BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2013-2014 Regular Session
AB 370 (Muratsuchi)
As Amended June 3, 2013
Hearing Date: June 18, 2013
Fiscal: No
Urgency: No
TH
SUBJECT
Consumers: Online Tracking
DESCRIPTION
Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about California consumers to conspicuously
post and comply with its stated privacy policy. This bill would
require an operator's privacy policy to disclose how the
operator responds to a Web browser's "do not track" signal or
other similar mechanism regarding online tracking. This bill
would also require an operator's privacy policy to disclose
whether other parties on the Web site or online service are or
may be conducting online tracking, and what, if any, options an
individual consumer has regarding whether or not to permit this
collection.
BACKGROUND
In 2003, California enacted the Online Privacy Protection Act
(CalOPPA), a first-in-the-nation statute requiring operators of
commercial Web sites to post online privacy policies and adhere
to their requirements. Among other things, CalOPPA requires a
Web site operator's privacy policy to identify the categories of
personally identifiable information collected about individual
consumers who use or visit the Web site, as well as to disclose
the categories of third-party persons or entities with whom the
operator may share that personally identifiable information. In
the ten years that have elapsed since CalOPPA was enacted,
online commerce and Web technology have thrived, and with the
emergence of these new business practices and new technologies,
new privacy concerns have also arisen.
One of the most prevalent of these new concerns involves the
growing industry practice of sharing Internet usage data with
third-parties. Stated succinctly:
Third-party services bring tremendous value to the web:
they enable first-party websites to trivially implement
advertising, analytics, social network integration, and
more. But they also give rise to privacy concerns: over
the past several years, researchers, civil society
organizations, and policymakers have called attention to
the increasing trend of third-party websites recording and
analyzing users' browsing activities across unrelated
first-party websites ("third-party web tracking" or
"tracking" for short). (Mayer & Mitchell, Third-Party Web
Tracking: Policy and Technology
[as of June 13, 2013], p.
1.)
The amount of data collected by Web site operators and/or
third-parties operating through Web sites is staggering.
According to one commenter:
[e]very search, query, click, page view, and link are
logged, retained, analyzed, and used by a host of third
parties, including websites (also known as "publishers"),
advertisers, and a multitude of advertising intermediaries,
including ad networks, ad exchanges, analytics providers,
re-targeters, market researchers, and more. Although users
may expect that many of their online activities are
anonymous, the architecture of the Internet allows multiple
parties to collect data and compile user profiles with
various degrees of identifying information. (Tene &
Polonetsky, To Track or "Do Not Track": Advancing
Transparency and Individual Control in Online Behavioral
Advertising [as of June 13, 2013], p. 1.)
The widespread aggregation and sale of data concerning the
Internet usage of individual consumers, seemingly collected
without a user's knowledge, raises serious privacy concerns. As
another scholar explains:
Web browsing history is inextricably linked to personal
information. The pages a user visits can reveal [his or]
her location, interests, purchases, employment status,
sexual orientation, financial challenges, medical
conditions, and more. Examining individual page loads is
often adequate to draw many conclusions about a user;
analyzing patterns of activity allows yet more inferences.
. . .
Collection of sensitive personal information is not a
hypothetical concern. In mid-2011 we discovered that an
advertising network, Epic Marketplace, had publicly exposed
its interest segment data, offering a rare glimpse of what
third-party trackers seek to learn about users. User
segments included menopause, getting pregnant, repairing
bad credit, and debt relief. Several months later we found
that the free online dating website OkCupid was sending to
the data provider Lotame how often a user drinks, smokes,
and does drugs. When Krishnamurthy et al. tested search
queries on ten popular health websites, they found a third
party learned of the user's query on nine of them. (Mayer
& Mitchell, Third-Party Web Tracking: Policy and
Technology, p. 3.)
