BILL ANALYSIS



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        AB 928|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520                    |                              |
          |Fax: (916) 327-4478               |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  AB 928
          Author:   Olsen (R)
          Amended:  6/16/14 in Senate
          Vote:     21


          PRIOR VOTES NOT RELEVANT
           
           SENATE JUDICIARY COMMITTEE  : 6-0, 6/10/14
          AYES: Jackson, Anderson, Lara, Leno, Monning, Vidak
          NO VOTE RECORDED: Corbett

           SENATE APPROPRIATIONS COMMITTEE  : Senate Rule 28.8


           SUBJECT  :    Personal information:  privacy

           SOURCE :     Author


           DIGEST  :    This bill requires each state department and state  
          agency to conspicuously post its privacy policy on its Internet  
          Web site.

           ANALYSIS  :    

          Existing law:

          1. Provides that, among other rights, all people have an  
             inalienable right to pursue and obtain privacy.  

          2. Permits a person to bring an action in tort for the invasion  
             of privacy, and provides that in order to state a claim for a  
             violation of the constitutional right to privacy a plaintiff  
             must establish the following three elements:  (1) a legally  
             protected privacy interest; (2) a reasonable expectation of  
             privacy in the circumstances; and (3) conduct by the  
             defendant that constitutes a serious invasion of privacy.   
             (Hill v. National Collegiate Athletic Assn. (1994) 7 Cal.4th  
             1.)  Existing law recognizes four types of activities  
             considered to be an invasion of privacy giving rise to civil  
             liability, including the public disclosure of private facts.   


          3. Establishes the Information Practices Act of 1977, standards  
             for state agency collection, retention, protection, and  
             disclosure of records containing personal information  
             relating to individuals.

          4. Requires each state department and state agency to enact and  
             maintain a permanent privacy policy, in adherence with the  
             Information Practices Act of 1977, which includes, but is not  
             limited to, the following principles:

             A.    Personally identifiable information is only obtained  
                through lawful means;

             B.    The purposes for which personally identifiable data  
                are collected are specified at or prior to the time of  
                collection, and any subsequent use is limited to the  
                fulfillment of purposes not inconsistent with those  
                purposes previously specified;

             C.    Personal data shall not be disclosed, made available,  
                or otherwise used for purposes other than those  
                specified, except with the consent of the subject of the  
                data, or as authorized by law or regulation;

             D.    Personal data collected must be relevant to the  
                purpose for which it is collected;

             E.    The general means by which personal data is protected  
                against loss, unauthorized access, use, modification or  
                disclosure shall be posted, unless that disclosure of  
                general means would compromise legitimate state  
                department or state agency objectives or law enforcement  
                purposes; and

             F.    Each state department or state agency shall designate  
                a position within the department or agency, the duties  
                of which shall include, but not be limited to,  
                responsibility for the privacy policy within that  
                department or agency.  


          This bill:

          1. Requires each state department and state agency to  
             conspicuously post its privacy policy on its Internet Web  
             site.

          2. Specifies that the term "conspicuously post" shall include  
             posting the privacy policy through any of the following  
             means:

             A.    An Internet Web page on which the actual privacy policy  
                is posted if the Internet Web page is the homepage or  
                first significant page after entering the Internet Web  
                site;

             B.    An icon that hyperlinks to an Internet Web page on  
                which the actual privacy policy is posted, if the icon is  
                located on the homepage or the first significant page  
                after entering the Internet Web site, and if the icon  
                contains the word "privacy."  The icon shall also use a  
                color that contrasts with the background color of the  
                Internet Web page or is otherwise distinguishable;

             C.    A text link that hyperlinks to an Internet Web page on  
                which the actual privacy policy is posted, if the text  
                link is located on the homepage or first significant page  
                after entering the Internet Web site, and if the text link  
                does any of the following:

                (1)      Includes the word "privacy;"

                (2)      Is written in capital letters equal to or  
                   greater in size than the surrounding text;

                (3)      Is written in larger type than the surrounding  
                   text or in contrasting type, font, or color to the  
                   surrounding text of the same size, or is set off from  
                   the surrounding text of the same size by symbols or  
                   other marks that call attention to the language; or

             D.    Any other functional hyperlink that is so displayed  
                that a reasonable person would notice it, and understand  
                it to hyperlink to the actual privacy policy.

           


          Background
           
          In 1977, the Legislature enacted the Information Practices Act,  
          declaring that the individual right to privacy was threatened by  
          "the indiscriminate collection, maintenance, and dissemination  
          of personal information."  The Act set standards for the  
          collection, retention, and disclosure of information pertaining  
          to individuals by the State of California and its subsidiaries.   
          In 1999, the Legislature augmented the Act by requiring each  
          state department and state agency to enact and maintain a  
          permanent privacy policy in adherence with the Information  
          Practices Act.  Each agency or department's privacy policy must,  
          among other things, describe the purposes for which personally  
          identifiable data are collected, and state that the consent of  
          the consumer shall be required if such data is to be disclosed,  
          made available, or otherwise used for purposes other than those  
          specified by the agency at the time of collection.

          Comments

           According to the author's office, the Information Practices Act  
          of 1977 requires a state agency, among other things, to maintain  
          in its records only the personal information of an individual  
          that is relevant and necessary for a required or authorized  
          purpose.  Government Code 11019.9 requires that each state  
          agency shall enact and maintain a permanent privacy policy, in  
          adherence with the Information Practices Act of 1977.

          This bill enhances the Information Practices Act of 1977 by  
          making privacy policy statements conspicuously visible on state  
          agency and department Web sites.  This bill ensures that  
          internet users will have easy access to their privacy rights and  
          protections while viewing and interacting with the state.  
           
           Prior legislation
           
          AB 2362 (Keene of 2008) would have required a state agency, when  
          collecting personal information from a resident, to provide  
          notice to the resident that his or her personal information is  
          being handled in a secure manner that guards against  
          unauthorized disclosure and, in the event of a breach of the  
          security of the system, to provide timely and appropriate  
          notice.  This bill died in the Senate Judiciary Committee.

          AB 68 (Simitian, Chapter 829, Statutes of 2003) enacted the  
          California Online Privacy Protection Act, which required the  
          operators of Web sites and online services that collect  
          personally identifiable information from California residents  
          for commercial purposes to conspicuously post their privacy  
          policy on their Internet Web site or online service and to  
          comply with that policy.

          SB 129 (Peace, Chapter 984, Statutes of 2000) required, among  
          other things, each state department and agency to enact and  
          maintain a permanent privacy policy, in adherence with the  
          Information Practices Act of 1977.

          SB 1386 (Leslie, Chapter 429, Statutes of 1988) added the  
          requirement that state departments and agencies post online  
          notices informing users when an agency's online resources gather  
          personal information, the type of information gathered by those  
          resources, the purpose for which the information is gathered,  
          and that users have the option to limit further use or  
          redistribution of gathered personal information.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  No


          AL:d  7/2/14   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  NONE RECEIVED

                                   ****  END  ****


