BILL ANALYSIS
-----------------------------------------------------------------------
|Hearing Date: June 10, 2013 |Bill No: AB 370 |
-----------------------------------------------------------------------
SENATE COMMITTEE ON BUSINESS, PROFESSIONS
AND ECONOMIC DEVELOPMENT
Senator Ted W. Lieu, Chair
Bill No: AB 370 Author: Muratsuchi
As Amended: June 3, 2013 Fiscal: No
SUBJECT: Consumers: online tracking.
SUMMARY: Requires the privacy policy posted by an operator of a
commercial Web site or online service that collects personally
identifiable information to disclose to a consumer who uses or visits
the Web site or online service how the operator responds to Web
browser "do not track" signals or other similar mechanisms regarding
online tracking, as defined; to disclose whether other parties on
the operator's commercial Web site or online service may be conducting
online tracking; and to tell the consumer what process, procedure or
mechanism of the operator may be used to exercise a choice as to
whether or not to permit the collection.
Existing law:
1)Requires an operator of a commercial Web site or online service that
collects personally identifiable information (PII) through the
Internet about consumers residing in California who use or visit its
commercial Web site or online service to conspicuously post its
privacy policy on its Web site, or in the case of an operator of an
online service, to make that policy available, as specified.
(Business and Professions Code (BPC) §§ 22575(a) and 22577(b)(5))
2)Provides that an operator shall be in violation of the provision in
Item # 1) above, only if the operator fails to post its [privacy]
policy within 30 days after being notified of noncompliance.
3)Specifies that the privacy policy shall include the following: (BPC
§ 22575(b))
a) What PII the operator collects about individual consumers
and the categories of third-party persons or entities with whom
the operator may share the PII.
b) A description of the process, if maintained by the operator,
in which the consumer may review and request changes to any of
his or her PII that is collected through the Web site or online
service.
c) A description of the process by which the operator notifies
consumers who use or visit its commercial Web site or online
service of material changes to the operator's privacy policy for
that Web site or online service.
d) Identify the effective date of the privacy policy.
4)Defines the following terms: (BPC § 22577)
a) "Personally identifiable information" (PII) as that which is
collected online by an operator, including first and last name,
home address, email address, telephone number, social security
number and any other unique identifier.
b) "Conspicuously post," with respect to the privacy policy,
includes posting the privacy policy, as specified.
c) "Operator" means any person or entity that owns a Web site
located on the Internet or an online service that maintains and
collects PII from a consumer residing in California who uses or
visits the Web site or online service and the Web site or online
service is used for commercial purposes.
d) "Consumer" means any individual who seeks or acquires, by
purchase or lease, any goods, services, money, or credit for
personal, family, or household purposes.
This bill:
1) Provides that as part of the privacy policy, the operator disclose
how they respond to Web browser "do not track" signals or other
similar mechanisms regarding online tracking, as defined, when an
individual consumer uses or visits the commercial Web site or online
service.
2) Provides that as part of the privacy policy, the operator disclose
whether other parties on the operator's commercial Web site or
online service are or may be conducting online tracking, as
defined, and what, if any program, solution, protocol, or mechanism
the operator follows that offers consumers who use or visit its
commercial Web site, or online service, the ability to exercise a
choice regarding whether to permit this collection, and also offer
information regarding how the consumer can use the program,
solution, protocol, or mechanism.
3) Specifies that the term "online tracking" means the practice of
collecting PII about an individual consumer's online activities
over time and across different Web sites and online services, for
any use other than the internal business purposes of the commercial
Web site or online service, through which tracking is conducted.
4) Specifies that the term "internal business purposes" means those
activities necessary to maintain or analyze the functioning of the
commercial Web site or online service, perform network
communications, authenticate users of the commercial Web site or
online service, and ensure legal or regulatory compliance, provided
that the information collected for these activities is not used or
disclosed for any other purpose.
FISCAL EFFECT: This bill has been keyed "non-fiscal" by Legislative
Counsel.
