BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        AB 370|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  AB 370
          Author:   Muratsuchi (D)
          Amended:  6/18/13 in Senate
          Vote:     21

           
           SENATE BUSINESS, PROF. & ECON. DEVELOP. COMM.  :  10-0, 6/10/13
          AYES:  Lieu, Emmerson, Block, Corbett, Galgiani, Hernandez,  
            Hill, Padilla, Wyland, Yee

           SENATE JUDICIARY COMMITTEE  :  6-1, 6/25/13
          AYES:  Evans, Walters, Corbett, Jackson, Leno, Monning
          NOES:  Anderson

           ASSEMBLY FLOOR  :  73-0, 5/2/13 - See last page for vote


           SUBJECT  :    Consumers:  Internet privacy

           SOURCE  :     Office of the Attorney General


           DIGEST  :    This bill requires privacy policies posted by an  
          operator of a commercial Web site or online service, that  
          collects personally identifiable information (PII), to disclose  
          how the operator responds to Web browser "do not track" signals  
          or other similar mechanisms regarding the collection of PII and  
          to disclose whether other parties may collect PII about an  
          individual consumer's online activities, as specified.

           ANALYSIS  :    

          Existing law:
                                                                CONTINUED





                                                                     AB 370
                                                                     Page  
          2


          1.Requires an operator of a commercial Internet Web site or  
            online service that collects personally identifiable  
            information (PII) through the Internet about consumers  
            residing in California who use or visit its commercial Web  
            site or online service to conspicuously post its privacy  
            policy on its Web site, or in the case of an operator of an  
            online service, to make that policy available, as specified.

          2.Provides that an operator shall be in violation of the  
            provision in #1 above, only if the operator fails to post its  
            [privacy] policy within 30 days after being notified of  
            noncompliance.

          3.Specifies that the privacy policy shall (a) identify the  
            categories of PII that the operator collects about individual  
            consumers and the categories of third-party persons or  
            entities with whom the operator may share the PII; (b) provide  
            a description of the process, if maintained by the operator,  
            in which the consumer may review and request changes to any of  
            his/her PII that is collected through the Web site or online  
            service; (c) describe the process by which the operator  
            notifies consumers who use or visit its commercial Web site or  
            online service of material changes to the operator's privacy  
            policy for that Web site or online service; and (d) identify  
            the policy's effective date of the privacy policy.

          This bill:

          1.Requires, additionally, that the privacy policy shall  
            disclose:

             A.   How the operator responds to Web browser "do not track"  
               signals or other mechanisms that provide consumers the  
               ability to exercise choice regarding the collection of PII  
               of an individual consumer's online activities over time and  
               across third-party Web sites or online services, if the  
               operator engages in that collection.

             B.   Whether other parties may collect PII about an  
               individual consumer's online activities over time and  
               across different Web sites when a consumer uses the  
               operator's Web site or service.


                                                                CONTINUED





                                                                     AB 370
                                                                     Page  
          3

          1.Specifies that an operator may satisfy the requirement of #1  
            above by providing a clear and conspicuous hyperlink in the  
            operator's privacy policy to an online location containing a  
            description, including the effects, of any program or protocol  
            the operator follows that offers the consumer that choice.

           Background
           
           California Online Privacy Protection Act (CalOPPA)  .  In 2003,  
          the Legislature passed AB 68 (Simitian, Chapter 829), which  
          generally requires operators of Web sites and online services  
          that collect PII about the users of their site to conspicuously  
          post their privacy policies on the Web site and comply with  
          them. 

          As it stands today, CalOPPA requires privacy policies to  
          identify the categories of PII collected, the categories of  
          third-parties with whom that PII may be shared, the process for  
          consumers to review and request changes to his/her PII, and the  
          process for notification of material changes to the policy. 

          An operator has 30 days to comply after receiving notice of  
          noncompliance with the posting requirement.  Failure to comply  
          with the CalOPPA requirements or the provisions of the posted  
          privacy policy, if knowing and willful, or negligent and  
          material, is actionable under California's Unfair Competition  
          Law and may result in penalties of up to $2,500 for each  
          violation.  

           Growth in online tracking and data auctions  .  According to the  
          Office of the Attorney General (AG), online tracking is  
          pervasive.  "What They Know," a series of articles published in  
          the Wall Street Journal starting in 2010, reported on an  
          investigation of the tracking on the 50 most popular Web sites  
          in the country.  Those sites installed 3,180 tracking files on a  
          computer used to visit them; 12 of those sites installed more  
          than 100 tracking tools each.  

          Profiles of individuals created from tracking data are bought  
          and sold in the marketplace of analytics companies, data  
          brokers, and advertising networks.  Online tracking data can be  
          combined with information obtained from offline records.  The  
          profiles are not only used for targeted advertising, but also  
          for tailored offers at different prices based on statistically  

                                                                CONTINUED





                                                                     AB 370
                                                                     Page  
          4

          generated assumptions.  The presence of trackers on Web sites is  
          generally invisible to site users.  In addition to "cookies"  
          that record site visited, there are more sophisticated trackers,  
          including some that can "re-spawn" even after users try to  
          delete them.   

