BILL ANALYSIS






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          AB 370 (Muratsuchi)
          As Amended June 3, 2013
          Hearing Date: June 18, 2013
          Fiscal: No
          Urgency: No
          TH


                                        SUBJECT
                                           
                             Consumers: Online Tracking

                                      DESCRIPTION  

          Existing law requires an operator of a commercial Web site or  
          online service that collects personally identifiable information  
          through the Internet about California consumers to conspicuously  
          post and comply with its stated privacy policy.  This bill would  
          require an operator's privacy policy to disclose how the  
          operator responds to a Web browser's "do not track" signal or  
          other similar mechanism regarding online tracking.  This bill  
          would also require an operator's privacy policy to disclose  
          whether other parties on the Web site or online service are or  
          may be conducting online tracking, and what, if any, options an  
          individual consumer has regarding whether or not to permit this  
          collection.  

                                      BACKGROUND  

          In 2003, California enacted the Online Privacy Protection Act  
          (CalOPPA), a first in the nation statute requiring operators of  
          commercial Web sites to post online privacy policies and adhere  
          to their requirements.  Among other things, CalOPPA requires a  
          Web site operator's privacy policy to identify the categories of  
          personally identifiable information collected about individual  
          consumers who use or visit the Web site, as well as to disclose  
          the categories of third-party persons or entities with whom the  
          operator may share that personally identifiable information.  In  
          the ten years that have elapsed since CalOPPA was enacted,  
          online commerce and Web technology have thrived, and with the  
          emergence of these new business practices and new technologies,  
          new privacy concerns have also risen.

          One of the most prevalent of these new concerns involves the  
          growing industry practice of sharing Internet usage data with  
          third-parties.  Stated succinctly:

               Third-party services bring tremendous value to the web:  
               they enable first-party websites to trivially implement  
               advertising, analytics, social network integration, and  
               more.  But they also give rise to privacy concerns: over  
               the past several years, researchers, civil society  
               organizations, and policymakers have called attention to  
               the increasing trend of third-party websites recording and  
               analyzing users' browsing activities across unrelated  
               first-party websites ("third-party web tracking" or  
               "tracking" for short).  (Mayer & Mitchell, Third-Party Web  
               Tracking: Policy and Technology  
                [as of June 13, 2013], p.  
               1.)

          The amount of data collected by Web site operators and/or  
          third-parties operating through Web sites is staggering.   
          According to one commenter:

               [e]very search, query, click, page view, and link are  
               logged, retained, analyzed, and used by a host of third  
               parties, including websites (also known as "publishers"),  
               advertisers, and a multitude of advertising intermediaries,  
               including ad networks, ad exchanges, analytics providers,  
               re-targeters, market researchers, and more.  Although users  
               may expect that many of their online activities are  
               anonymous, the architecture of the Internet allows multiple  
               parties to collect data and compile user profiles with  
               various degrees of identifying information.  (Tene &  
               Polonetsky, To Track or "Do Not Track": Advancing  
               Transparency and Individual Control in Online Behavioral  
               Advertising  [as of June 13, 2013], p. 1.)

          The widespread aggregation and sale of data concerning the  
          Internet usage of individual consumers, seemingly collected  
          without a user's knowledge, raises serious privacy concerns.  As  
          another scholar explains:

               Web browsing history is inextricably linked to personal  
               information.  The pages a user visits can reveal [his or]  
               her location, interests, purchases, employment status,  
               sexual orientation, financial challenges, medical  
               conditions, and more.  Examining individual page loads is  
               often adequate to draw many conclusions about a user;  
               analyzing patterns of activity allows yet more inferences.
               . . . 
               Collection of sensitive personal information is not a  
               hypothetical concern.  In mid-2011 we discovered that an  
               advertising network, Epic Marketplace, had publicly exposed  
               its interest segment data, offering a rare glimpse of what  
               third-party trackers seek to learn about users.  User  
               segments included menopause, getting pregnant, repairing  
               bad credit, and debt relief.  Several months later we found  
               that the free online dating website OkCupid was sending to  
               the data provider Lotame how often a user drinks, smokes,  
               and does drugs.  When Krishnamurthy et al. tested search  
               queries on ten popular health websites, they found a third  
               party learned of the user's query on nine of them.  (Mayer  
               & Mitchell, Third-Party Web Tracking: Policy and  
               Technology, p. 3.)