COMMENTS:
1.Purpose. The California Office of the Attorney General (AG) is the
Sponsor of this measure. According to the AG, this bill will
increase awareness of online behavioral tracking and allow
Californians to make informed decisions. This bill amends the
California Online Privacy Protection Act (CalOPPA) to require a
commercial Web site or online service to disclose the following
information in its privacy policy: (1) how it responds to an
individual's request to disable online tracking; (2) whether third
parties are or may be conducting online tracking on the site; and
(3) what options are available to consumers who choose not to be
tracked across Web sites.
As indicated by the AG, CalOPPA requires the operator of a commercial
Web site or online service that collects PII from California
residents to conspicuously post a privacy policy. This is the only
general requirement for a privacy policy in the nation. CalOPPA
imposes limited content requirements for a privacy policy, and
requires an operator to comply with practices represented in its
privacy policy.
Since CalOPPA took effect, as stated by the AG, online commerce has
burgeoned and evolving technology and new business practices have
raised new privacy concerns. One practice that raises privacy
concerns is online tracking, or online behavioral tracking; the
monitoring of an individual across multiple Web sites to build a
profile of behavior and interests. In the age of mobile computing,
similar tracking is done by monitoring individuals as they use
different apps and different phone features. The resulting profiles
are commonly used to deliver targeted advertisements.
2.California Online Privacy Protection Act (CalOPPA). In 2003, the
Legislature passed AB 68 (Simitian, Chapter 829, Statutes of 2003),
which generally
requires operators of Web sites and online services that collect PII
about the users of their site to conspicuously post their privacy
policies on the Web site and comply with them.
As it stands today, CalOPPA requires privacy policies to identify the
categories of PII collected, the categories of third parties with
whom that PII may be shared, the process for a consumer to review and
request changes to his or her PII, and the process for notification
of material changes to the policy.
An operator has 30 days to comply after receiving notice of
noncompliance with the posting requirement. Failure to comply with
the CalOPPA requirements or the provisions of the posted privacy
policy, if knowing and willful, or negligent and material, is
actionable under California's Unfair Competition Law and may result
in penalties of up to $2,500 for each violation. Any violation of
this bill would be enforceable as a violation of CalOPPA.
3.Growth in Online Tracking and Data Auctions. According to the AG,
online tracking is pervasive. "What They Know," a series of
articles published in the Wall Street Journal starting in 2010,
reported on an investigation of the tracking on the 50 most popular
Web sites in the country. Those sites installed 3,180 tracking
files on a computer used to visit them; 12 of those sites installed
more than 100 tracking tools each.
Profiles of individuals created from tracking data are bought and
sold in the marketplace of analytics companies, data brokers, and
advertising networks. Online tracking data can be combined with
information obtained from offline records. The profiles are not
only used for targeted advertising, but also for tailored offers at
different prices based on statistically generated assumptions. The
presence of trackers on Web sites is generally invisible to site
users. In addition to "cookies" that record sites visited, there are
more sophisticated trackers, including some that can "re-spawn" even
after users try to delete them.
On June 17, 2012, the Wall Street Journal published another article
about user-tailored advertising and the explosion in demand for
consumer data collected through Web browsers. The article notes,
"...[the] rapid rise in the number of companies collecting data about
individuals' Web-surfing behavior is testament to the power of the
$31 billion online-advertising business, which increasingly relies
on data about users' Web surfing behavior to target advertisements."
This tracking often goes unnoticed by consumers and is made possible
by the use of "cookie" files that record the sites visited by the
consumer's Web browser. The Journal notes that in one study, the
average visit to a Web page triggered 56 instances of data
collection. The data collected by these cookies are so valuable that
online auctions have sprung up among advertisers to compete for the
data.
According to the article:
Despite rising privacy concerns, the online industry's
data-collection efforts have expanded in the past few years.
One reason is the popularity of online auctions, where
advertisers buy data about users' Web browsing. [One firm]
estimated that such auctions, known as real-time bidding
exchanges, contribute to 40% of online data collection.