Responding to the privacy concerns raised by online tracking,
the Federal Trade Commission (FTC) has advocated "the
implementation of an easy-to-use, persistent, and effective Do
Not Track system." (FTC, Protecting Consumer Privacy in an Era
of Rapid Change: Recommendations For Businesses and Policymakers
[as of
June 13, 2013], p. 72.) Currently, all of the major Web
browsers offer some sort of Do Not Track feature that enables
individual consumers to signal to the Web sites they visit their
choice not to be tracked. However, whether or not an operator
of a Web site, or a third-party collecting user information
through another's Web site, complies with a user's preference
not to be tracked is voluntary, and available data suggests that
only a tiny fraction of Web site operators respect this
preference. (See Mayer & Mitchell, Third-Party Web Tracking:
Policy and Technology, p. 12; Twitter, Inc., Twitter supports Do
Not Track
[as of June 13, 2013].)
This bill, sponsored by the California Attorney General, would
require that the operator of a commercial Web site or online
service disclose how it responds to a Web browser's "do not
track" signal (i.e. whether it complies with a signal indicating
a request to disable online tracking of an individual consumer)
in its privacy policy. The bill would also require an operator
of a Web site or online service to disclose whether other
parties on the Web site or online service are or may be
conducting online tracking, and what, if any, options an
individual consumer has regarding whether or not to permit this
collection.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for the invasion of privacy, and provides that in order to state
a claim for violation of the constitutional right to privacy a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law recognizes four types of activities considered to
be an invasion of privacy giving rise to civil liability,
including the public disclosure of private facts. (Id.)
Existing case law provides that there is no reasonable
expectation of privacy in information posted on a publicly
accessible Internet Web site. Such information is no longer a
"private fact" that can be protected from public disclosure.
(Moreno v. Hanford Sentinel (2009) 172 Cal.App.4th 1125.)
Existing law, the California Online Privacy Protection Act of
2003, requires an operator of a commercial Web site or online
service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its Web site to conspicuously post
its privacy policy. (Bus. & Prof. Code Sec. 22575(a).)
Existing law states that the privacy policy required by the
above provision shall do all of the following:
identify the categories of personally identifiable
information that the operator collects through the Web
site about individual consumers who use or visit its Web
site, and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information;
provide a description of the process for an
individual consumer who uses or visits its Web site to
review and request changes to any of his or her
personally identifiable information that is collected
through the Web site, if the operator maintains such a
process;
describe the process by which the operator notifies
consumers who use or visit its Web site of material
changes to the operator's privacy policy; and
identify the privacy policy's effective date. (Bus.
& Prof. Code Sec. 22575(b).)
Existing law provides that an operator of a commercial Web site
or online service violates the above provisions when it either
(1) knowingly and willfully, or (2) negligently and materially,
fails to comply with these provisions or with the provisions of
its posted privacy policy. (Bus. & Prof. Code Sec. 22576.)
This bill would additionally require a privacy policy to disclose how
the operator responds to Web browser "do not track" signals or
other similar mechanisms regarding online tracking when an
individual consumer uses or visits the commercial Web site or
online service.
This bill would also require the privacy policy to disclose
whether other parties on the operator's commercial Web site or
online service are or may be conducting online tracking, and
what, if any, program, solution, protocol, or mechanism the
operator follows that offers consumers who use or visit its
commercial Web site or online service the ability to exercise a
choice regarding whether to permit this collection.
This bill would define the term "online tracking" to mean the
practice of collecting personally identifiable information about
an individual consumer's online activities over time and across
different Web sites and online services, for any use other than
the internal business purposes, as defined, of the commercial
Web site or online service through which the tracking is
conducted.
This bill would define the term "internal business purposes" to
mean those activities necessary to maintain or analyze the
functioning of the commercial Web site or online service,
perform network communications, authenticate users of the
commercial Web site or online service, and ensure legal or
regulatory compliance, provided that the information collected
for these activities is not used or disclosed for any other
purpose.
