BILL NUMBER: AB 2623	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  APRIL 28, 2016
	AMENDED IN ASSEMBLY  MARCH 18, 2016

INTRODUCED BY   Assembly  Member   Gordon
  Members   Gordon   and Irwin 

                        FEBRUARY 19, 2016

   An act to  add Section 22575.5 to the Business and
Professions Code, relating to privacy.   amend Section
11546.2 of the Government Code, relating to state government. 


	LEGISLATIVE COUNSEL'S DIGEST


   AB 2623, as amended, Gordon.  Internet privacy policy:
commercial operator: short form.   State information
security costs: annual report.  
   Existing law requires each state agency and certain designated
state entities to annually report to the Department of Technology a
summary of its actual and projected information technology and
telecommunications costs, as specified.  
   This bill would additionally require these state agencies and
entities to annually report to the department, beginning on or before
February 1, 2017, a summary of their actual and projected
information security costs, as specified.  
   Existing law requires an operator, as defined, of a commercial Web
site or online service that collects personally identifiable
information through the Internet about individual consumers residing
in California who use or visit the commercial Web site or online
service to conspicuously post, or make available, its privacy policy,
as specified. Under existing law, an operator is in violation if the
operator fails to post its policy within 30 days after being
notified of noncompliance or if the operator's failure to comply with
the requirements, or with the provisions of its posted policy, is
knowing and willful or negligent and material.  
   This bill would additionally require the operator to provide a
short form of the privacy policy to a consumer at the beginning of
the privacy policy and, if the commercial Internet Web site or online
service provides the consumer with a user licensing agreement or
terms of service, above the agreement or terms, as specified. The
bill would provide that an operator is in violation of this
requirement only if the operator knowingly and willfully fails to
comply with the requirement or if the operator fails to post its
privacy policy short form within 30 days after being notified of
noncompliance. 
   Vote: majority. Appropriation: no. Fiscal committee:  no
  yes  . State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.    Section 11546.2 of the  
Government Code   is amended to read: 
   11546.2.   (a)    On or before February 
1, 2011, and annually thereafter,   1 of every year,
 each state agency and state entity subject to Section 11546.1,
shall submit, as instructed by the Department of Technology, a
summary of its actual and projected information technology and
telecommunications costs,  including  
including, but not limited to,  personnel, for the immediately
preceding fiscal year and current fiscal year, showing current
expenses and projected expenses for the current fiscal year, in a
format prescribed by the Department of Technology in order to capture
statewide information technology expenditures. 
   (b) On or before February 1, 2017, and annually thereafter, each
state agency and state entity subject to Section 11546.1 shall
submit, as instructed by the Department of Technology, a summary of
its actual and projected information security costs, including, but
not limited to, personnel, for the immediately preceding fiscal year
and current fiscal year, showing current expenses and projected
expenses for the current fiscal year, in a format prescribed by the
Department of Technology in order to capture statewide information
security expenditures, including the expenditure of federal grant
funds for information security purposes.  
  SECTION 1.    Section 22575.5 is added to the
Business and Professions Code, to read:
   22575.5.  (a) An operator of a commercial Internet Web site or
online service that is required to post or make available its privacy
policy pursuant to Section 22575 shall provide a short form of the
privacy policy to a consumer at the beginning of the privacy policy
and, if the commercial Internet Web site or online service provides
the consumer with a user licensing agreement or terms of service, at
the beginning of the agreement or terms.
   (b) The short form required by subdivision (a) shall do all of the
following:
   (1) List the categories of personally identifiable information
identified in the privacy policy pursuant to paragraph (1) of
subdivision (b) of Section 22575, using the following specific
descriptions:
   (A) For information described in paragraphs (1) to (6), inclusive,
of subdivision (a) of Section 22577, the descriptions used in those
paragraphs.
   (B) For information described in paragraph (7) of subdivision (a)
of Section 22577, the following descriptions:
   (i) Browser history.
   (ii) Phone or text logs.
   (iii) Contact lists.
   (iv) Biometrics.
   (v) Financial information.
   (vi) Health, medical, or therapeutic information.
   (vii) Location.
   (viii) User files.
   (2) (A) List the categories of third-party persons or entities
identified in the privacy policy pursuant to paragraph (1) of
subdivision (b) of Section 22575, using the following specific
descriptions:
   (i) Advertising networks.
   (ii) Telecommunication carriers.
   (iii) Commercial data resellers.
   (iv) Data analytics providers.
   (v) Operating systems and platforms.
   (vi) Social networks.
   (B) Compliance with subparagraph (A) is not required when a
contract between the commercial Internet Web site or online service
and the third party explicitly does both of the following:
   (i) Limits the uses of the information provided by the commercial
Internet Web site or online service to the third party solely to
provide a service to, or on behalf of, the commercial Internet Web
site or online service.
   (ii) Prohibits the sharing of the consumer information by that
third party with subsequent third parties.
   (3) State whether or not the operator maintains a process that, if
maintained, would be required to be described by the privacy policy
pursuant to paragraph (2) of subdivision (b) of Section 22575.
   (4) If the operator satisfies the requirements of paragraph (5) of
subdivision (b) of Section 22575 by providing a hyperlink pursuant
to paragraph (7) of subdivision (b) of Section 22575, include a
hyperlink to the same online location.
   (c) An operator shall be in violation of this section only if the
operator knowingly and willfully fails to comply with this section or
if the operator fails to post its privacy policy short form within
30 days after being notified of noncompliance.