          Responding to the privacy concerns raised by online tracking,  
          the Federal Trade Commission (FTC) has advocated "the  
          implementation of an easy-to-use, persistent, and effective Do  
          Not Track system."  (FTC, Protecting Consumer Privacy in an Era  
          of Rapid Change: Recommendations For Businesses and Policymakers  
           [as of  
          June 13, 2013], p. 72.)  Currently, all of the major Web  
          browsers offer some sort of Do Not Track feature that enables  
          individual consumers to signal to the Web sites they visit their  
          choice not to be tracked.  However, whether or not an operator  
          of a Web site, or a third-party collecting user information  
          through another's Web site, complies with a user's preference  
          not to be tracked is voluntary, and available data suggests that  
          only a tiny fraction of Web site operators respect this  
          preference.  (See Mayer & Mitchell, Third-Party Web Tracking:  
          Policy and Technology, p. 12; Twitter, Inc., Twitter supports Do  
          Not Track   
          [as of June 13, 2013].)

          This bill, sponsored by the California Attorney General, would  
          require that the operator of a commercial Web site or online  
          service disclose how it responds to a Web browser's "do not  
          track" signal (i.e. whether it complies with a signal indicating  
          a request to disable online tracking of an individual consumer)  
          in its privacy policy.  The bill would also require an operator  
          of a Web site or online service to disclose whether other  
          parties on the Web site or online service are or may be  
          conducting online tracking, and what, if any, options an  
          individual consumer has regarding whether or not to permit this  
          collection.  

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort  
          for the invasion of privacy, and provides that in order to state  
          a claim for violation of the constitutional right to privacy a  
          plaintiff must establish the following three elements: (1) a  
          legally protected privacy interest; (2) a reasonable expectation  
          of privacy in the circumstances; and (3) conduct by the  
          defendant that constitutes a serious invasion of privacy.  (Hill  
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)   
          Existing law recognizes four types of activities considered to  
          be an invasion of privacy giving rise to civil liability,  
          including the public disclosure of private facts.  (Id.)
           
           Existing case law  provides that there is no reasonable  
          expectation of privacy in information posted on a publicly  
          accessible Internet Web site.  Such information is no longer a  
          "private fact" that can be protected from public disclosure.   
          (Moreno v. Hanford Sentinel (2009) 172 Cal.App.4th 1125.)
          
           Existing law, the California Online Privacy Protection Act of  
          2003, requires an operator of a commercial Web site or online  
          service that collects personally identifiable information  
          through the Internet about individual consumers residing in  
          California who use or visit its Web site to conspicuously post  
          its privacy policy.  (Bus. & Prof. Code Sec. 22575(a).)
          
           Existing law  states that the privacy policy required by the  
          above provision shall do all of the following:

                     identify the categories of personally identifiable  
                 information that the operator collects through the Web  
                 site about individual consumers who use or visit its Web  
                 site, and the categories of third-party persons or  
                 entities with whom the operator may share that personally  
                 identifiable information;
                     provide a description of the process for an  
                 individual consumer who uses or visits its Web site to  
                 review and request changes to any of his or her  
                 personally identifiable information that is collected  
                 through the Web site, if the operator maintains such a  
                 process;
                     describe the process by which the operator notifies  
                 consumers who use or visit its Web site of material  
                 changes to the operator's privacy policy; and
                     identify the privacy policy's effective date.  (Bus.  
                 & Prof. Code Sec. 22575(b).)
          
           Existing law  provides that an operator of a commercial Web site  
          or online service violates the above provisions when it either  
          (1) knowingly and willfully, or (2) negligently and materially,  
          fails to comply with these provisions or with the provisions of  
          its posted privacy policy.  (Bus. & Prof. Code Sec. 22576.)

           This bill  would additionally require a privacy policy to disclose how  
          the operator responds to Web browser "do not track" signals or  
          other similar mechanisms regarding online tracking when an  
          individual consumer uses or visits the commercial Web site or  
          online service.

           This bill  would also require the privacy policy to disclose  
          whether other parties on the operator's commercial Web site or  
          online service are or may be conducting online tracking, and  
          what, if any, program, solution, protocol, or mechanism the  
          operator follows that offers consumers who use or visit its  
          commercial Web site or online service the ability to exercise a  
          choice regarding whether to permit this collection.
          
           This bill  would define the term "online tracking" to mean the  
          practice of collecting personally identifiable information about  
          an individual consumer's online activities over time and across  
          different Web sites and online services, for any use other than  
          the internal business purposes, as defined, of the commercial  
          Web site or online service through which the tracking is  
          conducted.

