires operators of commercial Web sites and other online services that collect PII to disclose whether or not they will honor a signal from the consumer's Web browser requesting that the Web site not collect the consumer's PII. Many popular Web browsers incorporate a voluntary Do Not Track signal that a consumer can use, but Web sites are not legally required to honor that signal. This bill aims to better inform consumers as to which Web sites or online services honor the Do Not Track signal - and which do not. This bill is sponsored by the California Attorney General's Office.

2) Author's statement. According to the author, "Since the California Online Privacy Protection Act (CalOPPA) took effect [in 2004], online commerce has burgeoned and evolving technology and new business practices have raised new privacy concerns. One practice that raises privacy concerns is online tracking, also called online behavioral tracking. This is the monitoring of an individual across multiple websites to build a profile of behavior and interests. In the age of smart phones and tablets, similar tracking is also done by monitoring individuals as they use different apps and different phone features. The resulting profiles are commonly used to deliver targeted advertisements...

"This bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps.
AB 370 will allow consumers to learn from a website's privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service."

3) Growth in online tracking and data auctions. On June 17, 2012, the Wall Street Journal published an article about user-tailored advertising and the explosion in demand for consumer data collected through Web browsers. The article notes, "...[the] rapid rise in the number of companies collecting data about individuals' Web-surfing behavior is testament to the power of the $31 billion online-advertising business, which increasingly relies on data about users' Web surfing behavior to target advertisements." This tracking often goes unnoticed by consumers and is made possible by the use of "cookie" files that record the sites visited by the consumer's Web browser. The Journal notes that in one study, the average visit to a Web page triggered 56 instances of data collection. The data collected by these cookies are so valuable that online auctions have sprung up among advertisers to compete for the data.

4) The Do Not Track movement. The Federal Trade Commission in December 2010 released a preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change, which endorsed the idea of an easy-to-use, persistent, and effective Do Not Track system. In practice, a consumer wishing to communicate a Do Not Track signal to Web sites would generally do so via their Web browser controls, the presence of which would signal to a visited Web site that it should disable its tracking for that visit. The signal or "field" communicates that the consumer either opts in to or opts out of data tracking; if a choice is not made, the default would presumably communicate that the consumer has not opted out of tracking.
According to the California Attorney General's Office, "[s]ubsequently, all the major browser companies have offered Do Not Track browser headers that signal to websites an individual's choice not to be tracked. There is, however, no legal requirement for sites to honor the headers."

There was no data immediately available to suggest how frequently Web sites decline to honor a Do Not Track signal, although one list maintained by researchers at Stanford reflects a running list of Web sites that honor the Do Not Track signal - that list shows only 20 Web sites, most of which are not well-known with the exception of Twitter. This bill would mandate that Web sites that track users must also disclose if they are honoring the voluntary Do Not Track signal.

5) California Online Privacy Protection Act (CalOPPA). In 2003, the Legislature passed AB 68 (Simitian), Chapter 829, Statutes of 2003, which generally requires operators of Web sites and online services that collect PII about the users of their site to conspicuously post their privacy policies on the Web site and comply with them. CalOPPA currently requires privacy policies to identify the categories of PII collected, the categories of third parties with whom that PII may be shared, the process for consumers to review and request changes to his or her PII, and the process for notification of material changes to the policy. An operator has 30 days to comply after receiving notice of noncompliance with the posting requirement. Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California's Unfair Competition Law and may result in penalties of up to $2,500 for each violation. Any violation of this bill would be enforceable as a violation of CalOPPA.

6) Arguments in support. According to the California Attorney General's Office, "AB 370 is a transparency proposal - not a Do Not Track proposal.
When a privacy policy discloses whether or not an operator honors a Do Not Track signal from a browser, individuals may make informed decisions about their use of the site or service."

Analysis Prepared by: Hank Dempsey / B.,P. & C.P. / (916) 319-3301

FN: 0000269