BILL ANALYSIS

Hearing Date: June 10, 2013
Bill No: AB 370

SENATE COMMITTEE ON BUSINESS, PROFESSIONS AND ECONOMIC DEVELOPMENT
Senator Ted W. Lieu, Chair

Bill No: AB 370
Author: Muratsuchi
As Amended: June 3, 2013
Fiscal: No

SUBJECT: Consumers: online tracking.

SUMMARY: Requires that the privacy policy posted by an operator of a commercial Web site or online service that collects personally identifiable information disclose to a consumer who uses or visits the Web site or online service (1) how the operator responds to Web browser "do not track" signals or other similar mechanisms regarding online tracking, as defined; (2) whether other parties on the operator's commercial Web site or online service may be conducting online tracking; and (3) what process, procedure or mechanism of the operator's the consumer may use to exercise a choice as to whether to permit that collection.

Existing law:

1) Requires an operator of a commercial Web site or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or, in the case of an operator of an online service, to make that policy available, as specified. (Business and Professions Code (BPC) §§ 22575(a) and 22577(b)(5))

2) Provides that an operator is in violation of the provision in Item 1) above only if the operator fails to post its privacy policy within 30 days after being notified of noncompliance.
3) Specifies that the privacy policy shall include the following: (BPC § 22575(b))

a) What PII the operator collects about individual consumers and the categories of third-party persons or entities with whom the operator may share the PII.

b) A description of the process, if maintained by the operator, by which the consumer may review and request changes to any of his or her PII that is collected through the Web site or online service.

c) A description of the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.

d) The effective date of the privacy policy.

4) Defines the following terms: (BPC § 22577)

a) "Personally identifiable information" (PII) means information collected online by an operator, including first and last name, home address, email address, telephone number, social security number and any other unique identifier.

b) "Conspicuously post," with respect to the privacy policy, includes posting the privacy policy, as specified.

c) "Operator" means any person or entity that owns a Web site located on the Internet or an online service that maintains and collects PII from a consumer residing in California who uses or visits the Web site or online service, where the Web site or online service is used for commercial purposes.

d) "Consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

This bill:

1) Provides that, as part of the privacy policy, the operator disclose how it responds to Web browser "do not track" signals or other similar mechanisms regarding online tracking, as defined, when an individual consumer uses or visits the commercial Web site or online service.
2) Provides that, as part of the privacy policy, the operator disclose whether other parties on the operator's commercial Web site or online service are or may be conducting online tracking, as defined, and what program, solution, protocol, or mechanism, if any, the operator follows that offers consumers who use or visit its commercial Web site or online service the ability to exercise a choice regarding whether to permit this collection, and also offer information regarding how the consumer can use that program, solution, protocol, or mechanism.

3) Specifies that the term "online tracking" means the practice of collecting PII about an individual consumer's online activities over time and across different Web sites and online services, for any use other than the internal business purposes of the commercial Web site or online service through which the tracking is conducted.

4) Specifies that the term "internal business purposes" means those activities necessary to maintain or analyze the functioning of the commercial Web site or online service, perform network communications, authenticate users of the commercial Web site or online service, and ensure legal or regulatory compliance, provided that the information collected for these activities is not used or disclosed for any other purpose.

FISCAL EFFECT: This bill has been keyed "non-fiscal" by Legislative Counsel.

COMMENTS:

1. Purpose. The California Office of the Attorney General (AG) is the Sponsor of this measure. According to the AG, this bill will increase awareness of online behavioral tracking and allow Californians to make informed decisions.
This bill amends the California Online Privacy Protection Act (CalOPPA) to require a commercial Web site or online service to disclose the following information in its privacy policy: (1) how it responds to an individual's request to disable online tracking; (2) whether third parties are or may be conducting online tracking on the site; and (3) what options are available to consumers who choose not to be tracked across Web sites.

As indicated by the AG, CalOPPA requires the operator of a commercial Web site or online service that collects PII from California residents to conspicuously post a privacy policy. This is the only general requirement for a privacy policy in the nation. CalOPPA imposes limited content requirements for a privacy policy, and requires an operator to comply with the practices represented in its privacy policy.

Since CalOPPA took effect, as stated by the AG, online commerce has burgeoned, and evolving technology and new business practices have raised new privacy concerns. One practice that raises privacy concerns is online tracking, or online behavioral tracking: the monitoring of an individual across multiple Web sites to build a profile of behavior and interests. In the age of mobile computing, similar tracking is done by monitoring individuals as they use different apps and different phone features. The resulting profiles are commonly used to deliver targeted advertisements.

2. California Online Privacy Protection Act (CalOPPA). In 2003, the Legislature passed AB 68 (Simitian, Chapter 829, Statutes of 2003), which generally requires operators of Web sites and online services that collect PII about the users of their site to conspicuously post their privacy policies on the Web site and comply with them.
As it stands today, CalOPPA requires privacy policies to identify the categories of PII collected, the categories of third parties with whom that PII may be shared, the process for consumers to review and request changes to their PII, and the process for notification of material changes to the policy. An operator has 30 days to comply after receiving notice of noncompliance with the posting requirement. Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California's Unfair Competition Law and may result in penalties of up to $2,500 for each violation. Any violation of this bill would be enforceable as a violation of CalOPPA.

3. Growth in Online Tracking and Data Auctions. According to the AG, online tracking is pervasive. "What They Know," a series of articles published in the Wall Street Journal starting in 2010, reported on an investigation of the tracking on the 50 most popular Web sites in the country. Those sites installed 3,180 tracking files on a computer used to visit them; 12 of those sites installed more than 100 tracking tools each. Profiles of individuals created from tracking data are bought and sold in the marketplace of analytics companies, data brokers, and advertising networks. Online tracking data can be combined with information obtained from offline records. The profiles are not only used for targeted advertising, but also for tailored offers at different prices based on statistically generated assumptions. The presence of trackers on Web sites is generally invisible to site users. In addition to "cookies" that record the sites visited, there are more sophisticated trackers, including some that can "re-spawn" even after users try to delete them.
On June 17, 2012, the Wall Street Journal published another article about user-tailored advertising and the explosion in demand for consumer data collected through Web browsers. The article notes, "[the] rapid rise in the number of companies collecting data about individuals' Web-surfing behavior is testament to the power of the $31 billion online-advertising business, which increasingly relies on data about users' Web surfing behavior to target advertisements." This tracking often goes unnoticed by consumers and is made possible by the use of "cookie" files that record the sites visited by the consumer's Web browser. The Journal notes that in one study, the average visit to a Web page triggered 56 instances of data collection. The data collected by these cookies are so valuable that online auctions have sprung up among advertisers to compete for the data. According to the article:

Despite rising privacy concerns, the online industry's data-collection efforts have expanded in the past few years. One reason is the popularity of online auctions, where advertisers buy data about users' Web browsing. [One firm] estimated that such auctions, known as real-time bidding exchanges, contribute to 40% of online data collection.

In real-time bidding, as soon as a user visits a Web page, the visit is auctioned to the highest bidder, based on attributes such as the type of page visited or previous Web browsing by the user. The bidding is done automatically using computer algorithms. For example, this is how pop-up ads for clocks and Web sites with clocks for sale begin showing up on your browser as you are looking online at clocks.

Forrester Research estimates that real-time bidding will constitute 18% of the online display-ad market this year, up from 13% last year. "It's gone from virtually zero in 2009 to about a fifth of the entire market right now," said Michael Greene, a Forrester senior analyst. "We've moved from a traditional advertising model of buying 1,000 impressions. Now you evaluate and buy a single impression."

To make the auctions work, advertising companies are racing to place tracking technology on as many Web sites as possible. That technology gives them user and Web-page data to sell in the auction.

4. Efforts Regarding Do Not Track. There has been some progress toward providing Web site users with more control over targeted advertising. The Digital Advertising Alliance, a coalition of media and marketing organizations, has an icon-based program that gives individuals an opportunity to learn about, and opt out of, receipt of online behavioral advertising. The program is voluntary for operators, and at this point it does not allow Web site users to choose not to be tracked.

The Federal Trade Commission (FTC), in its March 2012 report titled Protecting Consumer Privacy in an Era of Rapid Change, endorsed the implementation of an easy-to-use, persistent, and effective Do Not Track system. In practice, a consumer wishing to communicate a Do Not Track signal to Web sites would generally do so via their Web browser controls; the presence of the signal would tell a visited Web site that it should disable its tracking for that visit. The signal or "field" communicates that the consumer either opts in to or opts out of data tracking; if no choice is made, the default would presumably communicate that the consumer has not opted out of tracking. According to the AG, "[s]ubsequently, all of the major browser companies have offered Do Not Track browser headers that signal to Web sites an individual's choice not to be tracked. There is, however, no legal requirement for sites to honor an individual's Do Not Track choices."
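The browser signal discussed above is, mechanically, an HTTP request header. The following is an added illustration, not part of the committee analysis or of any operator's actual code, of how a site operator would read that header and act on the policy it discloses. It assumes the header semantics of the W3C Tracking Preference Expression draft current at the time: the browser sends "DNT: 1" to opt out, "DNT: 0" to opt in, and omits the header when the user has expressed no preference; the "Tk" response header values "N" (not tracking) and "T" (tracking) are likewise taken from that draft, and the cookie name and request samples are constructed for the example.

```python
"""Added example: interpreting a browser Do Not Track (DNT) signal on the
server side. Header names and values assume the W3C Tracking Preference
Expression draft; sample requests are constructed, not captured."""
from dataclasses import dataclass
from typing import Mapping, Optional


def parse_dnt(headers: Mapping[str, str]) -> Optional[bool]:
    """Return True if the user opted OUT (DNT: 1), False if the user opted
    IN (DNT: 0), and None when no valid preference was expressed.

    HTTP header names are case-insensitive, so the lookup ignores case.
    A malformed value is treated as "no preference", never as consent."""
    value = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value == "1":
        return True
    if value == "0":
        return False
    return None


@dataclass
class Decision:
    track: bool        # will this response set cross-site tracking identifiers?
    tk_header: str     # value for the "Tk" tracking-status response header
    reason: str        # human-readable explanation for logs/audits


def decide_tracking(headers: Mapping[str, str], *, honor_dnt: bool,
                    default_track: bool = True) -> Decision:
    """Apply the operator's disclosed policy to one request.

    honor_dnt models what the bill asks an operator to disclose: whether a
    "DNT: 1" signal actually switches tracking off. default_track is the
    operator's behaviour when the browser expresses no preference."""
    pref = parse_dnt(headers)
    if pref is True:
        if honor_dnt:
            return Decision(False, "N", "DNT:1 received and honored")
        return Decision(default_track, "T" if default_track else "N",
                        "DNT:1 received but operator policy does not honor it")
    if pref is False:
        return Decision(True, "T", "DNT:0 received (explicit opt-in)")
    return Decision(default_track, "T" if default_track else "N",
                    "no valid DNT preference; operator default applies")


def build_response_headers(decision: Decision) -> dict:
    """Response headers for a decision. The Tk header reports what the site
    did; a tracking cookie is only emitted when tracking is permitted."""
    hdrs = {"Tk": decision.tk_header}
    if decision.track:
        # Constructed sample tracking cookie (name and value are arbitrary).
        hdrs["Set-Cookie"] = "trk=abc123; Path=/; HttpOnly"
    return hdrs


# Constructed sample requests covering the three signal states plus a
# malformed header, which must not be read as consent.
SAMPLE_REQUESTS = {
    "opt_out":        {"Host": "example.test", "DNT": "1"},
    "opt_in":         {"Host": "example.test", "dnt": "0"},
    "no_preference":  {"Host": "example.test"},
    "malformed":      {"Host": "example.test", "DNT": "yes"},
}


if __name__ == "__main__":
    for policy in (True, False):
        print(f"--- operator honors DNT: {policy}")
        for name, req in SAMPLE_REQUESTS.items():
            d = decide_tracking(req, honor_dnt=policy)
            print(f"{name:14} track={d.track!s:5} {build_response_headers(d)}  # {d.reason}")
```

Running the block with both policy settings shows the practical difference the bill's disclosure requirement is meant to surface: the same "DNT: 1" request yields "Tk: N" and no tracking cookie from an operator that honors the signal, and "Tk: T" with a cookie from one that does not. Note also that an absent or malformed header falls through to the operator's default rather than being treated as an opt-in, matching the analysis's observation that the default communicates only that the consumer has not opted out.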
There was no data immediately available to suggest how frequently Web sites decline to honor a Do Not Track signal, although one list maintained by researchers at Stanford reflects a running list of Web sites that honor the Do Not Track signal; that list shows only 20 Web sites, most of which are not commonly known, with the exception of Twitter.

5. World Wide Web Consortium (W3C). The W3C is an Internet standards-setting organization for the World Wide Web. Founded and currently led by Tim Berners-Lee (who invented the World Wide Web over 20 years ago and is located at the Massachusetts Institute of Technology (MIT)), the consortium is made up of member organizations which maintain full-time staff for the purpose of working together in the development of standards for the World Wide Web. As of April 12, 2013, the W3C has 379 members including businesses, nonprofit organizations, universities, governmental entities, and individuals. W3C tries to enforce compatibility and agreement among industry members in the adoption of new standards defined by the W3C.

W3C has been criticized as being dominated by larger organizations, and thus producing standards that represent their interests. For example, a member of the Web Content Accessibility Guidelines Working Group complained that, "The process is stacked in favor of multinationals with expense accounts who can afford to talk on the phone for two hours a week and jet to world capitals for meetings." A similar criticism, responding to large software company complaints about the slow pace of W3C's formulation of Web services standards, appeared in Cnet's news.com: "I'm not convinced that developers are too bothered," said Ed Dumbill, editor of XML.com, who has worked as a software developer on Web services. "I think developers are being poorly served by the fact that the big companies have dominated the work of W3C over the last year. The W3C does more or less what its members tell it to do. So I don't have a huge amount of sympathy for the complaints of large companies."

Consumer Watchdog has indicated that, in regard to Do Not Track, W3C is trying to develop specifications for how a Do Not Track message should technically be sent and what the compliance obligations would be for a Web site that received the message. The W3C talks have gone on for a year and a half without reaching a result.

6. Recent Amendments Attempt to Address Concerns of Industry and Privacy Advocates. The AG indicates that this measure was recently amended to clarify the transparency requirements for a first-party Web site or online service visited by a consumer and for third parties that are tracking the visitor on the first party's site. The amendments draw upon discussions with industry representatives and privacy advocates.

The definition of "online tracking" is amended to exclude tracking for "internal business purposes" of the first-party operator, such as network communications and user authentication. This exemption is consistent with the emphasis on simplifying consumer choice in the federal government's 2012 privacy reports. The categories of business purposes are based on the 2012 revision of the federal Children's Online Privacy Protection Act rule, and on exemptions in California privacy laws on driver's license scanning, supermarket club cards, and financial information privacy.

Instead of the previous bill language that required an operator to disclose whether or not it "honors or complies with" a Do Not Track browser signal, the amendments require an operator to disclose how it responds to such a signal. The change, which was suggested by the industry, is intended to provide disclosure that will be more helpful to consumers than just a simple "yes or no" statement.
In response to industry concerns about first-party Web site operators being held responsible for the actions of third-party "trackers" that they cannot always control, the amendments simply require a Web site operator to disclose whether third parties are or may be conducting online tracking on the site. As also suggested by the industry, the amendments require a Web site operator to inform consumers about what options are available to them to choose not to be tracked across Web sites.

7. Prior and Related Legislation. AB 242 (Chau), of the 2013-14 Legislative Session, would require online privacy policies mandated under CalOPPA to be no more than 100 words, written in clear and concise language, written at no greater than an 8th grade reading level, and include a statement indicating whether the PII may be sold or shared with others, and if so, how and with whom the information may be shared. (Status: AB 242 is currently pending in the Assembly Judiciary Committee.)

AB 257 (Hall), of the 2013-14 Legislative Session, would expressly include mobile applications in the provisions of CalOPPA, and require operators to satisfy various privacy policy requirements for mobile applications, including allowing consumers to access their own collected and retained PII, imposing safeguards to protect PII, requiring a supplemental privacy policy if an application collects information not essential to the application's basic function, and a requirement that the operator provide a special notice if the application accesses specified devices and information. This bill would also require mobile application markets and advertising networks to comply with specified privacy procedures. (Status: AB 257 is currently pending in the Assembly Judiciary Committee.)
SB 501 (Corbett), of the 2013-14 Legislative Session, would require a social networking Internet Web site, as defined, to remove the personal identifying information of any registered user, as defined, within 96 hours after his or her request, and would also require removal of that information in the same manner for a user under 18 years of age upon request by the user's parent or legal guardian. SB 501 would also impose a civil penalty, not to exceed $10,000, for each willful and knowing violation of these provisions. (Status: SB 501 is currently pending in the Assembly and has been referred to the Arts, Entertainment, Sports, Tourism and Internet Media Committee and the Judiciary Committee.)

SB 761 (Lowenthal), of the 2011-12 Legislative Session, would have required the Attorney General, by July 1, 2012, to adopt regulations that would require online businesses to provide California consumers with a method to opt out of the collection or use of their information by the business. (Status: SB 761 was held in the Senate Appropriations Committee.)

AB 68 (Simitian, Chapter 829, Statutes of 2003) requires operators of Web sites and online services that collect PII about the users of their site to conspicuously post their privacy policies on the Web site and comply with them.

8. Arguments in Support. Consumer Watchdog (CW) expresses its support for AB 370, which would increase awareness of online tracking and allow Californians to make better-informed choices about using online services and Web sites based on the services' privacy practices and whether they allow tracking. CW strongly believes that consumers must have the right to opt out of such tracking and sponsored SB 761, introduced in 2011, which would have required a Do Not Track mechanism and required companies to honor it. It was not enacted. At the federal level, Sen. Jay Rockefeller and Sen.
Richard Blumenthal have just introduced Do Not Track legislation that CW supports, which would empower the Federal Trade Commission to enact Do Not Track regulations and enforce them.

CW further states that AB 370 is a transparency proposal, not a Do Not Track proposal. When a privacy policy discloses whether or not an operator honors a Do Not Track signal from a browser, individuals may make informed decisions about their use of the site or the service. CW strongly believes that there must ultimately be a legal Do Not Track requirement. However, in the absence of such legislation, transparency about a service's practices is a step in the right direction. Requiring transparency could well prompt companies to compete based on their privacy practices. AB 370 will likely prompt more companies to honor Do Not Track requests. At the least, it will give consumers more information about whether data about their online activity is gathered.

Microsoft also writes in support of AB 370 as amended and applauds the Author and the AG for their attention to individual privacy and transparency. As a leading provider of software and online services, Microsoft is committed to creating a trusted environment for Internet users, and protection of individual privacy is at the core of this commitment. Microsoft believes that organizations should be responsible and accountable for how they collect, use, and protect personal information while helping individuals better manage the information they share online. As part of a longstanding commitment to privacy, Microsoft provides resources to help individuals protect their online information. Microsoft believes that government and industry must partner to protect consumers' privacy and data security while still enabling and fostering the innovation, productivity, and cost-efficiency offered by new technology.

9. Arguments in Opposition.
The Internet Association (IA), a national trade association representing the interests of Internet companies, is opposed to AB 370 as of May 23, 2013 (prior to the recent amendments). The IA indicates that protecting consumer privacy and security is the number one priority for its companies and that, first and foremost, the companies it represents are accountable to their users and committed to providing them not only with an awareness of companies' privacy policies but also with easy-to-use tools to customize their privacy settings. The IA believes that AB 370 will impose standards that would not achieve the intended policy goal. Rather, this proposed legislation could lead to uncertainty in the marketplace for emerging Internet companies, increase costs for fledgling businesses and young entrepreneurs, and jeopardize innovative products that benefit consumers. The concerns expressed by the IA are as follows:

The bill's use of "online tracking" overlooks the divergence over exactly what online tracking means. Furthermore, discussions for a Do Not Track standard are still ongoing at the W3C, and there has not been any agreement on a Do Not Track technical standard. Therefore, this legislation would be premature, would prove difficult to implement at this time, and would be confusing to consumers. By creating a definition of "do not track," this legislation could come into conflict with what is agreed in the future at the W3C.

The goal of the bill is to give consumers more transparency and choice about how data is being collected and shared online, but the Internet industry already works to give users meaningful choices about their privacy online. In fact, the digital advertising industry (including the Digital Advertising Alliance) has established a number of enforceable and self-regulatory initiatives pertaining to online behavioral advertising and privacy.
These frameworks provide flexibility in adapting to changing consumer preferences and technological developments.

The bill would force companies to claim responsibility for the privacy policies of third parties over which these companies have no control.

The IA further argues that online advertising makes it possible for social networks, apps, search engines and online publications to be available at no cost to users. The alternative to an ad-supported Web is one locked behind paywalls. If those services need to be funded in other ways, the free and open Internet would no longer be free and open to all. No matter how well intentioned, legislation hastily enacted and without consideration of the full impact on a dynamic industry could create lasting, negative consequences for California entrepreneurs and innovators as well as consumers.

NOTE: Double-referral to Judiciary Committee second.

SUPPORT AND OPPOSITION:

Support:
California Office of the Attorney General (Sponsor)
Consumer Watchdog
Microsoft

Opposition:
Internet Association

Consultant: Bill Gage