           This bill  would define the term "internal business purposes" to  
          mean those activities necessary to maintain or analyze the  
          functioning of the commercial Web site or online service,  
          perform network communications, authenticate users of the  
          commercial Web site or online service, and ensure legal or  
          regulatory compliance, provided that the information collected  
          for these activities is not used or disclosed for any other  
          purpose.

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
               There has been some progress in giving consumers more  
               control over targeted advertising.  The Digital Advertising  
               Alliance, a coalition of media and marketing organizations,  
               has an icon-based program that companies may voluntarily  
               use that gives consumers an opportunity to learn about and  
               opt out of receiving online behavioral advertising.  The  
               program does not allow consumers to choose not to be  
               tracked.  The World Wide Web Consortium, an Internet  
               standard setting organization, is working on a standard  
               protocol to allow consumers to communicate a decision not  
               to be tracked. 

               In its March 2012 report, Protecting Consumer Privacy in an  
               Era of Rapid Change, the Federal Trade Commission endorsed  
               the implementation of an easy-to-use, persistent, and  
               effective Do Not Track system.  Subsequently, all the major  
               browser companies have offered Do Not Track browser headers  
               that signal to websites an individual's choice not to be  
               tracked.  There is, however, no legal requirement for sites  
               to honor the headers.  
               . . .
               The presence of trackers on websites is generally invisible  
               to site users.  In addition to "cookie" files that record  
               the sites visited, there are more sophisticated trackers,  
               including some that can "re-spawn" themselves even after  
               users try to delete them.

          The author states that this bill would "[r]equire a website's  
          existing privacy policy to disclose how it reacts to an  
          individual's request to not be the subject of online tracking,"  
          and would also "[r]equire a website's existing privacy policy to  
          disclose whether there may be third parties conducting online  
          tracking."

          2.  Technical description of "Do Not Track"  

          According to the non-profit Mozilla Foundation, the developer of  
          a Web browser called "Firefox," "[m]ost major websites track  
          their visitors' behavior and then sell or provide that  
          information to other companies (like advertisers)."  In general,  
          "tracking" refers to "many different methods that websites,  
          advertisers and others use to learn about your web browsing  
          behavior," and "includes information about what sites you visit,  
          things you like, dislike and purchase."  Entities that track Web  
          site usage "often use this information to show ads, products or  
          services specifically targeted to you."  (Mozilla, How do I turn  
          on the Do-not-track feature?  
           [as of June 13, 2013].)

          Many Web browsers, including Firefox, have a "Do-not-track  
          feature that lets you tell websites you don't want your browsing  
          behavior tracked."  When you activate the "do-not-track"  
          feature, a Web browser "tells every website you visit (as well  
          as their advertisers and other content providers) that you don't  
          want your browsing behavior tracked."  Web browsers convey a  
          user's preference not to be tracked by transmitting a Do Not  
          Track HTTP header every time your data is requested from the  
          Internet.  Mozilla notes that "[h]onoring this setting is  
          voluntary - individual websites are not required to respect it.   
          Websites that do honor this setting should automatically stop  
          tracking your behavior without any further action from you."   
          (Mozilla, How do I turn on the Do-not-track feature?)

          According to Mozilla, "[t]urning on Do-not-track will not affect  
          your ability to log in to websites nor cause [a Web browser] to  
          forget your private information - such as the contents of  
          shopping carts, location information or login information."   
          However, an Internet user "may see less relevant advertising on  
          websites if you have the Do-not-track option activated."   
          (Mozilla, How do I turn on the Do-not-track feature?)  Do not  
          track might also alter a user's Internet experience by  
          "interfere[ing] with some personalized services you enjoy:"

               For example, a Do Not Track request might mean you would  
               have to type in your zip code each time you want to view a  
               weather report, rather than seeing the weather  
               automatically displayed.  Personalization on websites can  
               save you time and repetitive typing, but it requires data.   
               (Mozilla, Do Not Track FAQ  
                [as of June 13, 2013].)

