BILL ANALYSIS �Ó
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 370|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 370
Author: Muratsuchi (D)
Amended: 6/18/13 in Senate
Vote: 21
SENATE BUSINESS, PROF. & ECON. DEVELOP. COMM. : 10-0, 6/10/13
AYES: Lieu, Emmerson, Block, Corbett, Galgiani, Hernandez,
Hill, Padilla, Wyland, Yee
SENATE JUDICIARY COMMITTEE : 6-1, 6/25/13
AYES: Evans, Walters, Corbett, Jackson, Leno, Monning
NOES: Anderson
ASSEMBLY FLOOR : 73-0, 5/2/13 - See last page for vote
SUBJECT : Consumers: Internet privacy
SOURCE : Office of the Attorney General
DIGEST : This bill requires privacy policies posted by an
operator of a commercial Web site or online service, that
collects personally identifiable information (PII), to disclose
how the operator responds to Web browser "do not track" signals
or other similar mechanisms regarding the collection of PII and
to disclose whether other parties may collect PII about an
individual consumer's online activities, as specified.
ANALYSIS :
Existing law:
CONTINUED
�
AB 370
Page
2
1.Requires an operator of a commercial Internet Web site or
online service that collects personally identifiable
information (PII) through the Internet about consumers
residing in California who use or visit its commercial Web
site or online service to conspicuously post its privacy
policy on its Web site, or in the case of an operator of an
online service, to make that policy available, as specified.
2.Provides that an operator shall be in violation of the
provision in #1 above, only if the operator fails to post its
[privacy] policy within 30 days after being notified of
noncompliance.
3.Specifies that the privacy policy shall (a) identify the
categories of PII that the operator collects about individual
consumers and the categories of third-party persons or
entities with whom the operator may share the PII; (b) provide
a description of the process, if maintained by the operator,
in which the consumer may review and request changes to any of
his/her PII that is collected through the Web site or online
service; (c) describe the process by which the operator
notifies consumers who use or visit its commercial Web site or
online service of material changes to the operator's privacy
policy for that Web site or online service; and (d) identify
the policy's effective date of the privacy policy.
This bill:
1.Requires, additionally, that the privacy policy shall
disclose:
A. How the operator responds to Web browser "do not track"
signals or other mechanisms that provide consumers the
ability to exercise choice regarding the collection of PII
of an individual consumer's online activities over time and
across third-party Web sites or online services, if the
operator engages in that collection.
B. Whether other parties may collect PII about an
individual consumer's online activities over time and
across different Web sites when a consumer uses the
operator's Web site or service.
�
AB 370
Page
3
1.Specifies that an operator may satisfy the requirement of #1
above by providing a clear and conspicuous hyperlink in the
operator's privacy policy to an online location containing a
description, including the effects, of any program or protocol
the operator follows that offers the consumer that choice.
Background
California Online Privacy Protection Act (CalOPPA) . In 2003,
the Legislature passed AB 68 (Simitian, Chapter 829), which
generally requires operators of Web sites and online services
that collect PII about the users of their site to conspicuously
post their privacy policies on the Web site and comply with
them.
As it stands today, CalOPPA requires privacy policies to
identify the categories of PII collected, the categories of
third-parties with whom that PII may be shared, the process for
consumers to review and request changes to his/her PII, and the
process for notification of material changes to the policy.
An operator has 30 days to comply after receiving notice of
noncompliance with the posting requirement. Failure to comply
with the CalOPPA requirements or the provisions of the posted
privacy policy, if knowing and willful, or negligent and
material, is actionable under California's Unfair Competition
Law and may result in penalties of up to $2,500 for each
violation.
Growth in online tracking and data auctions . According to the
Office of the Attorney General (AG), online tracking is
pervasive. "What They Know," a series of articles published in
the Wall Street Journal starting in 2010, reported on an
investigation of the tracking on the 50 most popular Web sites
in the country. Those sites installed 3,180 tracking files on a
computer used to visit them; 12 of those sites installed more
than 100 tracking tools each.
Profiles of individuals created from tracking data are bought
and sold in the marketplace of analytics companies, data
brokers, and advertising networks. Online tracking data can be
combined with information obtained from offline records. The
profiles are not only used for targeted advertising, but also
for tailored offers at different prices based on statistically
�
AB 370
Page
4
generated assumptions. The presence of trackers on Web sites is
generally invisible to site users. In addition to "cookies"
that record site visited, there are more sophisticated trackers,
including some that can "re-spawn" even after users try to
delete them.