In real-time bidding, as soon as a user visits a Web page,
the visit is auctioned to the highest bidder, based on
attributes such as the type of page visited or previous Web
browsing by the user. The bidding is done automatically
using computer algorithms. For example, this is how pop-up
ads for clocks and Web sites with clocks for sale begin
showing up on your browser as you are looking online at
clocks.
Forrester Research estimates that real-time bidding will
constitute 18% of the online display-ad market this year, up
from 13% last year. "It's gone from virtually zero in 2009
to about a fifth of the entire market right now," said
Michael Greene, a Forrester senior analyst. "We've moved
from a traditional advertising model of buying 1,000
impressions. Now you evaluate and buy a single impression."
To make the auctions work, advertising companies are racing
to place tracking technology on as many Web sites as
possible. That technology gives them user and Web-page data
to sell in the auction.
4.Efforts Regarding Do Not Track. There has been some progress toward
providing Web site users with more control over targeted
advertising. The Digital Advertising Alliance, a coalition of media
and marketing organizations, has an icon-based program that gives
individuals an opportunity to learn about, and opt-out of, receipt
of online behavioral advertising. The program is voluntary for
operators, and at this point, it does not allow Web site users to
choose not to be tracked. The Federal Trade Commission (FTC), in
its March 2012 report titled Protecting Consumer Privacy in an Era
of Rapid Change, endorsed the implementation of an easy-to-use,
persistent, and effective Do Not Track system.
In practice, a consumer wishing to communicate a Do Not Track signal
to Web sites would generally do so via their Web browser controls,
the presence of which would signal to a visited Web site that it
should disable its tracking for that visit. The signal or "field"
communicates that the consumer either opts in to or opts out of data
tracking; if a choice is not made, the default would presumably
communicate that the consumer has not opted out of tracking.
According to the AG, "[s]ubsequently, all of the major browser
companies have offered Do Not Track browser headers that signal to
Web sites an individual's choice not to be tracked. There is,
however, no legal requirement for sites to honor an individual's Do
Not Track choices."
There was no data immediately available to suggest how frequently
Web sites decline to honor a Do Not Track signal, although one list
maintained by researchers at Stanford reflects a running list of Web
sites that honor the Do Not Track signal - that list shows only 20
Web sites, most of which are not commonly known with the exception
of Twitter.
5.World Wide Web Consortium (W3C). The W3C is an Internet
standards-setting organization for the World Wide Web. It was founded
and is currently led by Tim Berners-Lee, who invented the World Wide
Web over 20 years ago and is located at the Massachusetts Institute of
Technology (MIT). The consortium is made up of member organizations
which maintain full-time staff for the purpose of working together
in the development of standards for the World Wide Web. As of April
12, 2013, the W3C has 379 members including businesses, nonprofit
organizations, universities, governmental entities, and individuals.
W3C tries to enforce compatibility and agreement among industry
members in the adoption of new standards defined by the W3C.
W3C has been criticized as being dominated by larger organizations and
thus producing standards that represent their interests. For example, a
member of the Web Content Accessibility Guidelines Working Group
complained that, "The process is stacked in favor of multinationals
with expense accounts who can afford to talk on the phone for two
hours a week and jet to world capitals for meetings." A similar
criticism, responding to large software company complaints about the
slow pace of W3C's formulation of Web services standards, appeared
in Cnet's news.com: "I'm not convinced that developers are too
bothered," said Ed Dumbill, editor of XML.com, who has worked as a
software developer on Web services. "I think developers are being
poorly served by the fact that the big companies have dominated the
work of W3C over the last year. The W3C does more or less what its
members tell it to do. So I don't have a huge amount of sympathy
for the complaints of large companies."
Consumer Watchdog has indicated that in regards to Do Not Track, W3C
is trying to develop specifications for how technically a Do Not
Track message should be sent and what the compliance obligations
would be for a Web site that received the message. The W3C talks
have gone on for a year-and-a-half without reaching a result.
