BILL ANALYSIS







         ----------------------------------------------------------------------- 
        |Hearing Date: June 10, 2013        |Bill No: AB 370                    |
         ----------------------------------------------------------------------- 


                      SENATE COMMITTEE ON BUSINESS, PROFESSIONS 
                               AND ECONOMIC DEVELOPMENT
                              Senator Ted W. Lieu, Chair
                                           

                        Bill No:      AB 370         Author:   Muratsuchi
                        As Amended:   June 3, 2013   Fiscal:   No

        
        SUBJECT:   Consumers:  online tracking. 
        
        SUMMARY: Requires that the privacy policy posted by an operator of a  
        commercial Web site or online service that collects personally  
        identifiable information disclose to consumers who use or visit the  
        Web site or online service how the operator responds to Web browser  
        "do not track" signals or other similar mechanisms regarding online  
        tracking, as defined; disclose whether other parties on the  
        operator's commercial Web site or online service may be conducting  
        online tracking; and describe what process, procedure or mechanism  
        the operator provides for a consumer to exercise a choice as to  
        whether to permit that collection.    

        Existing law:
        
        1)Requires an operator of a commercial Web site or online service that  
          collects personally identifiable information (PII) through the  
          Internet about consumers residing in California who use or visit its  
          commercial Web site or online service to conspicuously post its  
          privacy policy on its Web site, or in the case of an operator of an  
          online service, to make that policy available, as specified.   
          (Business and Professions Code (BPC) §§ 22575(a) and 22577(b)(5))

        2)Provides that an operator shall be in violation of the provision in  
          Item # 1) above, only if the operator fails to post its [privacy]  
          policy within 30 days after being notified of noncompliance.

        3)Specifies that the privacy policy shall include the following:  (BPC  
          § 22575(b))






                                                                         AB 370
                                                                         Page 2



           a)   What PII the operator collects about individual consumers  
             and the categories of third-party persons or entities with whom  
             the operator may share the PII. 

           b)   A description of the process, if maintained by the operator,  
             in which the consumer may review and request changes to any of  
             his or her PII that is collected through the Web site or online  
             service.

           c)   A description of the process by which the operator notifies  
             consumers who use or visit its commercial Web site or online  
             service of material changes to the operator's privacy policy for  
             that Web site or online service.

           d)   The effective date of the privacy policy.

        4)Defines the following terms:  (BPC § 22577)

           a)   "Personally identifiable information" (PII) as that which is  
             collected online by an operator, including first and last name,  
             home address, email address, telephone number, social security  
             number and any other unique identifier.

           b)   "Conspicuously post," with respect to the privacy policy,  
             includes posting the privacy policy, as specified.

           c)   "Operator" means any person or entity that owns a Web site  
             located on the Internet or an online service that maintains and  
             collects PII from a consumer residing in California who uses or  
             visits the Web site or online service, where the Web site or  
             online service is used for commercial purposes.

           d)   "Consumer" means any individual who seeks or acquires, by  
             purchase or lease, any goods, services, money, or credit for  
             personal, family, or household purposes. 

        This bill:

        1) Provides that as part of the privacy policy, the operator disclose  
           how it responds to Web browser "do not track" signals or other  
           similar mechanisms regarding online tracking, as defined, when an  
           individual consumer uses or visits the commercial Web site or  
           online service.

        2) Provides that as part of the privacy policy, the operator disclose  
           whether other parties on the operator's commercial Web site or  
           online service are or may be conducting online tracking, as  
           defined, and what, if any, program, solution, protocol, or  
           mechanism the operator follows that offers consumers who use or  
           visit its commercial Web site or online service the ability to  
           exercise a choice regarding whether to permit this collection,  
           and also offer information regarding how the consumer can use the  
           program, solution, protocol, or mechanism. 

        3) Specifies that the term "online tracking" means the practice of  
           collecting PII about an individual consumer's online activities  
           over time and across different Web sites and online services, for  
           any use other than the internal business purposes of the commercial  
           Web site or online service through which tracking is conducted.

        4) Specifies that the term "internal business purposes" means those  
           activities necessary to maintain or analyze the functioning of the  
           commercial Web site or online service, perform network  
           communications, authenticate users of the commercial Web site or  
           online service, and ensure legal or regulatory compliance, provided  
           that the information collected for these activities is not used or  
           disclosed for any other purpose. 

        FISCAL EFFECT:  This bill has been keyed "non-fiscal" by Legislative  
        Counsel.

        COMMENTS:
        
        1.Purpose.  The California Office of the Attorney General (AG) is the  
          sponsor of this measure.  According to the AG, this bill will  
          increase awareness of online behavioral tracking and allow  
          Californians to make informed decisions.  This bill amends the  
          California Online Privacy Protection Act (CalOPPA) to require a  
          commercial Web site or online service to disclose the following  
          information in its privacy policy:  (1) how it responds to an  
          individual's request to disable online tracking; (2) whether third  
          parties are or may be conducting online tracking on the site; and  
          (3) what options are available to consumers who choose not to be  
          tracked across Web sites. 

        As indicated by the AG, CalOPPA requires the operator of a commercial  
          Web site or online service that collects PII from California  
          residents to conspicuously post a privacy policy.  This is the only  
          general requirement for a privacy policy in the nation.  CalOPPA  
          imposes limited content requirements for a privacy policy, and  
          requires an operator to comply with the practices represented in its  
          privacy policy.

        Since CalOPPA took effect, as stated by the AG, online commerce has  
          burgeoned, and evolving technology and new business practices have  
          raised new privacy concerns.  One practice that raises privacy  
          concerns is online tracking, or online behavioral tracking: the  
          monitoring of an individual across multiple Web sites to build a  
          profile of behavior and interests.  In the age of mobile computing,  
          similar tracking is done by monitoring individuals as they use  
          different apps and different phone features.  The resulting profiles  
          are commonly used to deliver targeted advertisements.

        2.California Online Privacy Protection Act (CalOPPA).  In 2003, the  
          Legislature passed AB 68 (Simitian, Chapter 829, Statutes of 2003),  
          which generally requires operators of Web sites and online services  
          that collect PII about the users of their site to conspicuously post  
          their privacy policies on the Web site and comply with them. 

        As it stands today, CalOPPA requires privacy policies to identify the  
          categories of PII collected, the categories of third parties with  
          whom that PII may be shared, the process for consumers to review and  
          request changes to their PII, and the process for notification of  
          material changes to the policy. 

        An operator has 30 days to comply after receiving notice of  
          noncompliance with the posting requirement.  Failure to comply with  
          the CalOPPA requirements or the provisions of the posted privacy  
          policy, if knowing and willful, or negligent and material, is  
          actionable under California's Unfair Competition Law and may result  
          in penalties of up to $2,500 for each violation.  Any violation of  
          this bill would be enforceable as a violation of CalOPPA.

        3.Growth in Online Tracking and Data Auctions.  According to the AG,  
          online tracking is pervasive.  "What They Know," a series of  
          articles published in the Wall Street Journal starting in 2010,  
          reported on an investigation of the tracking on the 50 most popular  
          Web sites in the country.  Those sites installed 3,180 tracking  
          files on a computer used to visit them; 12 of those sites installed  
          more than 100 tracking tools each.  
          
          Profiles of individuals created from tracking data are bought and  
          sold in the marketplace of analytics companies, data brokers, and  
          advertising networks.  Online tracking data can be combined with  
          information obtained from offline records.  The profiles are not  
          only used for targeted advertising, but also for tailored offers at  
          different prices based on statistically generated assumptions.  The  
          presence of trackers on Web sites is generally invisible to site  
          users.  In addition to "cookies" that record sites visited, there are  
          more sophisticated trackers, including some that can "re-spawn" even  
          after users try to delete them.   

          On June 17, 2012, the Wall Street Journal published another article  
          about user-tailored advertising and the explosion in demand for  
          consumer data collected through Web browsers.  The article notes,  
          "...[the] rapid rise in the number of companies collecting data about  
          individuals' Web-surfing behavior is testament to the power of the  
          $31 billion online-advertising business, which increasingly relies  
          on data about users' Web surfing behavior to target advertisements." 

          This tracking often goes unnoticed by consumers and is made possible  
          by the use of "cookie" files that record the sites visited by the  
          consumer's Web browser. The Journal notes that in one study, the  
          average visit to a Web page triggered 56 instances of data  
          collection. The data collected by these cookies are so valuable that  
          online auctions have sprung up among advertisers to compete for the  
          data.   

          According to the article:
           
             Despite rising privacy concerns, the online industry's  
             data-collection efforts have expanded in the past few years.  
             One reason is the popularity of online auctions, where  
             advertisers buy data about users' Web browsing. [One firm]  
             estimated that such auctions, known as real-time bidding  
             exchanges, contribute to 40% of online data collection.

             In real-time bidding, as soon as a user visits a Web page,  
             the visit is auctioned to the highest bidder, based on  
             attributes such as the type of page visited or previous Web  
             browsing by the user.  The bidding is done automatically  
             using computer algorithms.  For example, this is how pop-up  
             ads for clocks and Web sites with clocks for sale begin  
             showing up on your browser as you are looking online at  
             clocks.

             Forrester Research estimates that real-time bidding will  
             constitute 18% of the online display-ad market this year, up  
             from 13% last year.  "It's gone from virtually zero in 2009  
             to about a fifth of the entire market right now," said  
             Michael Greene, a Forrester senior analyst.  "We've moved  
             from a traditional advertising model of buying 1,000  
             impressions. Now you evaluate and buy a single impression."

             To make the auctions work, advertising companies are racing  
             to place tracking technology on as many Web sites as  
             possible. That technology gives them user and Web-page data  
             to sell in the auction.

        4.Efforts Regarding Do Not Track.  There has been some progress toward  
          providing Web site users with more control over targeted  
          advertising.  The Digital Advertising Alliance, a coalition of media  
          and marketing organizations, has an icon-based program that gives  
          individuals an opportunity to learn about, and opt out of, receipt  
          of online behavioral advertising.  The program is voluntary for  
          operators, and at this point it does not allow Web site users to  
          choose not to be tracked.  The Federal Trade Commission (FTC), in  
          its March 2012 report titled Protecting Consumer Privacy in an Era  
          of Rapid Change, endorsed the implementation of an easy-to-use,  
          persistent, and effective Do Not Track system. 
         
          In practice, a consumer wishing to communicate a Do Not Track signal  
          to Web sites would generally do so via their Web browser controls,  
          the presence of which would signal to a visited Web site that it  
          should disable its tracking for that visit. The signal or "field"  
          communicates that the consumer either opts in to or opts out of data  
          tracking; if a choice is not made, the default would presumably  
          communicate that the consumer has not opted out of tracking.  
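          The three-state signal described above, shown as server-side logic.  
          This is an added example and not part of the bill analysis or of  
          any vendor's code.  The DNT request header and its two defined  
          values ("1" for a consumer who asks not to be tracked, "0" for one  
          who consents) are the real browser header; the policy flags  
          honor_dnt and default_tracks, the decision logic, and the sample  
          requests are constructed to illustrate how an operator's disclosed  
          response to the signal would play out for each kind of visit.

```python
"""Interpret a browser's Do Not Track (DNT) request header on the server side.

Added example, not part of the bill analysis.  The DNT header and its two
defined values ("1" = user asks not to be tracked, "0" = user consents) are
real; the policy flags, the sample requests and the decision logic are
constructed to illustrate the three states a visit can be in.
"""
from collections import Counter
from enum import Enum


class TrackingPreference(Enum):
    OPT_OUT = "opt-out"          # DNT: 1
    OPT_IN = "opt-in"            # DNT: 0
    UNSPECIFIED = "unspecified"  # header absent or malformed


def parse_dnt(headers):
    """Map the request's DNT header to a TrackingPreference.

    Header names are matched case-insensitively, as HTTP requires.  Any value
    other than "0" or "1" is treated as no expressed choice rather than as an
    opt-in, so a malformed header never silently enables tracking.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return TrackingPreference.OPT_OUT
            if value == "0":
                return TrackingPreference.OPT_IN
            return TrackingPreference.UNSPECIFIED
    return TrackingPreference.UNSPECIFIED


def allow_cross_site_tracking(headers, honor_dnt, default_tracks):
    """Decide whether a visit may be used for cross-site tracking.

    honor_dnt and default_tracks (constructed names) stand for what the
    operator's privacy policy discloses: whether a DNT: 1 signal stops
    tracking, and what happens when the browser sends no signal.  Tracking
    for the bill's "internal business purposes" (authentication, network
    communications, compliance) is outside this decision.
    """
    preference = parse_dnt(headers)
    if preference is TrackingPreference.OPT_OUT:
        return not honor_dnt
    if preference is TrackingPreference.OPT_IN:
        return True
    return default_tracks


# Constructed sample of request header sets, one per visit.
SAMPLE_REQUESTS = [
    {"Host": "shop.example", "DNT": "1"},
    {"Host": "shop.example", "dnt": "1"},      # lower-case header name
    {"Host": "shop.example", "DNT": "0"},
    {"Host": "shop.example"},                  # no signal sent
    {"Host": "shop.example", "DNT": "yes"},    # malformed value
]


def tracked_visit_counts(requests, honor_dnt, default_tracks):
    """Count tracked versus untracked visits under one disclosed policy."""
    counts = Counter()
    for headers in requests:
        tracked = allow_cross_site_tracking(headers, honor_dnt, default_tracks)
        counts["tracked" if tracked else "untracked"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Three disclosed policies: honor DNT / track by default; ignore DNT;
    # honor DNT / do not track unless the consumer opts in.
    for honor, default in [(True, True), (False, True), (True, False)]:
        print(f"honor_dnt={honor} default_tracks={default}: "
              f"{tracked_visit_counts(SAMPLE_REQUESTS, honor, default)}")
```

          Run as a script, the module prints how many of the five sample  
          visits each policy would track; the point is that the same browser  
          signal produces different outcomes depending on the response the  
          operator has disclosed, which is exactly why the bill asks for the  
          response to be stated rather than a yes or no.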

          According to the AG, "[s]ubsequently, all of the major browser  
          companies have offered Do Not Track browser headers that signal to  
          Web sites an individual's choice not to be tracked. There is,  
          however, no legal requirement for sites to honor an individual's Do  
          Not Track choices." 

          No data were immediately available to suggest how frequently Web  
          sites decline to honor a Do Not Track signal, although researchers  
          at Stanford maintain a running list of Web sites that honor the Do  
          Not Track signal; that list shows only 20 Web sites, most of which  
          are not commonly known, with the exception of Twitter.

        5.World Wide Web Consortium (W3C).  The W3C is an Internet  
          standards-setting organization for the World Wide Web.  Founded and  
          currently led by Tim Berners-Lee (who invented the World Wide Web  
          over 20 years ago and is based at the Massachusetts Institute of  
          Technology (MIT)), the consortium is made up of member organizations  
          which maintain full-time staff for the purpose of working together  
          in the development of standards for the World Wide Web.  As of April  
          12, 2013, the W3C has 379 members including businesses, nonprofit  
          organizations, universities, governmental entities, and individuals.  
           W3C tries to enforce compatibility and agreement among industry  
          members in the adoption of new standards defined by the W3C.

        W3C has been criticized as being dominated by larger organizations and  
          thus as producing standards that represent their interests.  For  
          example, a member of the Web Content Accessibility Guidelines Working  
          Group complained that "The process is stacked in favor of  
          multinationals with expense accounts who can afford to talk on the  
          phone for two hours a week and jet to world capitals for meetings."  
          A similar criticism, responding to large software company complaints  
          about the slow pace of W3C's formulation of Web services standards,  
          appeared in Cnet's news.com:  "I'm not convinced that developers are  
          too bothered," said Ed Dumbill, editor of XML.com, who has worked as  
          a software developer on Web services.  "I think developers are being  
          poorly served by the fact that the big companies have dominated the  
          work of W3C over the last year.  The W3C does more or less what its  
          members tell it to do.  So I don't have a huge amount of sympathy  
          for the complaints of large companies."

          Consumer Watchdog has indicated that, in regards to Do Not Track,  
          W3C is trying to develop specifications for how a Do Not Track  
          message should technically be sent and what the compliance  
          obligations would be for a Web site that received the message.  The  
          W3C talks have gone on for a year and a half without reaching a  
          result.       
          
        6.Recent Amendments Attempt to Address the Concerns of Industry and  
          Privacy Advocates.  The AG indicates that this measure was recently  
          amended to clarify the transparency requirements for a first party  
          Web site or online service visited by a consumer and for third  
          parties that are tracking the visitor on the first party's site.  
          The amendments draw upon discussions with industry representatives  
          and privacy advocates.

             -  The definition of "online tracking" is amended to exclude  
                tracking for "internal business purposes" of the first-party  
                operator, such as network communications and user  
                authentication.  This exemption is consistent with the emphasis  
                on simplifying consumer choice in the federal government's 2012  
                privacy reports.  The categories of business purposes are based  
                on the 2012 revision of the federal Children's Online Privacy  
                Protection Act rule, and on exemptions in California privacy  
                laws on driver's license scanning, supermarket club cards,  
                and financial information privacy.

             -  Instead of the previous bill language that required an  
                operator to disclose whether or not it "honors or complies  
                with" a Do Not Track browser signal, the amendments require an  
                operator to disclose how it responds to such a signal.  The  
                change, which was suggested by the industry, is intended to  
                provide disclosure that will be more helpful to consumers than  
                just a simple "yes or no" statement.

             -  In response to industry concerns about first party Web  
                site operators being held responsible for the actions of third  
                party "trackers" that they cannot always control, the  
                amendments simply require a Web site operator to disclose  
                whether third parties are or may be conducting online tracking  
                on the site.  As also suggested by the industry, the amendments  
                require a Web site operator to inform consumers about what  
                options are available to them to choose not to be tracked  
                across Web sites.
             
        7.Prior and Related Legislation.  AB 242 (Chau), of the 2013-14  
          Legislative Session, would require online privacy policies mandated  
          under CalOPPA to be no more than 100 words, written in clear and  
          concise language, written at no greater than an 8th grade reading  
          level, and include a statement indicating whether the PII may be  
          sold or shared with others, and if so, how and with whom the  
          information may be shared.  (Status:  AB 242 is currently pending in  
          the Assembly Judiciary Committee.)
          
          AB 257 (Hall) of the 2013-14 Legislative Session, would expressly  
          include mobile applications in the provisions of CalOPPA, and  
          require operators to satisfy various privacy policy requirements for  
          mobile applications, including allowing consumers to access their  
          own collected and retained PII, imposing safeguards to protect PII,  
          requiring a supplemental privacy policy if an application collects  
          information not essential to the application's basic function, and a  
          requirement that the operator provide a special notice if the  
          application accesses specified devices and information.  This bill  
          would also require mobile application markets and advertising  
          networks to comply with specified privacy procedures.  
          (Status:  AB 257 is currently pending in the Assembly Judiciary  
          Committee.) 
           
          SB 501 (Corbett) of the 2013-14 Legislative Session, would require a  
          social networking Internet Web site, as defined, to remove the  
          personal identifying information of any registered user, as defined,  
          within 96 hours after his or her request, and would also require  
          removal of that information in that same manner regarding a user  
          under 18 years of age upon request by the user's parent or legal  
          guardian.  SB 501 would also impose a civil penalty, not to exceed  
          $10,000, for each willful and knowing violation of these provisions.  
          (Status:  SB 501 is currently pending in the Assembly and has been  
          referred to the Arts, Entertainment, Sports, Tourism and Internet  
          Media Committee and the Judiciary Committee.)
           
          SB 761 (Lowenthal) of the 2011-12 Legislative Session, would have  
          required the Attorney General, by July 1, 2012, to adopt regulations  
          that would require online businesses to provide California consumers  
          with a method for the consumer to opt out of the collection or use  
          of his or her information by the business.  (Status:  SB 761 was  
          held in the Senate Appropriations Committee.)
           
          AB 68 (Simitian, Chapter 829, Statutes of 2003) requires operators  
          of Web sites and online services that collect PII about the users of  
          their site to conspicuously post their privacy policies on the Web  
          site and comply with them.

        8.Arguments in Support.  Consumer Watchdog (CW) expresses its support  
          for AB 370 which would increase awareness of online tracking, and  
          allow Californians to make better-informed choices about using  
          online services and Web sites based on the services' privacy  
          practices and whether they allow tracking.  CW strongly believes  
          that consumers must have the right to opt out of such tracking and  
          sponsored SB 761 introduced in 2011 that would have required a Do  
          Not Track mechanism and required companies to honor it.  It was not  
          enacted.  At the federal level Sen. Jay Rockefeller and Sen. Richard  
          Blumenthal have just introduced Do Not Track legislation that CW  
          supports, which would empower the Federal Trade Commission to enact  
          Do Not Track regulations and enforce them.  CW further states that  
          AB 370 is a transparency proposal - not a Do Not Track proposal.   
          When a privacy policy discloses whether or not an operator honors a  
          Do Not Track signal from a browser, individuals may make informed  
          decisions about their use of the site or the service.  CW strongly  
          believes that there must ultimately be a legal Do Not Track  
          requirement.  However, in the absence of such legislation,  
          transparency about a service's practices is a step in the right  
          direction.  Requiring transparency could well prompt companies to  
          compete based on their privacy practices.  AB 370 will likely  
          prompt more companies to honor Do Not Track requests.  At the least  
          it will give consumers more information about whether data about  
          their online activity is gathered.

          Microsoft also writes in support of AB 370 as amended and applauds the  
          Author and the AG for their attention to individual privacy and  
          transparency.  As a leading provider of software and online  
          services, Microsoft is committed to creating a trusted environment  
          for Internet users, and protection of individual privacy is at the  
          core of this commitment.  Microsoft believes that organizations  
          should be responsible and accountable for how they collect, use, and  
          protect personal information while helping individuals better manage  
          the information they share online.  As part of a longstanding  
          commitment to privacy, Microsoft provides resources to help  
          individuals protect their online information.  Microsoft believes  
          that government and industry must partner to protect consumers'  
          privacy and data security while still enabling and fostering the  
          innovation, productivity, and cost-efficiency offered by new  
          technology.  
        
        9.Arguments in Opposition.  The Internet Association (IA), a national  
          trade association representing the interests of Internet companies,  
          is opposed to AB 370 as of May 23, 2013 (prior to the recent  
          amendments).  The IA indicates that protecting consumer privacy and  
          security is the number one priority for their companies and that  
          first and foremost, the companies they represent are accountable to  
          their users and committed to providing them not only with an  
          awareness of companies' privacy policies but also offering  
          easy-to-use tools to customize their privacy settings.  The IA  
          believes that AB 370 will impose standards that would not achieve  
          the intended policy goal.  Rather, this proposed legislation could  
          lead to uncertainty in the marketplace for emerging Internet  
          companies, increase costs for fledgling businesses and young  
          entrepreneurs, and jeopardize innovative products that benefit  
          consumers.  The concerns expressed by the IA are as follows:
        
             -  The bill's use of "online tracking" overlooks the  
                divergence over exactly what online tracking means.   
                Furthermore, discussions for a Do Not Track standard are still  
                ongoing at the W3C, and there has not been any agreement on a  
                do not track technical standard.  Therefore, this legislation  
                would be premature and would prove difficult to implement at  
                this time and confusing to consumers.
              
             -  By creating a definition of "do not track" this  
                legislation could come into conflict with what is agreed in the  
                future at the W3C.
              
             -  The goal of the bill is to give consumers more  
                transparency and choice about how data is being collected and  
                shared online, but the Internet industry already works to give  
                users meaningful choices about their privacy online.  In fact,  
                the digital advertising industry (including Digital Advertising  
                Alliance) has established a number of enforceable and  
                self-regulatory initiatives pertaining to online behavioral  
                advertising and privacy.  These frameworks provide flexibility  
                in adapting to changing consumer preferences and technological  
                developments.
              
             -  The bill would force companies to claim responsibility for  
                the privacy policies of third parties over which these  
                companies have no control.
             
          The IA further argues that online advertising makes it possible for  
          social networks, apps, search engines and online publications to be  
          available at no cost to users.  The alternative to an ad-supported  
          Web is one locked behind paywalls.  If those services need to be  
          funded in other ways, the free and open Internet would no longer be  
          free and open to all.  No matter how well intentioned, legislation  
          hastily enacted and without consideration of the full impact on a  
          dynamic industry could create lasting, negative consequences for  
          California entrepreneurs and innovators as well as consumers.  

        NOTE:  Double-referral to Judiciary Committee second.

        SUPPORT AND OPPOSITION:
        
         Support:  

        California Office of the Attorney General (Sponsor)
        Consumer Watchdog
        Microsoft

         Opposition:  

        Internet Association



        Consultant: Bill Gage