BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
AB 928 (Olsen)
As Amended April 2, 2014
Hearing Date: June 10, 2014
Fiscal: Yes
Urgency: No
TH
SUBJECT
Personal Information: Privacy
DESCRIPTION
This bill would require each state department and state agency
to conspicuously post its privacy policy on its Internet Web
site.
BACKGROUND
In 1977, the Legislature enacted the Information Practices Act,
declaring that the individual right to privacy was threatened by
"the indiscriminate collection, maintenance, and dissemination
of personal information." (Civ. Code Sec. 1798.1.) The Act set
standards for the collection, retention, and disclosure of
information pertaining to individuals by the State of California
and its subsidiaries. In 1999, the Legislature augmented the
Act by requiring each state department and state agency to enact
and maintain a permanent privacy policy in adherence with the
Information Practices Act. Each agency or department's privacy
policy must, among other things, describe the purposes for which
personally identifiable data are collected, and state that the
consent of the consumer shall be required if such data is to be
disclosed, made available, or otherwise used for purposes other
than those specified by the agency at the time of collection.
This bill would require state departments and state agencies to
conspicuously post their privacy policies on their Internet Web
sites.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. 1.)
Existing case law permits a person to bring an action in tort
for the invasion of privacy, and provides that in order to state
a claim for a violation of the constitutional right to privacy a
plaintiff must establish the following three elements: (1) a
legally protected privacy interest; (2) a reasonable expectation
of privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy. (Hill
v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)
Existing law recognizes four types of activities considered to
be an invasion of privacy giving rise to civil liability,
including the public disclosure of private facts. (Id.)
Existing law, the Information Practices Act of 1977, establishes
standards for state agency collection, retention, protection,
and disclosure of records containing personal information
relating to individuals. (Civ. Code Sec. 1798 et seq.)
Existing law requires each state department and state agency to
enact and maintain a permanent privacy policy, in adherence with
the Information Practices Act of 1977, which includes, but is
not limited to, the following principles:
- personally identifiable information is only obtained through
  lawful means;
- the purposes for which personally identifiable data are
  collected are specified at or prior to the time of collection,
  and any subsequent use is limited to the fulfillment of
  purposes not inconsistent with those purposes previously
  specified;
- personal data shall not be disclosed, made available, or
  otherwise used for purposes other than those specified, except
  with the consent of the subject of the data, or as authorized
  by law or regulation;
- personal data collected must be relevant to the purpose for
  which it is collected;
- the general means by which personal data is protected against
  loss, unauthorized access, use modification or disclosure
  shall be posted, unless that disclosure of general means would
  compromise legitimate state department or state agency
  objectives or law enforcement purposes; and
- each state department or state agency shall designate a
  position within the department or agency, the duties of which
  shall include, but not be limited to, responsibility for the
  privacy policy within that department or agency. (Gov. Code
  Sec. 11019.9.)
This bill would require each state department and state agency
to conspicuously post its privacy policy on its Internet Web
site.
This bill would specify that the term "conspicuously post" shall
include posting the privacy policy through any of the following
means:
- an Internet Web page on which the actual privacy policy is
  posted if the Internet Web page is the homepage or first
  significant page after entering the Internet Web site;
- an icon that hyperlinks to an Internet Web page on which the
  actual privacy policy is posted, if the icon is located on the
  homepage or the first significant page after entering the
  Internet Web site, and if the icon contains the word
  "privacy." The icon shall also use a color that contrasts
  with the background color of the Internet Web page or is
  otherwise distinguishable;
- a text link that hyperlinks to an Internet Web page on which
  the actual privacy policy is posted, if the text link is
  located on the homepage or first significant page after
  entering the Internet Web site, and if the text link does any
  of the following:
  o includes the word "privacy;"
  o is written in capital letters equal to or greater in
    size than the surrounding text;
  o is written in larger type than the surrounding text or
    in contrasting type, font, or color to the surrounding text
    of the same size, or is set off from the surrounding text
    of the same size by symbols or other marks that call
    attention to the language; or
- any other functional hyperlink that is so displayed that a
  reasonable person would notice it.
COMMENT
1. Stated need for the bill
The author writes:
The Information Practices Act of 1977 requires a state agency,
among other things, to maintain in its records only the
personal information of an individual that is relevant and
necessary for a required or authorized purpose. Government
Code 11019.9 requires that each state agency shall enact and
maintain a permanent privacy policy, in adherence with the
Information Practices Act of 1977.
AB 928 would enhance the Information Practices Act of 1977 by
making privacy policy statements conspicuously visible on
state agency and department websites. AB 928 ensures that
internet users will have easy access to their privacy rights
and protections while viewing and interacting with the
[s]tate.
