BILL ANALYSIS                                                                                                                                                                                                    






                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                              2013-2014 Regular Session


          AB 928 (Olsen)
          As Amended April 2, 2014
          Hearing Date: June 10, 2014
          Fiscal: Yes
          Urgency: No
          TH


                                        SUBJECT
                                           
                            Personal Information: Privacy

                                      DESCRIPTION  

          This bill would require each state department and state agency  
          to conspicuously post its privacy policy on its Internet Web  
          site.

                                      BACKGROUND  

          In 1977, the Legislature enacted the Information Practices Act,  
          declaring that the individual right to privacy was threatened by  
          "the indiscriminate collection, maintenance, and dissemination  
          of personal information."  (Civ. Code Sec. 1798.1.)  The Act set  
          standards for the collection, retention, and disclosure of  
          information pertaining to individuals by the State of California  
          and its subsidiaries.  In 1999, the Legislature augmented the  
          Act by requiring each state department and state agency to enact  
          and maintain a permanent privacy policy in adherence with the  
          Information Practices Act.  Each agency or department's privacy  
          policy must, among other things, describe the purposes for which  
          personally identifiable data are collected, and state that the  
          consent of the consumer shall be required if such data is to be  
          disclosed, made available, or otherwise used for purposes other  
          than those specified by the agency at the time of collection.

          This bill would require state departments and state agencies to  
          conspicuously post their privacy policies on their Internet Web  
          sites.

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort  
          for the invasion of privacy, and provides that in order to state  
          a claim for a violation of the constitutional right to privacy a  
          plaintiff must establish the following three elements: (1) a  
          legally protected privacy interest; (2) a reasonable expectation  
          of privacy in the circumstances; and (3) conduct by the  
          defendant that constitutes a serious invasion of privacy.  (Hill  
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)   
          Existing law recognizes four types of activities considered to  
          be an invasion of privacy giving rise to civil liability,  
          including the public disclosure of private facts.  (Id.)
          
           Existing law  , the Information Practices Act of 1977, establishes  
          standards for state agency collection, retention, protection,  
          and disclosure of records containing personal information  
          relating to individuals.  (Civ. Code Sec. 1798 et seq.)

           Existing law  requires each state department and state agency to  
          enact and maintain a permanent privacy policy, in adherence with  
          the Information Practices Act of 1977, which includes, but is  
          not limited to, the following principles:
           personally identifiable information is only obtained through  
            lawful means;
           the purposes for which personally identifiable data are  
            collected are specified at or prior to the time of collection,  
            and any subsequent use is limited to the fulfillment of  
            purposes not inconsistent with those purposes previously  
            specified;
           personal data shall not be disclosed, made available, or  
            otherwise used for purposes other than those specified, except  
            with the consent of the subject of the data, or as authorized  
            by law or regulation;
           personal data collected must be relevant to the purpose for  
            which it is collected;
           the general means by which personal data is protected against  
            loss, unauthorized access, use, modification or disclosure  
            shall be posted, unless that disclosure of general means would  
            compromise legitimate state department or state agency  
            objectives or law enforcement purposes; and
           each state department or state agency shall designate a  
            position within the department or agency, the duties of which  
            shall include, but not be limited to, responsibility for the  
            privacy policy within that department or agency.  (Gov. Code  
            Sec. 11019.9.)

           This bill  would require each state department and state agency  
          to conspicuously post its privacy policy on its Internet Web  
          site.

           This bill  would specify that the term "conspicuously post" shall  
          include posting the privacy policy through any of the following  
          means:
           an Internet Web page on which the actual privacy policy is  
            posted if the Internet Web page is the homepage or first  
            significant page after entering the Internet Web site;
           an icon that hyperlinks to an Internet Web page on which the  
            actual privacy policy is posted, if the icon is located on the  
            homepage or the first significant page after entering the  
            Internet Web site, and if the icon contains the word  
            "privacy."  The icon shall also use a color that contrasts  
            with the background color of the Internet Web page or is  
            otherwise distinguishable;
           a text link that hyperlinks to an Internet Web page on which  
            the actual privacy policy is posted, if the text link is  
            located on the homepage or first significant page after  
            entering the Internet Web site, and if the text link does any  
            of the following:
             o    includes the word "privacy;"
             o    is written in capital letters equal to or greater in  
               size than the surrounding text;
             o    is written in larger type than the surrounding text or  
               in contrasting type, font, or color to the surrounding text  
               of the same size, or is set off from the surrounding text  
               of the same size by symbols or other marks that call  
               attention to the language; or
           any other functional hyperlink that is so displayed that a  
            reasonable person would notice it.

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
            The Information Practices Act of 1977 requires a state agency,  
            among other things, to maintain in its records only the  
            personal information of an individual that is relevant and  
            necessary for a required or authorized purpose.  Government  
            Code 11019.9 requires that each state agency shall enact and  
            maintain a permanent privacy policy, in adherence with the  
            Information Practices Act of 1977.

            AB 928 would enhance the Information Practices Act of 1977 by  
            making privacy policy statements conspicuously visible on  
            state agency and department websites.  AB 928 ensures that  
            internet users will have easy access to their privacy rights  
            and protections while viewing and interacting with the  
            [s]tate.