COMMENT
1. Stated need for the bill
The author writes:
There has been some progress in giving consumers more
control over targeted advertising. The Digital Advertising
Alliance, a coalition of media and marketing organizations,
has an icon-based program that companies may voluntarily
use that gives consumers an opportunity to learn about and
opt out of receiving online behavioral advertising. The
program does not allow consumers to choose not to be
tracked. The World Wide Web Consortium, an Internet
standard setting organization, is working on a standard
protocol to allow consumers to communicate a decision not
to be tracked.
In its March 2012 report, Protecting Consumer Privacy in an
Era of Rapid Change, the Federal Trade Commission endorsed
the implementation of an easy-to-use, persistent, and
effective Do Not Track system. Subsequently, all the major
browser companies have offered Do Not Track browser headers
that signal to websites an individual's choice not to be
tracked. There is, however, no legal requirement for sites
to honor the headers.
. . .
The presence of trackers on websites is generally invisible
to site users. In addition to "cookie" files that record
the sites visited, there are more sophisticated trackers,
including some that can "re-spawn" themselves even after
users try to delete them.
The author states that this bill would "[r]equire a website's
existing privacy policy to disclose how it reacts to an
individual's request to not be the subject of online tracking,"
and would also "[r]equire a website's existing privacy policy to
disclose whether there may be third parties conducting online
tracking."
2. Technical description of "Do Not Track"
According to the non-profit Mozilla Foundation, the developer of
a Web browser called "Firefox," "[m]ost major websites track
their visitors' behavior and then sell or provide that
information to other companies (like advertisers)." In general,
"tracking" refers to "many different methods that websites,
advertisers and others use to learn about your web browsing
behavior," and "includes information about what sites you visit,
things you like, dislike and purchase." Entities that track Web
site usage "often use this information to show ads, products or
services specifically targeted to you." (Mozilla, How do I turn
on the Do-not-track feature?
[as of June 13, 2013].)
Many Web browsers, including Firefox, have a "Do-not-track
feature that lets you tell websites you don't want your browsing
behavior tracked." When you activate the "do-not-track"
feature, a Web browser "tells every website you visit (as well
as their advertisers and other content providers) that you don't
want your browsing behavior tracked." Web browsers convey a
user's preference not to be tracked by transmitting a Do Not
Track HTTP header every time your data is requested from the
Internet. Mozilla notes that "[h]onoring this setting is
voluntary - individual websites are not required to respect it.
Websites that do honor this setting should automatically stop
tracking your behavior without any further action from you."
(Mozilla, How do I turn on the Do-not-track feature?)
According to Mozilla, "[t]urning on Do-not-track will not affect
your ability to log in to websites nor cause [a Web browser] to
forget your private information - such as the contents of
shopping carts, location information or login information."
However, an Internet user "may see less relevant advertising on
websites if you have the Do-not-track option activated."
(Mozilla, How do I turn on the Do-not-track feature?) Do not
track might also alter a user's Internet experience by
"interfer[ing] with some personalized services you enjoy:"
For example, a Do Not Track request might mean you would
have to type in your zip code each time you want to view a
weather report, rather than seeing the weather
automatically displayed. Personalization on websites can
save you time and repetitive typing, but it requires data.
(Mozilla, Do Not Track FAQ
[as of June 13, 2013].)
3. Protection of user privacy
Staff notes that the right to privacy is a fundamental right
protected by Section 1 of Article I of the Constitution of
California. This bill builds upon that fundamental right by
requiring the operators of commercial Web sites and online
services to conspicuously disclose how they respond to an
Internet user's "do not track" request, to disclose whether
other parties are or may be conducting tracking through the
site, and to inform Internet users if the operator of the site
offers any mechanism that would allow users to exercise a choice
regarding whether to permit online tracking. It also furthers
the original stated intent underlying the California Online
Privacy Protection Act, which was to "improv[e] the knowledge
[individual consumers] have as to whether personally
identifiable information obtained by . . . commercial Web
site[s] through the Internet may be disclosed, sold, or shared."
