BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session

AB 928 (Olsen)
As Amended April 2, 2014
Hearing Date: June 10, 2014
Fiscal: Yes
Urgency: No
TH

SUBJECT

Personal Information: Privacy

DESCRIPTION

This bill would require each state department and state agency to conspicuously post its privacy policy on its Internet Web site.

BACKGROUND

In 1977, the Legislature enacted the Information Practices Act, declaring that the individual right to privacy was threatened by "the indiscriminate collection, maintenance, and dissemination of personal information." (Civ. Code Sec. 1798.1.) The Act set standards for the collection, retention, and disclosure of information pertaining to individuals by the State of California and its subsidiaries.

In 1999, the Legislature augmented the Act by requiring each state department and state agency to enact and maintain a permanent privacy policy in adherence with the Information Practices Act. Each agency or department's privacy policy must, among other things, describe the purposes for which personally identifiable data are collected, and state that the consent of the consumer shall be required if such data is to be disclosed, made available, or otherwise used for purposes other than those specified by the agency at the time of collection.

This bill would require state departments and state agencies to conspicuously post their privacy policies on their Internet Web sites.

CHANGES TO EXISTING LAW

Existing law provides that, among other rights, all people have an inalienable right to pursue and obtain privacy. (Cal. Const., art. I, Sec. 1.)

Existing case law permits a person to bring an action in tort for the invasion of privacy, and provides that in order to state a claim for a violation of the constitutional right to privacy a plaintiff must establish the following three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by the defendant that constitutes a serious invasion of privacy. (Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.) Existing law recognizes four types of activities considered to be an invasion of privacy giving rise to civil liability, including the public disclosure of private facts. (Id.)

Existing law, the Information Practices Act of 1977, establishes standards for state agency collection, retention, protection, and disclosure of records containing personal information relating to individuals. (Civ. Code Sec. 1798 et seq.)

Existing law requires each state department and state agency to enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977, which includes, but is not limited to, the following principles:
- personally identifiable information is only obtained through lawful means;
- the purposes for which personally identifiable data are collected are specified at or prior to the time of collection, and any subsequent use is limited to the fulfillment of purposes not inconsistent with those purposes previously specified;
- personal data shall not be disclosed, made available, or otherwise used for purposes other than those specified, except with the consent of the subject of the data, or as authorized by law or regulation;
- personal data collected must be relevant to the purpose for which it is collected;
- the general means by which personal data is protected against loss, unauthorized access, use, modification, or disclosure shall be posted, unless that disclosure of general means would compromise legitimate state department or state agency objectives or law enforcement purposes; and
- each state department or state agency shall designate a position within the department or agency, the duties of which shall include, but not be limited to, responsibility for the privacy policy within that department or agency. (Gov. Code Sec. 11019.9.)

This bill would require each state department and state agency to conspicuously post its privacy policy on its Internet Web site.

This bill would specify that the term "conspicuously post" shall include posting the privacy policy through any of the following means:
- an Internet Web page on which the actual privacy policy is posted if the Internet Web page is the homepage or first significant page after entering the Internet Web site;
- an icon that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Internet Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Internet Web page or is otherwise distinguishable;
- a text link that hyperlinks to an Internet Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Internet Web site, and if the text link does any of the following:
  o includes the word "privacy;"
  o is written in capital letters equal to or greater in size than the surrounding text;
  o is written in larger type than the surrounding text or in contrasting type, font, or color to the surrounding text of the same size, or is set off from the surrounding text of the same size by symbols or other marks that call attention to the language; or
- any other functional hyperlink that is so displayed that a reasonable person would notice it.

COMMENT

1. Stated need for the bill

The author writes:

    The Information Practices Act of 1977 requires a state agency, among other things, to maintain in its records only the personal information of an individual that is relevant and necessary for a required or authorized purpose. Government Code 11019.9 requires that each state agency shall enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977. AB 928 would enhance the Information Practices Act of 1977 by making privacy policy statements conspicuously visible on state agency and department websites. AB 928 ensures that internet users will have easy access to their privacy rights and protections while viewing and interacting with the [s]tate.

2. Fundamental right to privacy

Staff notes that the right to privacy is a fundamental right protected by Section 1 of Article I of the Constitution of California. This bill builds upon that fundamental right by requiring state agencies and departments to publish their privacy policies online.