6.Recent Amendments Attempt to Address Industry Concerns and Privacy
Advocates. The AG indicates that this measure was recently amended
to clarify the transparency requirements for a first party Web site
or online service visited by a consumer and for third parties that
are tracking the visitor on the first party's site. The amendments
draw upon discussions with industry representatives and privacy
advocates.
The definition of "online tracking" is amended to exclude
tracking for "internal business purposes" of the first-party
operator, such as network communications and user
authentication. This exemption is consistent with the emphasis
on simplifying consumer choice in the federal government's 2012
privacy reports. The categories of business purposes are based
on the 2012 revision of the federal Children's Online Privacy
Protection Act rule, and on exemptions in California privacy
laws on driver's license scanning, supermarket club cards,
and financial information privacy.
Instead of the previous bill language that required an
operator to disclose whether or not it "honors or complies
with" a Do Not Track browser signal, the amendments require an
operator to disclose how it responds to such a signal. The
change, which was suggested by the industry, is intended to
provide disclosure that will be more helpful to consumers than
just a simple "yes or no" statement.
In response to industry concerns about first party Web
site operators being held responsible for the actions of third
party "trackers" that they cannot always control, the
amendments simply require a Web site operator to disclose
whether third parties are or may be conducting online tracking
on the site. As also suggested by the industry, the amendments
require a web site operator to inform consumers about what
options are available to them to choose not to be tracked
across Web sites.
7.Prior and Related Legislation. AB 242 (Chau), of the 2013-14
Legislative Session, would require online privacy policies mandated
under CalOPPA to be no more than 100 words, written in clear and
concise language, written at no greater than an 8th grade reading
level, and include a statement indicating whether the PII may be
sold or shared with others, and if so, how and with whom the
information may be shared. (Status: AB 242 is currently pending in
the Assembly Judiciary Committee.)
AB 257 (Hall) of the 2013-14 Legislative Session, would expressly
include mobile applications in the provisions of CalOPPA, and
require operators to satisfy various privacy policy requirements for
mobile applications, including allowing consumers to access their
own collected and retained PII, imposing safeguards to protect PII,
requiring a supplemental privacy policy if an application collects
information not essential to the application's basic function, and a
requirement that the operator provide a special notice if the
application accesses specified devices and information. This bill
would also require mobile application markets and advertising
networks to comply with specified privacy procedures.
(Status: AB 257 is currently pending in the Assembly Judiciary
Committee.)
SB 501 (Corbett) of the 2013-14 Legislative Session, would require a
social networking Internet Web site, as defined, to remove the
personal identifying information of any registered user, as defined,
within 96 hours after his or her request, and would also require
removal of that information in that same manner regarding a user
under 18 years of age upon request by the user's parent or legal
guardian. SB 501 would also impose a civil penalty, not to exceed
$10,000, for each willful and knowing violation of these provisions.
(Status: SB 501 is currently pending in the Assembly and has been
referred to the Arts, Entertainment, Sports, Tourism and Internet
Media Committee and the Judiciary Committee.)
SB 761 (Lowenthal) of the 2011-12 Legislative Session, would have
required the Attorney General, by July 1, 2012, to adopt regulations
that would require online businesses to provide California consumers
with a method for the consumer to opt out of the collection or use
of his or her information by the business. (Status: SB 761 was
held in the Senate Appropriations Committee.)
AB 68 (Simitian, Chapter 829, Statutes of 2003) requires operators
of Web sites and online services that collect PII about the users of
their site to conspicuously post their privacy policies on the Web
site and comply with them.