(AB 68, Simitian, Chapter 829, Statutes of 2003, Sec. 2(b).)
Staff notes further that operators who fail to post privacy
policies as required under existing law are given a 30-day
window to cure following a notice of non-compliance before they
are considered to be in violation of the California Online
Privacy Protection Act. (Bus. & Prof. Code Sec. 22575(a).)
4. User attitudes toward third-party tracking
A number of nationwide surveys have shown that the majority of
Internet users are opposed to third-party tracking of their Web
browsing activities. Mayer & Mitchell of Stanford University
have compiled the following survey results:
A 2009 representative U.S. phone survey by Turow et al.
found that 87% of respondents would not want advertising
based on tracking. In an unrepresentative 2010 survey of
Amazon Mechanical Turk users by McDonald and Cranor, only
45% of respondents wanted to be shown any ads that had been
tailored to their interests. A December 2010 USA
Today/Gallup poll reported 67% of respondents thought
behavioral targeting should be outright illegal. In a
mid-2011 representative U.S. online survey by TRUSTe and
Harris Interactive, 85% of respondents said they would not
consent to tracking for ad targeting, and 78% said they
would not consent to tracking for website analytics.
Finally, a 2012 representative telephone survey by Pew
Research found that 68% of respondents were "not okay" with
behavioral advertising. (Mayer & Mitchell, Third-Party Web
Tracking: Policy and Technology, pp. 4-5.)
This bill would not prohibit third-party or any other form of
online tracking. Rather, it is a transparency measure that
would implement a uniform protocol for informing Internet users
about the tracking or data collection practices of individual
Web sites, and about any options they may have to exercise a
choice regarding whether to permit this collection. In so
doing, it would allow California consumers to make an informed
decision on whether or not to submit to online tracking.
5. Concerns expressed by industry groups
Though not in formal opposition, the California Chamber of
Commerce, the California Retailers Association, the Direct
Marketing Association, the Internet Alliance, and the Personal
Insurance Federation of California have all expressed concern
with AB 370. Their concerns are threefold. First, they point
out that trade and industry groups, most notably the World Wide
Web Consortium (W3C), are in disagreement about what "online
tracking" and "do not track" mean. They suggest that this
disagreement may make it difficult to implement the terms of AB
370, and recommend that the Legislature wait to allow W3C and
others to finish their efforts to develop industry standards for
these concepts before moving forward with legislation like this.
Unfortunately, as the Attorney General points out, W3C has been
trying for over a year and a half now to address this issue, and
there is no indication that a resolution will be arrived at any
time soon. Further, while there might be internal debate about
precisely what activities should be labeled as "tracking," AB
370 does not weigh into this debate. Rather, it sets out a
bright-line standard directing operators to disclose (1) how
their Web site responds to a "do not track" header message, (2)
whether other parties are collecting personally identifiable
information through their site or service about an individual
consumer's online activities over time and across different Web
sites and online services, and (3) what options, if any, an
individual consumer has in exercising a choice regarding whether
to permit this collection.
Second, they offer an interpretation of the definition of
"personally identifiable information" that only includes
information actively or knowingly provided by a Web user, which,
by implication, would not include the passive collection of
information via online tracking addressed in this bill. Such an
interpretation of existing law needlessly restricts the
definition of "personally identifiable information" to the
active (and by implication voluntary or consensual) transmission
of information, overlooking the fact that subsection (a)(6) of
the definition sweeps in "[a]ny other identifier that permits
the physical or online contacting of a specific individual,"
including information passively collected from an individual.
Finally, the concerned entities broadly suggest that this bill
could affect "the economic foundation and function of the
Internet." As noted above, this bill does not prohibit online
tracking or force Web sites to comply with a user's "do not
track" request. Rather, it requires Web site operators to make
specific disclosures about online tracking. AB 370 is
fundamentally a transparency bill -- it does not require Web
site operators to make any affirmative changes to their data
collection practices.