          3.  Protection of user privacy  

          Staff notes that the right to privacy is a fundamental right  
          protected by Section 1 of Article I of the Constitution of  
          California.  This bill builds upon that fundamental right by  
          requiring the operators of commercial Web sites and online  
          services to conspicuously disclose how they respond to an  
          Internet user's "do not track" request, to disclose whether  
          other parties are or may be conducting tracking through the  
          site, and to inform Internet users if the operator of the site  
          offers any mechanism that would allow users to exercise a choice  
          regarding whether to permit online tracking.  It also furthers  
          the original stated intent underlying the California Online  
          Privacy Protection Act, which was to "improv[e] the knowledge  
          [individual consumers] have as to whether personally  
          identifiable information obtained by . . . commercial Web  
          site[s] through the Internet may be disclosed, sold, or shared."  
           (AB 68, Simitian, Chapter 829, Statutes of 2003, Sec. 2(b).)   
          Staff notes further that operators who fail to post privacy  
          policies as required under existing law are given a 30-day  
          window to cure following a notice of non-compliance before they  
          are considered to be in violation of the California Online  
          Privacy Protection Act.  (Bus. & Prof. Code Sec. 22575(a).)

          4.  User attitudes toward third-party tracking  

          A number of nationwide surveys have shown that the majority of  
          Internet users are opposed to third-party tracking of their Web  
          browsing activities.  Mayer & Mitchell of Stanford University  
          have compiled the following survey results:

               A 2009 representative U.S. phone survey by Turow et al.  
               found that 87% of respondents would not want advertising  
               based on tracking.  In an unrepresentative 2010 survey of  
               Amazon Mechanical Turk users by McDonald and Cranor, only  
               45% of respondents wanted to be shown any ads that had been  
               tailored to their interests.  A December 2010 USA  
               Today/Gallup poll reported 67% of respondents thought  
               behavioral targeting should be outright illegal.  In a  
               mid-2011 representative U.S. online survey by TRUSTe and  
               Harris Interactive, 85% of respondents said they would not  
               consent to tracking for ad targeting, and 78% said they  
               would not consent to tracking for website analytics.   
               Finally, a 2012 representative telephone survey by Pew  
               Research found that 68% of respondents were "not okay" with  
               behavioral advertising.  (Mayer & Mitchell, Third-Party Web  
               Tracking: Policy and Technology, pp. 4-5.)

          This bill would not prohibit third-party or any other form of  
          online tracking.  Rather, it is a transparency measure that  
          would implement a uniform protocol for informing Internet users  
          about the tracking or data collection practices of individual  
          Web sites, and about any options they may have to exercise a  
          choice regarding whether to permit this collection.  In so  
          doing, it would allow California consumers to make an informed  
          decision on whether or not to submit to online tracking.

          5.  Concerns expressed by industry groups  

          Though not in formal opposition, the California Chamber of  
          Commerce, the California Retailers Association, the Direct  
          Marketing Association, the Internet Alliance, and the Personal  
          Insurance Federation of California have all expressed concern  
          with AB 370.  Their concerns are threefold.  First, they point  
          out that trade and industry groups, most notably the World Wide  
          Web Consortium (W3C), are in disagreement about what "online  
          tracking" and "do not track" mean.  They suggest that this  
          disagreement may make it difficult to implement the terms of AB  
          370, and recommend that the Legislature wait to allow W3C and  
          others to finish their efforts to develop industry standards for  
          these concepts before moving forward with legislation like this.  
          Unfortunately, as the Attorney General points out, W3C has been  
          trying for over a year and a half now to address this issue, and  
          there is no indication that a resolution will be arrived at any  
          time soon.  Further, while there might be internal debate about  
          precisely what activities should be labeled as "tracking," AB  
          370 does not weigh into this debate.  Rather, it sets out a  
          bright-line standard directing operators to disclose (1) how  
          their Web site responds to a "do not track" header message, (2)  
          whether other parties are collecting personally identifiable  
          information through their site or service about an individual  
          consumer's online activities over time and across different Web  
          sites and online services, and (3) what options, if any, an  
          individual consumer has in exercising a choice regarding whether  
          to permit this collection.

          Second, they offer an interpretation of the definition of  
          "personally identifiable information" that only includes  
          information actively or knowingly provided by a Web user, which,  
          by implication, would not include the passive collection of  
          information via online tracking addressed in this bill.  Such an  
          interpretation of existing law needlessly restricts the  
          definition of "personally identifiable information" to the  
          active (and by implication voluntary or consensual) transmission  
          of information, overlooking the fact that subsection (a)(6) of  
          the definition sweeps in "[a]ny other identifier that permits  
          the physical or online contacting of a specific individual,"  
          including information passively collected from an individual.

