BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 370
                                                                  Page  1

          CONCURRENCE IN SENATE AMENDMENTS
          AB 370 (Muratsuchi)
          As Amended  June 18, 2013
          Majority vote
           
           ----------------------------------------------------------------- 
          |ASSEMBLY:  |73-0 |(May 2, 2013)   |SENATE: |37-0 |(August 22,    |
          |           |     |                |        |     |2013)          |
           ----------------------------------------------------------------- 
            
           Original Committee Reference:    B.,P. & C. P.  

           SUMMARY  :  Requires privacy policies posted by an operator of a  
          commercial Web site or online service that collects personally  
          identifiable information (PII) to disclose how the operator  
          responds to Web browser "do not track" signals regarding the  
          collection of PII, and to disclose whether other parties may  
          collect PII about an individual consumer's online activities.  

           The Senate amendments  delete the Assembly version of this bill,  
          and instead:

          1)Require an operator's privacy policies to disclose how it  
            responds to Web browser "do not track" signals or other  
            mechanisms that provide consumers the ability to exercise  
            choice regarding the collection of PII about an individual  
            consumer's online activities over time and across third-party  
            Web sites or online services, if the operator engages in that  
            collection.

          2)Require an operator's privacy policies to disclose whether  
            other parties may collect PII about an individual consumer's  
            online activities over time and across different Web sites  
            when a consumer uses the operator's Web site or service.

          3)Permit an operator to satisfy the response disclosure  
            requirement for 'do not track' signals by providing a clear  
            and conspicuous hyperlink in the privacy policy to an online  
            location containing a description, including the effects, of  
            any program or protocol the operator follows that offers the  
            consumer that choice.

           EXISTING LAW  : 
               
          1)Requires an operator of a commercial Web site or online  
            service that collects PII through the Internet about consumers  
            residing in California who use or visit its commercial Web  
            site or online service to conspicuously post its privacy  
            policy on its Web site or online service, and further requires  
            an operator to comply with that policy. (Business and  
            Professions Code (BPC) Section 22575(a))

          2)Requires, among other things, that the privacy policy identify  
            the categories of PII that the operator collects about  
            individual consumers who use or visit its Web site or online  
            service and third parties with whom the operator shares the  
            information. (BPC Section 22575(b))

           FISCAL EFFECT  :  None. This bill is keyed non-fiscal by the  
          Legislative Counsel. 

           COMMENTS  :   

           1)Purpose of this bill  .  This bill requires operators of  
            commercial Web sites and other online services that collect  
            PII to disclose whether or not they will honor a signal from  
            the consumer's Web browser requesting that the Web site not  
            collect the consumer's PII.  It also requires operators to  
            disclose whether other parties may collect PII when a consumer  
            uses the operator's Web site or service.  Many popular Web  
            browsers incorporate a voluntary do not track signal that a  
            consumer can use, but Web sites are not legally required to  
            honor that signal.  This bill aims to better inform consumers  
            as to which Web sites or online services collect PII and which  
            do not.  This bill is sponsored by the California Attorney  
            General's Office.   
           
           2)Author's statement  .  According to the author, "Since the  
            California Online Privacy Protection Act (CalOPPA) took effect  
            [in 2004], online commerce has burgeoned and evolving  
            technology and new business practices have raised new privacy  
            concerns.  One practice that raises privacy concerns is online  
            tracking, also called online behavioral tracking. This is the  
            monitoring of an individual across multiple websites to build  
            a profile of behavior and interests.  In the age of smart  
            phones and tablets, similar tracking is also done by  
            monitoring individuals as they use different apps and  
            different phone features.  The resulting profiles are commonly  
            used to deliver targeted advertisements...

            "This bill would increase consumer awareness of the  
            practice of online tracking by websites and online  
            services, such as mobile apps.  AB 370 will allow  
            consumers to learn from a website's privacy policy  
            whether or not that website honors a Do Not Track signal.  
             This will allow the consumer to make an informed  
            decision about their use of the website or service."

           3)Growth in online tracking and data auctions  .  On June 17,  
            2012, the Wall Street Journal published an article about  
            user-tailored advertising and the explosion in demand for  
            consumer data collected through Web browsers.  The article  
            notes, "...[the] rapid rise in the number of companies collecting  
            data about individuals' Web-surfing behavior is testament to  
            the power of the $31 billion online-advertising business,  
            which increasingly relies on data about users' Web surfing  
            behavior to target advertisements." 

          This tracking often goes unnoticed by consumers and is made  
            possible by the use of "cookie" files that record the sites  
            visited by the consumer's Web browser.  The Wall Street  
            Journal article notes that in one study, the average visit to  
            a Web page triggered 56 instances of data collection. The data  
            collected by these cookies are so valuable that online  
            auctions have sprung up among advertisers to compete for the  
            data.   

           4)The do not track movement  .  The Federal Trade Commission in  
            December 2010 released a preliminary staff report, Protecting  
            Consumer Privacy in an Era of Rapid Change, which endorsed the  
            idea of an easy-to-use, persistent, and effective do not track  
            system. 

          In practice, a consumer wishing to communicate a do not track  
            signal to Web sites would generally do so via their Web  
            browser controls, the presence of which would signal to a  
            visited Web site that it should disable its tracking for that  
            visit.  The signal or "field" communicates that the consumer  
            either opts in to or opts out of data tracking.  

          According to the California Attorney General's Office,  
            "[s]ubsequently, all the major browser companies have offered  
            Do Not Track browser headers that signal to websites an  
            individual's choice not to be tracked. There is, however, no  
            legal requirement for sites to honor the headers." 

          There was no data immediately available to suggest how  
            frequently Web sites decline to honor a do not track signal,  
            although researchers at Stanford maintain a running list of  
            Web sites that honor the do not track signal. That list shows  
            only 20 Web sites, most of which are not well known, with the  
            exception of Twitter.  

          This bill would mandate that Web sites that track users must  
            also disclose if they are honoring the voluntary do not track  
            signal.  
            
           5)California Online Privacy Protection Act (CalOPPA)  .  In 2003,  
            the Legislature passed AB 68 (Simitian), Chapter 829, Statutes  
            of 2003, which generally requires operators of Web sites and  
            online services that collect PII about the users of their site  
            to conspicuously post their privacy policies on the Web site  
            and comply with them. 

          CalOPPA currently requires privacy policies to identify the  
            categories of PII collected, the categories of third parties  
            with whom that PII may be shared, the process for consumers to  
            review and request changes to their PII, and the process  
            for notification of material changes to the policy. 

          An operator has 30 days to comply after receiving notice of  
            noncompliance with the posting requirement.  Failure to comply  
            with the CalOPPA requirements or the provisions of the posted  
            privacy policy, if knowing and willful, or negligent and  
            material, is actionable under California's Unfair Competition  
            Law and may result in penalties of up to $2,500 for each  
            violation.  Any violation of this bill would be enforceable as  
            a violation of CalOPPA.

           6)Arguments in support .  According to the California Attorney  
            General's Office, "AB 370 is a transparency proposal - not a  
            Do Not Track proposal. When a privacy policy discloses whether  
            or not an operator honors a Do Not Track signal from a  
            browser, individuals may make informed decisions about their  
            use of the site or service."

           
          Analysis Prepared by  :    Hank Dempsey / B.,P. & C.P. / (916)  
          319-3301 



          FN:  
          0001764