Since 2001, every state department and agency that collects personal information from individuals online has been obliged to post limited notices informing users which of the agency's online resources gather personal information, the type of information gathered by those resources, the purpose for which the information is gathered, and that users have the option to limit further use or redistribution of gathered personal information. (See Gov. Code Sec. 11015.5.) AB 928 would expand this existing notice obligation by requiring state departments and agencies to post the privacy policy mandated by existing law online. These mandatory privacy policies disclose an agency's privacy practices concerning all personal information collected and maintained by the agency, not just information collected through the use of an online resource. To the extent agencies do not already post these policies online, this bill would help inform the public about the privacy and personal information handling practices of all state agencies and departments.

3. Conspicuous posting of privacy policies

In 2003, California enacted the Online Privacy Protection Act (CalOPPA; Bus. & Prof. Code Sec. 22520, et seq.), a first-in-the-nation statute requiring operators of commercial Web sites to post online privacy policies and adhere to their requirements. Among other things, CalOPPA requires a Web site operator's privacy policy to identify the categories of personally identifiable information collected about individual consumers who use or visit the Web site, as well as to disclose the categories of third-party persons or entities with whom the operator may share that personally identifiable information. CalOPPA mandates that Web site operators "conspicuously post" or conspicuously hyperlink to their privacy policies on the first significant page of a Web site, and the practice of conspicuously linking to privacy policies on the first main page of a site has since become a standard practice across the internet.

The bill's requirement to "conspicuously post" privacy policies online mirrors the requirement found in the Online Privacy Protection Act. While the scope of information subject to posting under this bill (agency-wide practices concerning collection and use of personal information) differs from that subject to posting under the Online Privacy Protection Act (website operator practices concerning collection and use of personal information), the policy considerations underlying each are identical: that California residents have a right to know when their personal information is being collected by others and how it is being used. By adopting the same "conspicuously post" standard used in CalOPPA, this bill will allow interested members of the public to quickly locate an agency's privacy policy on its Internet Web site.

4. Technical amendment

The author offers the following amendment to clarify the definition of "conspicuously post:"

    On page 4, line 16, strike "it." and replace with: "it and understand it to hyperlink to the actual privacy policy."

Support: None Known

Opposition: None Known

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation:

AB 242 (Chau, 2013) would have required online privacy policies mandated under the California Online Privacy Protection Act to be no more than 100 words, written in clear and concise language, written at no greater than an 8th grade reading level, and include a statement indicating whether any personally identifiable information may be sold or shared with others and, if so, how and with whom. This bill died in the Assembly Judiciary Committee.

AB 257 (Hall, 2013) would have required mobile computing applications to comply with the California Online Privacy Protection Act, and would have required operators and advertising networks to satisfy various privacy policy requirements for mobile applications, including allowing consumers to access their own collected and retained personal identifying information. This bill was substantively amended to address a different subject and subsequently died in the Assembly Judiciary Committee.

AB 1291 (Lowenthal, 2013) would have created the Right to Know Act of 2013, repealing and reorganizing certain provisions of existing law pertaining to the disclosure of a consumer's personal information. This bill died in the Assembly Judiciary Committee.

AB 2362 (Keene, 2008) would have required an agency, when collecting personal information from a resident, to provide notice to the resident that his or her personal information is being handled in a secure manner that guards against unauthorized disclosure and, in the event of a breach of the security of the system, to provide timely and appropriate notice. This bill died in the Senate Judiciary Committee.

AB 68 (Simitian, Ch. 829, Stats. 2003) enacted the California Online Privacy Protection Act, which requires the operators of Web sites and online services that collect personally identifiable information from California residents for commercial purposes to conspicuously post their privacy policy on their Web site or online service and to comply with that policy.

SB 129 (Peace, Ch. 984, Stats. 2000) required, among other things, each state department and agency to enact and maintain a permanent privacy policy, in adherence with the Information Practices Act of 1977.

SB 1386 (Leslie, Ch. 429, Stats. 1988) added the requirement that state departments and agencies post online notices informing users when an agency's online resources gather personal information, the type of information gathered by those resources, the purpose for which the information is gathered, and that users have the option to limit further use or redistribution of gathered personal information.

Prior Vote: Prior vote not relevant.