BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 928|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) 327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 928
Author: Olsen (R)
Amended: 6/16/14 in Senate
Vote: 21
PRIOR VOTES NOT RELEVANT
SENATE JUDICIARY COMMITTEE : 6-0, 6/10/14
AYES: Jackson, Anderson, Lara, Leno, Monning, Vidak
NO VOTE RECORDED: Corbett
SENATE APPROPRIATIONS COMMITTEE : Senate Rule 28.8
SUBJECT : Personal information: privacy
SOURCE : Author
DIGEST : This bill requires each state department and state
agency to conspicuously post its privacy policy on its Internet
Web site.
ANALYSIS :
Existing law:
1. Provides that, among other rights, all people have an
inalienable right to pursue and obtain privacy.
2. Permits a person to bring an action in tort for the invasion
of privacy, and provides that in order to state a claim for a
violation of the constitutional right to privacy a plaintiff
must establish the following three elements: (1) a legally
protected privacy interest; (2) a reasonable expectation of
privacy in the circumstances; and (3) conduct by the
defendant that constitutes a serious invasion of privacy.
(Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th
1.) Existing law recognizes four types of activities
considered to be an invasion of privacy giving rise to civil
liability, including the public disclosure of private facts.
3. Establishes the Information Practices Act of 1977, standards
for state agency collection, retention, protection, and
disclosure of records containing personal information
relating to individuals.
4. Requires each state department and state agency to enact and
maintain a permanent privacy policy, in adherence with the
Information Practices Act of 1977, which includes, but is not
limited to, the following principles:
A. Personally identifiable information is only obtained
through lawful means;
B. The purposes for which personally identifiable data
are collected are specified at or prior to the time of
collection, and any subsequent use is limited to the
fulfillment of purposes not inconsistent with those
purposes previously specified;
C. Personal data shall not be disclosed, made available,
or otherwise used for purposes other than those
specified, except with the consent of the subject of the
data, or as authorized by law or regulation;
D. Personal data collected must be relevant to the
purpose for which it is collected;
E. The general means by which personal data is protected
against loss, unauthorized access, use, modification or
disclosure shall be posted, unless that disclosure of
general means would compromise legitimate state
department or state agency objectives or law enforcement
purposes; and
F. Each state department or state agency shall designate
a position within the department or agency, the duties
of which shall include, but not be limited to,
responsibility for the privacy policy within that
department or agency.
This bill:
1. Requires each state department and state agency to
conspicuously post its privacy policy on its Internet Web
site.
2. Specifies that the term "conspicuously post" shall include
posting the privacy policy through any of the following
means:
A. An Internet Web page on which the actual privacy policy
is posted if the Internet Web page is the homepage or
first significant page after entering the Internet Web
site;
B. An icon that hyperlinks to an Internet Web page on
which the actual privacy policy is posted, if the icon is
located on the homepage or the first significant page
after entering the Internet Web site, and if the icon
contains the word "privacy." The icon shall also use a
color that contrasts with the background color of the
Internet Web page or is otherwise distinguishable;
C. A text link that hyperlinks to an Internet Web page on
which the actual privacy policy is posted, if the text
link is located on the homepage or first significant page
after entering the Internet Web site, and if the text link
does any of the following:
(1) Includes the word "privacy;"
(2) Is written in capital letters equal to or
greater in size than the surrounding text;
(3) Is written in larger type than the surrounding
text or in contrasting type, font, or color to the
surrounding text of the same size, or is set off from
the surrounding text of the same size by symbols or
other marks that call attention to the language; or
D. Any other functional hyperlink that is so
displayed that a reasonable person would notice it,
and understand it to hyperlink to the actual privacy
policy.
Background
In 1977, the Legislature enacted the Information Practices Act,
declaring that the individual right to privacy was threatened by
"the indiscriminate collection, maintenance, and dissemination
of personal information." The Act set standards for the
collection, retention, and disclosure of information pertaining
to individuals by the State of California and its subsidiaries.
In 1999, the Legislature augmented the Act by requiring each
state department and state agency to enact and maintain a
permanent privacy policy in adherence with the Information
Practices Act. Each agency or department's privacy policy must,
among other things, describe the purposes for which personally
identifiable data are collected, and state that the consent of
the consumer shall be required if such data is to be disclosed,
made available, or otherwise used for purposes other than those
specified by the agency at the time of collection.
Comments
According to the author's office, the Information Practices Act
of 1977 requires a state agency, among other things, to maintain
in its records only the personal information of an individual
that is relevant and necessary for a required or authorized
purpose. Government Code 11019.9 requires that each state
agency shall enact and maintain a permanent privacy policy, in
adherence with the Information Practices Act of 1977.
This bill enhances the Information Practices Act of 1977 by
making privacy policy statements conspicuously visible on state
agency and department Web sites. This bill ensures that
internet users will have easy access to their privacy rights and
protections while viewing and interacting with the state.
Prior legislation
AB 2362 (Keene of 2008) would have required a state agency, when
collecting personal information from a resident, to provide
notice to the resident that his or her personal information is
being handled in a secure manner that guards against
unauthorized disclosure and, in the event of a breach of the
security of the system, to provide timely and appropriate
notice. This bill died in the Senate Judiciary Committee.
AB 68 (Simitian, Chapter 829, Statutes of 2003) enacted the
California Online Privacy Protection Act, which required the
operators of Web sites and online services that collect
personally identifiable information from California residents
for commercial purposes to conspicuously post their privacy
policy on their Internet Web site or online service and to
comply with that policy.
SB 129 (Peace, Chapter 984, Statutes of 2000) required, among
other things, each state department and agency to enact and
maintain a permanent privacy policy, in adherence with the
Information Practices Act of 1977.
SB 1386 (Leslie, Chapter 429, Statutes of 1988) added the
requirement that state departments and agencies post online
notices informing users when an agency's online resources gather
personal information, the type of information gathered by those
resources, the purpose for which the information is gathered,
and that users have the option to limit further use or
redistribution of gathered personal information.
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes
Local: No
AL:d 7/2/14 Senate Floor Analyses
SUPPORT/OPPOSITION: NONE RECEIVED
**** END ****