On June 17, 2012, the Wall Street Journal published another
article about user-tailored advertising and the explosion in
demand for consumer data collected through Web browsers. The
article notes, "?[the] rapid rise in the number of companies
collecting data about individuals Web-surfing behavior is
testament to the power of the $31 billion online-advertising
business, which increasingly relies on data about users Web
surfing behavior to target advertisements."
This tracking often goes unnoticed by consumers and is made
possible by the use of "cookie" files that record the sites
visited by the consumer's Web browser. The Journal notes that
in one study, the average visit to a Web page triggered 56
instances of data collection. The data collected by these
cookies are so valuable that online auctions have sprung up
among advertisers to compete for the data.
Comments
The author writes:
There has been some progress in giving consumers more
control over targeted advertising. The Digital Advertising
Alliance, a coalition of media and marketing organizations,
has an icon-based program that companies may voluntarily
use that gives consumers an opportunity to learn about and
opt out of receiving online behavioral advertising. The
program does not allow consumers to choose not to be
tracked. The World Wide Web Consortium, an Internet
standard setting organization, is working on a standard
protocol to allow consumers to communicate a decision not
to be tracked.
In its March 2012 report, Protecting Consumer Privacy in an
Era of Rapid Change, the Federal Trade Commission endorsed
the implementation of an easy-to-use, persistent, and
effective Do Not Track system. Subsequently, all the major
browser companies have offered Do Not Track browser headers
�
AB 370
Page
5
that signal to websites an individual's choice not to be
tracked. There is, however, no legal requirement for sites
to honor the headers.
. . .
The presence of trackers on websites is generally invisible
to site users. In addition to "cookie" files that record
the sites visited, there are more sophisticated trackers,
including some that can "re-spawn" themselves even after
users try to delete them.
The author states that this bill would "[r]equire a website's
existing privacy policy to disclose how it reacts to an
individual's request to not be the subject of online tracking,"
and would also "[r]equire a website's existing privacy policy to
disclose whether there may be third parties conducting online
tracking."
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local:
No
SUPPORT : (Verified 8/8/13)
Office of the Attorney General (source)
California Public Interest Research Group
Consumer Watchdog
Microsoft Corporation
ARGUMENTS IN SUPPORT : According to the bill's sponsor, the
Office of the Attorney General, this bill will increase
awareness of online behavioral tracking and allow Californians
to make informed decisions.
Consumer Watchdog (CW) states that "AB 370 is a transparency
proposal - not a Do Not Track proposal. When a privacy policy
discloses whether or not an operator honors a Do Not Track
signal from a browser, individuals may make informed decisions
about their use of the site or the service. CW strongly
believes that there must ultimately be a legal Do Not Track
requirement. However, in the absence of such legislation,
transparency about a service's practices is a step in the right
direction. Requiring transparency could well prompt companies
to compete based on their privacy practices. AB 370 will likely
prompt more companies to honor Do Not Track requests. At the
least it will give consumers more information about whether data
�
AB 370
Page
6
about their online activity is gathered."
The Microsoft Corporation writes in support of this bill and
"believes that government and industry must partner to protect
consumer's privacy and data security while still enabling and
fostering innovation, productivity, and cost-efficiency offered
by new technology."
ASSEMBLY FLOOR : 73-0, 5/2/13
AYES: Achadjian, Alejo, Allen, Ammiano, Bigelow, Blumenfield,
Bocanegra, Bonilla, Bonta, Bradford, Brown, Buchanan, Ian
Calderon, Campos, Chau, Chávez, Chesbro, Conway, Cooley,
Dahle, Daly, Dickinson, Eggman, Fong, Fox, Frazier, Beth
Gaines, Garcia, Gatto, Gomez, Gordon, Gorell, Gray, Grove,
Hagman, Harkey, Roger Hernández, Holden, Jones-Sawyer, Levine,
Linder, Logue, Lowenthal, Maienschein, Mansoor, Medina,
Melendez, Mitchell, Morrell, Mullin, Muratsuchi, Nazarian,
Nestande, Olsen, Pan, Patterson, Perea, V. Manuel Pérez,
Quirk, Quirk-Silva, Rendon, Salas, Skinner, Stone, Ting,
Torres, Wagner, Waldron, Weber, Wieckowski, Wilk, Yamada, John
A. Pérez
NO VOTE RECORDED: Atkins, Bloom, Donnelly, Hall, Jones,
Williams, Vacancy
MW:nl 8/8/13 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****