BILL ANALYSIS

SENATE RULES COMMITTEE                                      AB 370
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520  Fax: (916) 327-4478

THIRD READING

Bill No: AB 370
Author: Muratsuchi (D)
Amended: 6/18/13 in Senate
Vote: 21

SENATE BUSINESS, PROF. & ECON. DEVELOP. COMM. : 10-0, 6/10/13
AYES: Lieu, Emmerson, Block, Corbett, Galgiani, Hernandez, Hill, Padilla, Wyland, Yee

SENATE JUDICIARY COMMITTEE : 6-1, 6/25/13
AYES: Evans, Walters, Corbett, Jackson, Leno, Monning
NOES: Anderson

ASSEMBLY FLOOR : 73-0, 5/2/13 - See last page for vote

SUBJECT : Consumers: Internet privacy

SOURCE : Office of the Attorney General

DIGEST : This bill requires privacy policies posted by an operator of a commercial Web site or online service, that collects personally identifiable information (PII), to disclose how the operator responds to Web browser "do not track" signals or other similar mechanisms regarding the collection of PII and to disclose whether other parties may collect PII about an individual consumer's online activities, as specified.

ANALYSIS : Existing law:

1. Requires an operator of a commercial Internet Web site or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, to make that policy available, as specified.

2. Provides that an operator shall be in violation of the provision in #1 above, only if the operator fails to post its [privacy] policy within 30 days after being notified of noncompliance.
3. Specifies that the privacy policy shall (a) identify the categories of PII that the operator collects about individual consumers and the categories of third-party persons or entities with whom the operator may share the PII; (b) provide a description of the process, if maintained by the operator, in which the consumer may review and request changes to any of his/her PII that is collected through the Web site or online service; (c) describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service; and (d) identify the effective date of the privacy policy.

This bill:

1. Requires, additionally, that the privacy policy shall disclose:

   A. How the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII of an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

   B. Whether other parties may collect PII about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

2. Specifies that an operator may satisfy the requirement of #1 above by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Background

California Online Privacy Protection Act (CalOPPA). In 2003, the Legislature passed AB 68 (Simitian, Chapter 829), which generally requires operators of Web sites and online services that collect PII about the users of their site to conspicuously post their privacy policies on the Web site and comply with them.
As it stands today, CalOPPA requires privacy policies to identify the categories of PII collected, the categories of third parties with whom that PII may be shared, the process for consumers to review and request changes to their PII, and the process for notification of material changes to the policy. An operator has 30 days to comply after receiving notice of noncompliance with the posting requirement. Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California's Unfair Competition Law and may result in penalties of up to $2,500 for each violation.

Growth in online tracking and data auctions. According to the Office of the Attorney General (AG), online tracking is pervasive. "What They Know," a series of articles published in the Wall Street Journal starting in 2010, reported on an investigation of the tracking on the 50 most popular Web sites in the country. Those sites installed 3,180 tracking files on a computer used to visit them; 12 of those sites installed more than 100 tracking tools each. Profiles of individuals created from tracking data are bought and sold in the marketplace of analytics companies, data brokers, and advertising networks. Online tracking data can be combined with information obtained from offline records. The profiles are not only used for targeted advertising, but also for tailored offers at different prices based on statistically generated assumptions. The presence of trackers on Web sites is generally invisible to site users. In addition to "cookies" that record sites visited, there are more sophisticated trackers, including some that can "re-spawn" even after users try to delete them.

On June 17, 2012, the Wall Street Journal published another article about user-tailored advertising and the explosion in demand for consumer data collected through Web browsers.
The article notes, "...[the] rapid rise in the number of companies collecting data about individuals' Web-surfing behavior is testament to the power of the $31 billion online-advertising business, which increasingly relies on data about users' Web surfing behavior to target advertisements." This tracking often goes unnoticed by consumers and is made possible by the use of "cookie" files that record the sites visited by the consumer's Web browser. The Journal notes that in one study, the average visit to a Web page triggered 56 instances of data collection. The data collected by these cookies are so valuable that online auctions have sprung up among advertisers to compete for the data.

Comments

The author writes:

There has been some progress in giving consumers more control over targeted advertising. The Digital Advertising Alliance, a coalition of media and marketing organizations, has an icon-based program that companies may voluntarily use that gives consumers an opportunity to learn about and opt out of receiving online behavioral advertising. The program does not allow consumers to choose not to be tracked. The World Wide Web Consortium, an Internet standard setting organization, is working on a standard protocol to allow consumers to communicate a decision not to be tracked. In its March 2012 report, Protecting Consumer Privacy in an Era of Rapid Change, the Federal Trade Commission endorsed the implementation of an easy-to-use, persistent, and effective Do Not Track system. Subsequently, all the major browser companies have offered Do Not Track browser headers that signal to websites an individual's choice not to be tracked. There is, however, no legal requirement for sites to honor the headers.

. . . .

The presence of trackers on websites is generally invisible to site users.
In addition to "cookie" files that record the sites visited, there are more sophisticated trackers, including some that can "re-spawn" themselves even after users try to delete them.

The author states that this bill would "[r]equire a website's existing privacy policy to disclose how it reacts to an individual's request to not be the subject of online tracking," and would also "[r]equire a website's existing privacy policy to disclose whether there may be third parties conducting online tracking."

FISCAL EFFECT : Appropriation: No   Fiscal Com.: No   Local: No

SUPPORT : (Verified 8/8/13)

Office of the Attorney General (source)
California Public Interest Research Group
Consumer Watchdog
Microsoft Corporation

ARGUMENTS IN SUPPORT : According to the bill's sponsor, the Office of the Attorney General, this bill will increase awareness of online behavioral tracking and allow Californians to make informed decisions.

Consumer Watchdog (CW) states that "AB 370 is a transparency proposal - not a Do Not Track proposal. When a privacy policy discloses whether or not an operator honors a Do Not Track signal from a browser, individuals may make informed decisions about their use of the site or the service. CW strongly believes that there must ultimately be a legal Do Not Track requirement. However, in the absence of such legislation, transparency about a service's practices is a step in the right direction. Requiring transparency could well prompt companies to compete based on their privacy practices. AB 370 will likely prompt more companies to honor Do Not Track requests. At the least it will give consumers more information about whether data about their online activity is gathered."

The Microsoft Corporation writes in support of this bill and "believes that government and industry must partner to protect consumer's privacy and data security while still enabling and fostering innovation, productivity, and cost-efficiency offered by new technology."
ASSEMBLY FLOOR : 73-0, 5/2/13
AYES: Achadjian, Alejo, Allen, Ammiano, Bigelow, Blumenfield, Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley, Dahle, Daly, Dickinson, Eggman, Fong, Fox, Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gordon, Gorell, Gray, Grove, Hagman, Harkey, Roger Hernández, Holden, Jones-Sawyer, Levine, Linder, Logue, Lowenthal, Maienschein, Mansoor, Medina, Melendez, Mitchell, Morrell, Mullin, Muratsuchi, Nazarian, Nestande, Olsen, Pan, Patterson, Perea, V. Manuel Pérez, Quirk, Quirk-Silva, Rendon, Salas, Skinner, Stone, Ting, Torres, Wagner, Waldron, Weber, Wieckowski, Wilk, Yamada, John A. Pérez
NO VOTE RECORDED: Atkins, Bloom, Donnelly, Hall, Jones, Williams, Vacancy

MW:nl 8/8/13 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****