BILL ANALYSIS
AB 370
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 370 (Muratsuchi)
As Amended June 18, 2013
Majority vote
----------------------------------------------------------------------
|ASSEMBLY: |73-0 |(May 2, 2013)   |SENATE: |37-0 |(August 22, 2013) |
----------------------------------------------------------------------
Original Committee Reference: B.,P. & C. P.
SUMMARY: Requires privacy policies posted by an operator of a
commercial Web site or online service that collects personally
identifiable information (PII) to disclose how the operator
responds to Web browser "do not track" signals regarding the
collection of PII, and to disclose whether other parties may
collect PII about an individual consumer's online activities.
The Senate amendments delete the Assembly version of this bill,
and instead:
1)Require an operator's privacy policies to disclose how it
responds to Web browser "do not track" signals or other
mechanisms that provide consumers the ability to exercise
choice regarding the collection of PII about an individual
consumer's online activities over time and across third-party
Web sites or online services, if the operator engages in that
collection.
2)Require an operator's privacy policies to disclose whether
other parties may collect PII about an individual consumer's
online activities over time and across different Web sites
when a consumer uses the operator's Web site or service.
3)Permit an operator to satisfy the response disclosure
requirement for 'do not track' signals by providing a clear
and conspicuous hyperlink in the privacy policy to an online
location containing a description, including the effects, of
any program or protocol the operator follows that offers the
consumer that choice.
EXISTING LAW:
1)Requires an operator of a commercial Web site or online
service that collects PII through the Internet about consumers
residing in California who use or visit its commercial Web
site or online service to conspicuously post its privacy
policy on its Web site or online service, and further requires
an operator to comply with that policy. (Business and
Professions Code (BPC) Section 22575(a))
2)Requires, among other things, that the privacy policy identify
the categories of PII that the operator collects about
individual consumers who use or visit its Web site or online
service and third parties with whom the operator shares the
information. (BPC Section 22575(b))
FISCAL EFFECT: None. This bill is keyed non-fiscal by the
Legislative Counsel.
COMMENTS:
1)Purpose of this bill. This bill requires operators of
commercial Web sites and other online services that collect
PII to disclose whether or not they will honor a signal from
the consumer's Web browser requesting that the Web site not
collect the consumer's PII. It also requires operators to
disclose whether other parties may collect PII when a consumer
uses the operator's Web site or service. Many popular Web
browsers incorporate a voluntary do not track signal that a
consumer can use, but Web sites are not legally required to
honor that signal. This bill aims to better inform consumers
as to which Web sites or online services collect PII and which
do not. This bill is sponsored by the California Attorney
General's Office.
2)Author's statement. According to the author, "Since the
California Online Privacy Protection Act (CalOPPA) took effect
[in 2004], online commerce has burgeoned and evolving
technology and new business practices have raised new privacy
concerns. One practice that raises privacy concerns is online
tracking, also called online behavioral tracking. This is the
monitoring of an individual across multiple websites to build
a profile of behavior and interests. In the age of smart
phones and tablets, similar tracking is also done by
monitoring individuals as they use different apps and
different phone features. The resulting profiles are commonly
used to deliver targeted advertisements...
"This bill would increase consumer awareness of the
practice of online tracking by websites and online
services, such as mobile apps. AB 370 will allow
consumers to learn from a website's privacy policy
whether or not that website honors a Do Not Track signal.
This will allow the consumer to make an informed
decision about their use of the website or service."
3)Growth in online tracking and data auctions. On June 17,
2012, the Wall Street Journal published an article about
user-tailored advertising and the explosion in demand for
consumer data collected through Web browsers. The article
notes, "...[the] rapid rise in the number of companies collecting
data about individuals' Web-surfing behavior is testament to
the power of the $31 billion online-advertising business,
which increasingly relies on data about users' Web surfing
behavior to target advertisements."
This tracking often goes unnoticed by consumers and is made
possible by the use of "cookie" files that record the sites
visited by the consumer's Web browser. The Wall Street
Journal article notes that in one study, the average visit to
a Web page triggered 56 instances of data collection. The data
collected by these cookies are so valuable that online
auctions have sprung up among advertisers to compete for the
data.
4)The do not track movement. The Federal Trade Commission in
December 2010 released a preliminary staff report, Protecting
Consumer Privacy in an Era of Rapid Change, which endorsed the
idea of an easy-to-use, persistent, and effective do not track
system.
In practice, a consumer wishing to communicate a do not track
signal to Web sites would generally do so via their Web
browser controls, the presence of which would signal to a
visited Web site that it should disable its tracking for that
visit. The signal or "field" communicates that the consumer
either opts in to or opts out of data tracking.
According to the California Attorney General's Office,
"[s]ubsequently, all the major browser companies have offered
Do Not Track browser headers that signal to websites an
individual's choice not to be tracked. There is, however, no
legal requirement for sites to honor the headers."
There was no data immediately available to suggest how
frequently Web sites decline to honor a do not track signal,
although one list maintained by researchers at Stanford
reflects a running list of Web sites that honor the do not
track signal - that list shows only 20 Web sites, most of
which are not well-known with the exception of Twitter.
This bill would mandate that Web sites that track users must
also disclose if they are honoring the voluntary do not track
signal.
5)California Online Privacy Protection Act (CalOPPA). In 2003,
the Legislature passed AB 68 (Simitian), Chapter 829, Statutes
of 2003, which generally requires operators of Web sites and
online services that collect PII about the users of their site
to conspicuously post their privacy policies on the Web site
and comply with them.
CalOPPA currently requires privacy policies to identify the
categories of PII collected, the categories of third parties
with whom that PII may be shared, the process for consumers to
review and request changes to their PII, and the process
for notification of material changes to the policy.
An operator has 30 days to comply after receiving notice of
noncompliance with the posting requirement. Failure to comply
with the CalOPPA requirements or the provisions of the posted
privacy policy, if knowing and willful, or negligent and
material, is actionable under California's Unfair Competition
Law and may result in penalties of up to $2,500 for each
violation. Any violation of this bill would be enforceable as
a violation of CalOPPA.
6)Arguments in support. According to the California Attorney
General's Office, "AB 370 is a transparency proposal - not a
Do Not Track proposal. When a privacy policy discloses whether
or not an operator honors a Do Not Track signal from a
browser, individuals may make informed decisions about their
use of the site or service."
Analysis Prepared by: Hank Dempsey / B.,P. & C.P. / (916)
319-3301