          On June 17, 2012, the Wall Street Journal published another  
          article about user-tailored advertising and the explosion in  
          demand for consumer data collected through Web browsers. The  
          article notes, "?[the] rapid rise in the number of companies  
          collecting data about individuals Web-surfing behavior is  
          testament to the power of the $31 billion online-advertising  
          business, which increasingly relies on data about users Web  
          surfing behavior to target advertisements." 

          This tracking often goes unnoticed by consumers and is made  
          possible by the use of "cookie" files that record the sites  
          visited by the consumer's Web browser.  The Journal notes that  
          in one study, the average visit to a Web page triggered 56  
          instances of data collection. The data collected by these  
          cookies are so valuable that online auctions have sprung up  
          among advertisers to compete for the data.   

           Comments

           The author writes:
          
               There has been some progress in giving consumers more  
               control over targeted advertising.  The Digital Advertising  
               Alliance, a coalition of media and marketing organizations,  
               has an icon-based program that companies may voluntarily  
               use that gives consumers an opportunity to learn about and  
               opt out of receiving online behavioral advertising.  The  
               program does not allow consumers to choose not to be  
               tracked.  The World Wide Web Consortium, an Internet  
               standard setting organization, is working on a standard  
               protocol to allow consumers to communicate a decision not  
               to be tracked. 

               In its March 2012 report, Protecting Consumer Privacy in an  
               Era of Rapid Change, the Federal Trade Commission endorsed  
               the implementation of an easy-to-use, persistent, and  
               effective Do Not Track system.  Subsequently, all the major  
               browser companies have offered Do Not Track browser headers  

                                                                CONTINUED





                                                                     AB 370
                                                                     Page  
          5

               that signal to websites an individual's choice not to be  
               tracked.  There is, however, no legal requirement for sites  
               to honor the headers.  
               . . .
               The presence of trackers on websites is generally invisible  
               to site users.  In addition to "cookie" files that record  
               the sites visited, there are more sophisticated trackers,  
               including some that can "re-spawn" themselves even after  
               users try to delete them.

          The author states that this bill would "[r]equire a website's  
          existing privacy policy to disclose how it reacts to an  
          individual's request to not be the subject of online tracking,"  
          and would also "[r]equire a website's existing privacy policy to  
          disclose whether there may be third parties conducting online  
          tracking."

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   Local:  
           No

           SUPPORT  :   (Verified  6/26/13)

          Office of the Attorney General (source) 
          Consumer Watchdog
          Microsoft Corporation

           ARGUMENTS IN SUPPORT  :    According to the bill's sponsor, the  
          Office of the Attorney General, this bill will increase  
          awareness of online behavioral tracking and allow Californians  
          to make informed decisions.   

          Consumer Watchdog states that "AB 370 is a transparency proposal  
          - not a Do Not Track proposal.  When a privacy policy discloses  
          whether or not an operator honors a Do Not Track signal from a  
          browser, individuals may make informed decisions about their use  
          of the site or the service.  CW strongly believes that there  
          must ultimately be a legal Do Not Track requirement.  However,  
          in the absence of such legislation, transparency about a  
          service's practices is a step in the right direction.  Requiring  
          transparency could well prompt companies to compete based on  
          their privacy practices.  AB 370 will likely prompt more  
          companies to honor Do Not Track requests.  At the least it will  
          give consumers more information about whether data about their  
          online activity is gathered."

                                                                CONTINUED





                                                                     AB 370
                                                                     Page  
          6


          The Microsoft Corporation writes in support of this bill and  
          "believes that government and industry must partner to protect  
          consumer's privacy and data security while still enabling and  
          fostering innovation, productivity, and cost-efficiency offered  
          by new technology."

           ASSEMBLY FLOOR  :  73-0, 5/2/13
          AYES:  Achadjian, Alejo, Allen, Ammiano, Bigelow, Blumenfield,  
            Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian  
            Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley,  
            Dahle, Daly, Dickinson, Eggman, Fong, Fox, Frazier, Beth  
            Gaines, Garcia, Gatto, Gomez, Gordon, Gorell, Gray, Grove,  
            Hagman, Harkey, Roger Hernández, Holden, Jones-Sawyer, Levine,  
            Linder, Logue, Lowenthal, Maienschein, Mansoor, Medina,  
            Melendez, Mitchell, Morrell, Mullin, Muratsuchi, Nazarian,  
            Nestande, Olsen, Pan, Patterson, Perea, V. Manuel Pérez,  
            Quirk, Quirk-Silva, Rendon, Salas, Skinner, Stone, Ting,  
            Torres, Wagner, Waldron, Weber, Wieckowski, Wilk, Yamada, John  
            A. Pérez
          NO VOTE RECORDED:  Atkins, Bloom, Donnelly, Hall, Jones,  
            Williams, Vacancy
          MW:nl  6/26/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****


















                                                                CONTINUED