SB 576, as introduced, Leno. Mobile applications: geolocation information: privacy.
Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet, about individual consumers residing in California who use or visit its commercial Internet Web site or online service, to make a privacy policy available to consumers and to include specified information relating to the collection of personally identifiable information within that privacy policy.
This bill would require the operator of a mobile application to provide clear and conspicuous notice that fully informs consumers when, how, and why their geolocation information, as defined, will be collected, used, and shared upon installation of the application. The bill would require the operator of a mobile application to obtain consent before collecting or using geolocation information and to obtain separate consent before disclosing that information.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 22575.1 is added to the Business and
2Professions Code, to read:
(a) An operator of a mobile application shall provide
2clear and conspicuous notice that fully informs consumers when,
3how, and why their geolocation information will be collected,
4used, and shared upon installation of the application.
5(b) An operator of a mobile application shall obtain a user’s
6affirmative express consent before collecting or using the user’s
7geolocation information. The operator shall separately obtain the
8user’s affirmative express consent before disclosing the user’s
9geolocation information.
Section 22577 of the Business and Professions Code
11 is amended to read:
For the purposes of this chapter, the following
13definitions apply:
14(a) The term “personally identifiable information” means
15individually identifiable information about an individual consumer
16collected online by the operator from that individual and
17maintained by the operator in an accessible form, including any
18of the following:
19(1) A first and last name.
20(2) A home or other physical address, including street name and
21name of a city or town.
22(3) Anbegin delete e-mailend deletebegin insert
emailend insert address.
23(4) A telephone number.
24(5) A social security number.
25(6) Any other identifier that permits the physical or online
26contacting of a specific individual.
27(7) Information concerning a user that thebegin insert Internetend insert Web site or
28online service collects online from the user and maintains in
29personally identifiable form in combination with an identifier
30described in this subdivision.
31(b) The term “conspicuously post” with respect to a privacy
32policy shall include posting the privacy policy through any of the
33following:
34(1) A Web page on which the actual privacy policy is posted if
35thebegin insert Internetend insert Web page is the homepage or first significant page
36after entering thebegin insert Internetend insert Web site.
37(2) An icon that hyperlinks tobegin delete aend deletebegin insert an Internetend insert Web page on which
38the actual privacy policy is posted, if the icon is located on the
39homepage or the first significant page after entering thebegin insert Internetend insert
40 Web site, and if
the icon contains the word “privacy.” The icon
P3 1shall also use a color that contrasts with the background color of
2thebegin insert Internetend insert Web page or is otherwise distinguishable.
3(3) A text link that hyperlinks tobegin delete aend deletebegin insert an Internetend insert Web page on
4which the actual privacy policy is posted, if the text link is located
5on the homepage or first significant page after entering thebegin insert Internetend insert
6 Web site, and if the text link does one of the following:
7(A) Includes the word “privacy.”
8(B) Is written in capital letters equal to or greater in size than
9the surrounding text.
10(C) Is written in larger type than the surrounding text, or in
11contrasting type, font, or color to the surrounding text of the same
12size, or set off from the surrounding text of the same size by
13symbols or other marks that call attention to the language.
14(4) Any other functional hyperlink that is so displayed that a
15reasonable person would notice it.
16(5) In the case of an online service, any other reasonably
17accessible means of making the privacy policy available for
18consumers of the online service.
19(c) The term “operator” means any person or entity that owns
20begin delete aend deletebegin insert
an Internetend insert Web sitebegin delete located on the Internetend delete or an online servicebegin insert,
21including a mobile application,end insert that collects and maintains
22personally identifiable information from a consumer residing in
23California who uses or visits thebegin insert Internetend insert Web site or online service
24if thebegin insert Internetend insert Web site or online service is operated for commercial
25purposes. It does not include any third party that operates, hosts,
26or manages, but does not own,begin delete aend deletebegin insert
an Internetend insert Web site or online
27service on the owner’s behalf or by processing information on
28behalf of the owner.
29(d) The term “consumer” means any individual who seeks or
30acquires, by purchase or lease, any goods, services, money, or
31credit for personal, family, or household purposes.
32(e) The term “geolocation information” means information that
33can be used to identify the physical location of an electronic device
34or its user.
O
99