8.Arguments in Support. Consumer Watchdog (CW) expresses its support
for AB 370 which would increase awareness of online tracking, and
allow Californians to make better-informed choices about using
online services and Web sites based on the services' privacy
practices and whether they allow tracking. CW strongly believes
that consumers must have the right to opt out of such tracking and
sponsored SB 761 introduced in 2011 that would have required a Do
Not Track mechanism and required companies to honor it. It was not
enacted. At the federal level Sen. Jay Rockefeller and Sen. Richard
Blumenthal have just introduced Do Not Track legislation that CW
supports, which would empower the Federal Trade Commission to enact
Do Not Track regulations and enforce them. CW further states that
AB 370 is a transparency proposal - not a Do Not Track proposal.
When a privacy policy discloses whether or not an operator honors a
Do Not Track signal from a browser, individuals may make informed
decisions about their use of the site or the service. CW strongly
believes that there must ultimately be a legal Do Not Track
requirement. However, in the absence of such legislation,
transparency about a service's practices is a step in the right
direction. Requiring transparency could well prompt companies to
compete based on their privacy practices.
AB 370 will likely prompt more companies to honor Do Not Track
requests. At the least it will give consumers more information
about whether data about their online activity is gathered.
Microsoft also writes in support of AB 370 as amended and applauds the
Author and the AG for their attention to individual privacy and
transparency. As a leading provider of software and online
services, Microsoft is committed to creating a trusted environment
for Internet users, and protection of individual privacy is at the
core of this commitment. Microsoft believes that organizations
should be responsible and accountable for how they collect, use, and
protect personal information while helping individuals better manage
the information they share online. As part of a longstanding
commitment to privacy, Microsoft provides resources to help
individuals protect their online information. Microsoft
believes that government and industry must partner to protect
consumers' privacy and data security while still enabling and
fostering innovation, productivity, and cost-efficiency offered by
new technology.
9.Arguments in Opposition. The Internet Association (IA), a national
trade association representing the interests of Internet companies,
is opposed to AB 370 as of May 23, 2013 (prior to the recent
amendments). The IA indicates that protecting consumer privacy and
security is the number one priority for their companies and that
first and foremost, the companies they represent are accountable to
their users and committed to providing them not only with an
awareness of companies' privacy policies but also offering
easy-to-use tools to customize their privacy settings. The IA
believes that AB 370 will impose standards that would not achieve
the intended policy goal. Rather, this proposed legislation could
lead to uncertainty in the marketplace for emerging Internet
companies, increase costs for fledgling businesses and young
entrepreneurs, and jeopardize innovative products that benefit
consumers. The concerns expressed by the IA are as follows:
The bill's use of "online tracking" overlooks the
divergence over exactly what online tracking means.
Furthermore, discussions for a Do Not Track standard are still
ongoing at the W3C, and there has not been any agreement on a
do not track technical standard. Therefore, this legislation
would be premature and would prove difficult to implement at
this time and confusing to consumers.
By creating a definition of "do not track" this
legislation could come into conflict with what is agreed in the
future at the W3C.
The goal of the bill is to give consumers more
transparency and choice about how data is being collected and
shared online, but the Internet industry already works to give
users meaningful choices about their privacy online. In fact,
the digital advertising industry (including Digital Advertising
Alliance) has established a number of enforceable and
self-regulatory initiatives pertaining to online behavioral
advertising and privacy. These frameworks provide flexibility
in adapting to changing consumer preferences and technological
developments.
The bill would force companies to claim responsibility for
the privacy policies of third parties over which these
companies have no control.
The IA further argues that online advertising makes it possible for
social networks, apps, search engines and online publications to be
available at no cost to users. The alternative to an ad-supported
Web is one locked behind paywalls. If those services need to be
funded in other ways, the free and open Internet would no longer be
free and open to all. No matter how well intentioned, legislation
hastily enacted and without consideration of the full impact on
a dynamic industry could create lasting, negative consequences for
California entrepreneurs and innovators as well as consumers.
NOTE: Double-referral to Judiciary Committee second.
SUPPORT AND OPPOSITION:
Support:
California Office of the Attorney General (Sponsor)
Consumer Watchdog
Microsoft
Opposition:
Internet Association
Consultant: Bill Gage