          Finally, the concerned entities broadly suggest that this bill  
          could affect "the economic foundation and function of the  
          Internet."  As noted above, this bill does not prohibit online  
          tracking or force Web sites to comply with a user's "do not  
          track" request.  Rather, it requires Web site operators to make  
          specific disclosures about online tracking.  AB 370 is  
          fundamentally a transparency bill -- it does not require Web  
          site operators to make any affirmative changes to their data  
          collection practices.

          The Internet Association and TechAmerica, both in formal  
          opposition to the bill, offer overlapping arguments to those  
          made by the concerned entities, as well as other arguments that  
          appear to have been resolved by the author's amendments that  
          were made on June 3, 2013.


           Support  :  Consumer Watchdog; Microsoft Corporation

           Opposition  :  Internet Association; TechAmerica (unless amended)

                                        HISTORY
           
           Source  :  California Attorney General

           Related Pending Legislation  :

          AB 242 (Chau) would require online privacy policies mandated  
          under the California Online Privacy Protection Act to be no more  
          than 100 words, written in clear and concise language, written  
          at no greater than an 8th grade reading level, and include a  
          statement indicating whether any personally identifiable  
          information may be sold or shared with others, and if so, how  
          and with whom.  This bill is in the Assembly Judiciary  
          Committee. 

          AB 257 (Hall) would require mobile computing applications to  
          comply with the California Online Privacy Protection Act, and  
          would require operators and advertising networks to satisfy  
          various privacy policy requirements for mobile applications,  
          including allowing consumers to access their own collected and  
          retained personal identifying information.  This bill is in the  
          Assembly Judiciary Committee.

          AB 1291 (Lowenthal) would create the Right to Know Act of 2013,  
          repealing and reorganizing certain provisions of existing law  
          pertaining to the disclosure of a consumer's personal  
          information.  This bill is in the Assembly Judiciary Committee.

          SB 501 (Corbett) would require social networking Internet Web  
          sites to remove the address, telephone number, and other  
          personal identifying information of a registered user within 96  
          hours of his or her request.  It would also allow a parent or  
          legal guardian of a registered user who identifies himself or  
          herself as under 18 years of age to require a social networking  
          Web site to remove personal identifying information of their  
          children.  This bill is in the Assembly Committee on Arts,  
          Entertainment, Sports, Tourism, and Internet Media.

          SB 568 (Steinberg) would prohibit an operator of an Internet Web  
          site, online service, online application, or mobile application,  
          from marketing or advertising a product or service to a minor if  
          the minor cannot legally purchase the product or participate in  
          the service in the State of California.  This bill would also  
          prohibit an operator from using, disclosing, compiling, or  
          allowing a third party to knowingly use, disclose, or compile,  
          the personal information of a minor for the purpose of marketing  
          goods or services that minors cannot legally purchase or engage  
          in the State of California.  This bill is in the Assembly  
          Committee on Arts, Entertainment, Sports, Tourism, and Internet  
          Media.

           Prior Legislation  :

          SB 761 (Lowenthal, 2012) would have required the Attorney  
          General, by July 1, 2012, to adopt regulations that would  
          require online businesses to provide California consumers with a  
          method for the consumer to opt out of the collection or use of  
          his or her information by the business.  This bill died in the  
          Senate Appropriations Committee.

          SB 632 (Davis, 2009) would have required a social networking  
          Internet Web site to provide a disclosure to users that an image  
          which is uploaded onto the Web site is capable of being copied,  
          without consent, by persons who view the image, or copied in  
          violation of the privacy policy, terms of use, or other policy  
          of the site.  This bill was vetoed.

          ACR 106 (Nava, 2008) would have urged user-generated content Web  
          sites to work with the Safety Technical Task Force and law  
          enforcement to reduce the use of those Web sites for purposes of  
          criminal behavior.  This resolution died on the Assembly Floor.

          AB 68 (Simitian, Chapter 829, Statutes of 2003) enacted the  
          California Online Privacy Protection Act, which requires the  
          operators of Web sites and online services that collect  
          personally identifiable information from California residents  
          for commercial purposes to conspicuously post their privacy  
          policy on their Web site or online service and to comply with  
          that policy.
           
          Prior Vote  :

          Assembly Committee on Business, Professions, and Consumer  
          Protection
          (Ayes 12, Noes 0)
          Assembly Committee on Arts, Entertainment, Sports, Tourism, and  
          Internet Media (Ayes 6, Noes 1)
          Assembly Floor (Ayes 73, Noes 0)
          Senate Committee on Business, Professions, and Economic  
          Development
          (Ayes 10, Noes 0)
