Amended in Senate June 16, 2014

Amended in Senate April 2, 2014

Amended in Senate July 10, 2013

Amended in Assembly May 14, 2013

California Legislature—2013–14 Regular Session

Assembly Bill No. 928


Introduced by Assembly Member Olsen

February 22, 2013


An act to amend Section 11019.9 of the Government Code, relating to state government.

LEGISLATIVE COUNSEL’S DIGEST

AB 928, as amended, Olsen. Personal information: privacy.

The Information Practices Act of 1977 requires a state agency, among other things, to maintain in its records only personal information, as defined, that is relevant and necessary for a required or authorized purpose. Existing law requires a state department or state agency to enact and maintain a permanent privacy policy in adherence with that act that includes, but is not limited to, specified principles.

This bill would require each state department and state agency to conspicuously post, as defined, its privacy policy on its Internet Web site. The bill would also make related nonsubstantive changes.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1.  Section 11019.9 of the Government Code is amended to read:

11019.9.  (a) Each state department and state agency shall enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977 (Title 1.8 (commencing with Section 1798) of Part 4 of Division 3 of the Civil Code). Each state department and state agency shall conspicuously post its privacy policy on its Internet Web site.

(b) The privacy policy required by subdivision (a) shall include, but is not limited to, the following principles:

(1) Personally identifiable information is only obtained through lawful means.

(2) The purposes for which personally identifiable data are collected are specified at or before the time of collection, and any subsequent use is limited to the fulfillment of purposes not inconsistent with those purposes previously specified.

(3) Personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the subject of the data, or as authorized by law or regulation.

(4) Personal data collected must be relevant to the purpose for which it is collected.

(5) The general means by which personal data is protected against loss, unauthorized access, use modification or disclosure shall be posted, unless that disclosure of general means would compromise legitimate state department or state agency objectives or law enforcement purposes.

(6) Each state department or state agency shall designate a position within the department or agency, the duties of which shall include, but not be limited to, responsibility for the privacy policy within that department or agency.

(c) For purposes of this section, the term “conspicuously post” shall include posting the privacy policy through any of the following means:

(1) An Internet Web page on which the actual privacy policy is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site.

(2) An icon that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does any of the following:

(A) Includes the word “privacy.”

(B) Is written in capital letters equal to or greater in size than the surrounding text.

(C) Is written in larger type than the surrounding text or in contrasting type, font, or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it and understand it to hyperlink to the actual privacy policy.