2. Fundamental right to privacy
Staff notes that the right to privacy is a fundamental right
protected by Section 1 of Article I of the Constitution of
California. This bill builds upon that fundamental right by
requiring state agencies and departments to publish their
privacy policies online. Since 2001, every state department and
agency that collects personal information from individuals
online has been obliged to post limited notices informing users
which of the agency's online resources gather personal
information, the type of information gathered by those
resources, the purpose for which the information is gathered,
and that users have the option to limit further use or
redistribution of gathered personal information. (See Gov. Code
Sec. 11015.5.) AB 928 would expand this existing notice
obligation by requiring state departments and agencies to post
the privacy policy mandated by existing law online. These
mandatory privacy policies disclose an agency's privacy
practices concerning all personal information collected and
maintained by the agency, not just information collected through
the use of an online resource. To the extent agencies do not
already post these policies online, this bill would help inform
the public about the privacy and personal information handling
practices of all state agencies and departments.
3. Conspicuous posting of privacy policies
In 2003, California enacted the Online Privacy Protection Act
(CalOPPA; Bus. & Prof. Code Sec. 22520, et seq.), a first in the
nation statute requiring operators of commercial Web sites to
post online privacy policies and adhere to their requirements.
Among other things, CalOPPA requires a Web site operator's
privacy policy to identify the categories of personally
identifiable information collected about individual consumers
who use or visit the Web site, as well as to disclose the
categories of third-party persons or entities with whom the
operator may share that personally identifiable information.
CalOPPA mandates that Web site operators "conspicuously post" or
conspicuously hyperlink to their privacy policies on the first
significant page of a Web site, and the practice of
conspicuously linking to privacy policies on the first main page
of a site has since become a standard practice across the
internet.
The bill's requirement to "conspicuously post" privacy policies
online mirrors the requirement found in the Online Privacy
Protection Act. While the scope of information subject to
posting under this bill (agency-wide practices concerning
collection and use of personal information) differs from that
subject to posting under the Online Privacy Protection Act
(website operator practices concerning collection and use of
personal information), the policy considerations underlying each
are identical - that California residents have a right to know
when their personal information is being collected by others and
how it is being used. By adopting the same "conspicuously post"
standard used in CalOPPA, this bill will allow interested
members of the public to quickly locate an agency's privacy
policy on its Internet Web site.
4. Technical amendment
The author offers the following amendment to clarify the
definition of "conspicuously post:"
On page 4, line 16, strike "it." and replace with: "it and
understand it to hyperlink to the actual privacy policy."
Support: None Known
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation:
AB 242 (Chau, 2013) would have required online privacy policies
mandated under the California Online Privacy Protection Act to
be no more than 100 words, written in clear and concise
language, written at no greater than an 8th grade reading level,
and include a statement indicating whether any personally
identifiable information may be sold or shared with others and,
if so, how and with whom. This bill died in the Assembly
Judiciary Committee.
AB 257 (Hall, 2013) would have required mobile computing
applications to comply with the California Online Privacy
Protection Act, and would have required operators and
advertising networks to satisfy various privacy policy
requirements for mobile applications, including allowing
consumers to access their own collected and retained personal
identifying information. This bill was substantively amended to
address a different subject and subsequently died in the
Assembly Judiciary Committee.
AB 1291 (Lowenthal, 2013) would have created the Right to Know
Act of 2013, repealing and reorganizing certain provisions of
existing law pertaining to the disclosure of a consumer's
personal information. This bill died in the Assembly Judiciary
Committee.
AB 2362 (Keene, 2008) would have required an agency, when
collecting personal information from a resident, to provide
notice to the resident that his or her personal information is
being handled in a secure manner that guards against
unauthorized disclosure and, in the event of a breach of the
security of the system, to provide timely and appropriate
notice. This bill died in the Senate Judiciary Committee.
AB 68 (Simitian, Ch. 829, Stats. 2003) enacted the California
Online Privacy Protection Act, which requires the operators of
Web sites and online services that collect personally
identifiable information from California residents for
commercial purposes to conspicuously post their privacy policy
on their Web site or online service and to comply with that
policy.
SB 129 (Peace, Ch. 984, Stats. 2000) required, among other
things, each state department and agency to enact and maintain a
permanent privacy policy, in adherence with the Information
Practices Act of 1977.
SB 1386 (Leslie, Ch. 429, Stats. 1988) added the requirement
that state departments and agencies post online notices
informing users when an agency's online resources gather
personal information, the type of information gathered by those
resources, the purpose for which the information is gathered,
and that users have the option to limit further use or
redistribution of gathered personal information.
Prior Vote: Prior vote not relevant.