          2.  Fundamental right to privacy
             
          Staff notes that the right to privacy is a fundamental right  
          protected by Section 1 of Article I of the Constitution of  
          California.  This bill builds upon that fundamental right by  
          requiring state agencies and departments to publish their  
          privacy policies online.  Since 2001, every state department and  
          agency that collects personal information from individuals  
          online has been obliged to post limited notices informing users  
          which of the agency's online resources gather personal  
          information, the type of information gathered by those  
          resources, the purpose for which the information is gathered,  
          and that users have the option to limit further use or  
          redistribution of gathered personal information.  (See Gov. Code  
          Sec. 11015.5.)  AB 928 would expand this existing notice  
          obligation by requiring state departments and agencies to post  
          the privacy policy mandated by existing law online.  These  
          mandatory privacy policies disclose an agency's privacy  
          practices concerning all personal information collected and  
          maintained by the agency, not just information collected through  
          the use of an online resource.  To the extent agencies do not  
          already post these policies online, this bill would help inform  
          the public about the privacy and personal information handling  
          practices of all state agencies and departments.

          3.  Conspicuous posting of privacy policies  

          In 2003, California enacted the Online Privacy Protection Act  
          (CalOPPA; Bus. & Prof. Code Sec. 22520, et seq.), a  
          first-in-the-nation statute requiring operators of commercial Web sites to  
          post online privacy policies and adhere to their requirements.   
          Among other things, CalOPPA requires a Web site operator's  
          privacy policy to identify the categories of personally  
          identifiable information collected about individual consumers  
          who use or visit the Web site, as well as to disclose the  
          categories of third-party persons or entities with whom the  
          operator may share that personally identifiable information.   
          CalOPPA mandates that Web site operators "conspicuously post" or  
          conspicuously hyperlink to their privacy policies on the first  
          significant page of a Web site, and the practice of  
          conspicuously linking to privacy policies on the first main page  
          of a site has since become a standard practice across the  
          internet.

          The bill's requirement to "conspicuously post" privacy policies  
          online mirrors the requirement found in the Online Privacy  
          Protection Act.  While the scope of information subject to  
          posting under this bill (agency-wide practices concerning  
          collection and use of personal information) differs from that  
          subject to posting under the Online Privacy Protection Act  
          (website operator practices concerning collection and use of  
          personal information), the policy considerations underlying each  
          are identical - that California residents have a right to know  
          when their personal information is being collected by others and  
          how it is being used.  By adopting the same "conspicuously post"  
          standard used in CalOPPA, this bill will allow interested  
          members of the public to quickly locate an agency's privacy  
          policy on its Internet Web site.

          4.   Technical amendment  

          The author offers the following amendment to clarify the  
          definition of "conspicuously post:"

            On page 4, line 16, strike "it." and replace with: "it and  
            understand it to hyperlink to the actual privacy policy."


           Support  :  None Known

           Opposition  :  None Known



                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  :  None Known

                                                                      






           Prior Legislation  :

          AB 242 (Chau, 2013) would have required online privacy policies  
          mandated under the California Online Privacy Protection Act to  
          be no more than 100 words, written in clear and concise  
          language, written at no greater than an 8th grade reading level,  
          and include a statement indicating whether any personally  
          identifiable information may be sold or shared with others and,  
          if so, how and with whom.  This bill died in the Assembly  
          Judiciary Committee.

          AB 257 (Hall, 2013) would have required mobile computing  
          applications to comply with the California Online Privacy  
          Protection Act, and would have required operators and  
          advertising networks to satisfy various privacy policy  
          requirements for mobile applications, including allowing  
          consumers to access their own collected and retained personal  
          identifying information.  This bill was substantively amended to  
          address a different subject and subsequently died in the  
          Assembly Judiciary Committee.

          AB 1291 (Lowenthal, 2013) would have created the Right to Know  
          Act of 2013, repealing and reorganizing certain provisions of  
          existing law pertaining to the disclosure of a consumer's  
          personal information.  This bill died in the Assembly Judiciary  
          Committee.

          AB 2362 (Keene, 2008) would have required an agency, when  
          collecting personal information from a resident, to provide  
          notice to the resident that his or her personal information is  
          being handled in a secure manner that guards against  
          unauthorized disclosure and, in the event of a breach of the  
          security of the system, to provide timely and appropriate  
          notice.  This bill died in the Senate Judiciary Committee.

          AB 68 (Simitian, Ch. 829, Stats. 2003) enacted the California  
          Online Privacy Protection Act, which requires the operators of  
          Web sites and online services that collect personally  
          identifiable information from California residents for  
          commercial purposes to conspicuously post their privacy policy  
          on their Web site or online service and to comply with that  
          policy.

          SB 129 (Peace, Ch. 984, Stats. 2000) required, among other  
          things, each state department and agency to enact and maintain a  
          permanent privacy policy, in adherence with the Information  
          Practices Act of 1977.

          SB 1386 (Leslie, Ch. 429, Stats. 1988) added the requirement  
          that state departments and agencies post online notices  
          informing users when an agency's online resources gather  
          personal information, the type of information gathered by those  
          resources, the purpose for which the information is gathered,  
          and that users have the option to limit further use or  
          redistribution of gathered personal information.  

           Prior Vote  :  Prior vote not relevant.