The Internet Association and TechAmerica, both in formal
opposition to the bill, offer overlapping arguments to those
made by the concerned entities, as well as other arguments that
appear to have been resolved by the author's amendments that
were made on June 3, 2013.
Support : Consumer Watchdog; Microsoft Corporation
Opposition : Internet Association; TechAmerica (unless amended)
HISTORY
Source : California Attorney General
Related Pending Legislation :
AB 242 (Chau) would require online privacy policies mandated
under the California Online Privacy Protection Act to be no more
than 100 words, written in clear and concise language, written
at no greater than an 8th grade reading level, and include a
statement indicating whether any personally identifiable
information may be sold or shared with others, and if so, how
and with whom. This bill is in the Assembly Judiciary
Committee.
AB 257 (Hall) would require mobile computing applications to
comply with the California Online Privacy Protection Act, and
would require operators and advertising networks to satisfy
various privacy policy requirements for mobile applications,
including allowing consumers to access their own collected and
retained personal identifying information. This bill is in the
Assembly Judiciary Committee.
AB 1291 (Lowenthal) would create the Right to Know Act of 2013,
repealing and reorganizing certain provisions of existing law
pertaining to the disclosure of a consumer's personal
information. This bill is in the Assembly Judiciary Committee.
SB 501 (Corbett) would require social networking Internet Web
sites to remove the address, telephone number, and other
personal identifying information of a registered user within 96
hours of his or her request. It would also allow a parent or
legal guardian of a registered user who identifies himself or
herself as under 18 years of age to require a social networking
Web site to remove personal identifying information of their
children. This bill is in the Assembly Committee on Arts,
Entertainment, Sports, Tourism, and Internet Media.
SB 568 (Steinberg) would prohibit an operator of an Internet Web
site, online service, online application, or mobile application,
from marketing or advertising a product or service to a minor if
the minor cannot legally purchase the product or participate in
the service in the State of California. This bill would also
prohibit an operator from using, disclosing, compiling, or
allowing a third party to knowingly use, disclose, or compile,
the personal information of a minor for the purpose of marketing
goods or services that minors cannot legally purchase or engage
in the State of California. This bill is in the Assembly
Committee on Arts, Entertainment, Sports, Tourism, and Internet
Media.
Prior Legislation :
SB 761 (Lowenthal, 2012) would have required the Attorney
General, by July 1, 2012, to adopt regulations that would
require online businesses to provide California consumers with a
method for the consumer to opt out of the collection or use of
his or her information by the business. This bill died in the
Senate Appropriations Committee.
SB 632 (Davis, 2009) would have required a social networking
Internet Web site to provide a disclosure to users that an image
which is uploaded onto the Web site is capable of being copied,
without consent, by persons who view the image, or copied in
violation of the privacy policy, terms of use, or other policy
of the site. This bill was vetoed.
ACR 106 (Nava, 2008) would have urged user-generated content Web
sites to work with the Safety Technical Task Force and law
enforcement to reduce the use of those Web sites for purposes of
criminal behavior. This resolution died on the Assembly Floor.
AB 68 (Simitian, Chapter 829, Statutes of 2003) enacted the
California Online Privacy Protection Act, which requires the
operators of Web sites and online services that collect
personally identifiable information from California residents
for commercial purposes to conspicuously post their privacy
policy on their Web site or online service and to comply with
that policy.
Prior Vote :
Assembly Committee on Business, Professions, and Consumer
Protection
(Ayes 12, Noes 0)
Assembly Committee on Arts, Entertainment, Sports, Tourism, and
Internet Media (Ayes 6, Noes 1)
Assembly Floor (Ayes 73, Noes 0)
Senate Committee on Business, Professions, and Economic
Development
(Ayes 10, Noes 0)