Amended in Assembly April 28, 2016

Amended in Assembly March 18, 2016

California Legislature—2015–16 Regular Session

Assembly Bill No. 2623


Introduced by Assembly begin delete Member Gordon end delete begin insert Members Gordon and Irwin end insert

February 19, 2016


An act to begin delete add Section 22575.5 to the Business and Professions Code, relating to privacy. end delete begin insert amend Section 11546.2 of the Government Code, relating to state government. end insert

LEGISLATIVE COUNSEL’S DIGEST

AB 2623, as amended, Gordon. begin delete Internet privacy policy: commercial operator: short form. end delete begin insert State information security costs: annual report. end insert

begin insert

Existing law requires each state agency and certain designated state entities to annually report to the Department of Technology a summary of its actual and projected information technology and telecommunications costs, as specified.

end insert
begin insert

This bill would additionally require these state agencies and entities to annually report to the department, beginning on or before February 1, 2017, a summary of their actual and projected information security costs, as specified.

end insert
begin delete

Existing law requires an operator, as defined, of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit the commercial Web site or online service to conspicuously post, or make available, its privacy policy, as specified. Under existing law, an operator is in violation if the operator fails to post its policy within 30 days after being notified of noncompliance or if the operator’s failure to comply with the requirements, or with the provisions of its posted policy, is knowing and willful or negligent and material.

end delete
begin delete

This bill would additionally require the operator to provide a short form of the privacy policy to a consumer at the beginning of the privacy policy and, if the commercial Internet Web site or online service provides the consumer with a user licensing agreement or terms of service, above the agreement or terms, as specified. The bill would provide that an operator is in violation of this requirement only if the operator knowingly and willfully fails to comply with the requirement or if the operator fails to post its privacy policy short form within 30 days after being notified of noncompliance.

end delete

Vote: majority. Appropriation: no. Fiscal committee: begin delete no end delete begin insert yes end insert. State-mandated local program: no.

The people of the State of California do enact as follows:

begin insert SECTION 1. Section 11546.2 of the Government Code is amended to read: end insert

11546.2. begin insert (a) end insert On or before February begin delete 1, 2011, and annually thereafter, end delete begin insert 1 of every year, end insert each state agency and state entity subject to Section 11546.1, shall submit, as instructed by the Department of Technology, a summary of its actual and projected information technology and telecommunications costs, begin delete including end delete begin insert including, but not limited to, end insert personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in a format prescribed by the Department of Technology in order to capture statewide information technology expenditures.

begin insert

(b) On or before February 1, 2017, and annually thereafter, each state agency and state entity subject to Section 11546.1 shall submit, as instructed by the Department of Technology, a summary of its actual and projected information security costs, including, but not limited to, personnel, for the immediately preceding fiscal year and current fiscal year, showing current expenses and projected expenses for the current fiscal year, in a format prescribed by the Department of Technology in order to capture statewide information security expenditures, including the expenditure of federal grant funds for information security purposes.

end insert
begin delete
SECTION 1. Section 22575.5 is added to the Business and Professions Code, to read:

22575.5. (a) An operator of a commercial Internet Web site or online service that is required to post or make available its privacy policy pursuant to Section 22575 shall provide a short form of the privacy policy to a consumer at the beginning of the privacy policy and, if the commercial Internet Web site or online service provides the consumer with a user licensing agreement or terms of service, at the beginning of the agreement or terms.

(b) The short form required by subdivision (a) shall do all of the following:

(1) List the categories of personally identifiable information identified in the privacy policy pursuant to paragraph (1) of subdivision (b) of Section 22575, using the following specific descriptions:

(A) For information described in paragraphs (1) to (6), inclusive, of subdivision (a) of Section 22577, the descriptions used in those paragraphs.

(B) For information described in paragraph (7) of subdivision (a) of Section 22577, the following descriptions:

(i) Browser history.

(ii) Phone or text logs.

(iii) Contact lists.

(iv) Biometrics.

(v) Financial information.

(vi) Health, medical, or therapeutic information.

(vii) Location.

(viii) User files.

(2) (A) List the categories of third-party persons or entities identified in the privacy policy pursuant to paragraph (1) of subdivision (b) of Section 22575, using the following specific descriptions:

(i) Advertising networks.

(ii) Telecommunication carriers.

(iii) Commercial data resellers.

(iv) Data analytics providers.

(v) Operating systems and platforms.

(vi) Social networks.

(B) Compliance with subparagraph (A) is not required when a contract between the commercial Internet Web site or online service and the third party explicitly does both of the following:

(i) Limits the uses of the information provided by the commercial Internet Web site or online service to the third party solely to provide a service to, or on behalf of, the commercial Internet Web site or online service.

(ii) Prohibits the sharing of the consumer information by that third party with subsequent third parties.

(3) State whether or not the operator maintains a process that, if maintained, would be required to be described by the privacy policy pursuant to paragraph (2) of subdivision (b) of Section 22575.

(4) If the operator satisfies the requirements of paragraph (5) of subdivision (b) of Section 22575 by providing a hyperlink pursuant to paragraph (7) of subdivision (b) of Section 22575, include a hyperlink to the same online location.

(c) An operator shall be in violation of this section only if the operator knowingly and willfully fails to comply with this section or if the operator fails to post its privacy policy short form within 30 days after being notified of noncompliance.

end delete

