BILL ANALYSIS



                                                                  AB 928
                                                                  Page  1

          Date of Hearing:   August 19, 2014

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                Bob Wieckowski, Chair
                      AB 928 (Olsen) - As Amended: June 16, 2014

                                   FOR CONCURRENCE
           
          SUBJECT  :  State Agencies: Internet Privacy Policies 

           KEY ISSUE  :  Should state agencies be required to post their  
          privacy policies online? 

                                      SYNOPSIS
          
          California's Information Practices Act of 1977 establishes  
          certain standards that a state agency must adhere to as to the  
          collection, maintenance, and disclosure of records that contain  
          an individual's personal information.  Each state agency must  
          develop a privacy policy that adheres to the standards and  
          principles of the Act.  This non-controversial bill would  
          require a state agency to post its privacy policy on its  
          Internet Website, something most state agencies apparently  
          already do.  There is no known opposition to this bill. 

           SUMMARY  :  Requires each state department and state agency to  
          conspicuously post its privacy policy on its Internet Web site.   
          Specifically,  this bill  :  

           1)Requires each state department and state agency to  
            conspicuously post its privacy policy on its Internet Web  
            site.

          2)Specifies that the term "conspicuously post" shall include  
            posting the privacy policy through any of the following means:

             a)   An Internet Web page on which the actual privacy policy  
               is posted if the Internet Web page is the homepage or first  
               significant page after entering the Internet Web site;

             b)   An icon that hyperlinks to an Internet Web page on which  
               the actual privacy policy is posted, if the icon is located  
               on the homepage or the first significant page after  
               entering the Internet Web site, and if the icon contains  
               the word "privacy."  The icon shall also use a color that  
               contrasts with the background color of the Internet Web  
               page or is otherwise distinguishable; or

             c)   A text link that hyperlinks to an Internet Web page on  
               which the actual privacy policy is posted, as specified.  

          EXISTING LAW  :

          1)Establishes, under the Information Practices Act of 1977,  
            standards for state agency collection, retention, protection,  
            and disclosure of records containing personal information  
            relating to individuals.  (Civil Code Sections 1798 et seq.) 

          2)Requires each state department and state agency to enact and  
            maintain a permanent privacy policy, in adherence with the  
            Information Practices Act of 1977, which includes, but is not  
            limited to, the following principles:

             a)   Personally identifiable information is only obtained  
               through lawful means.

             b)   The purposes for which personally identifiable data are  
               collected are specified at or prior to the time of  
               collection, and any subsequent use is limited to the  
               fulfillment of purposes not inconsistent with those  
               purposes previously specified.

             c)   Personal data shall not be disclosed, made available, or  
               otherwise used for purposes other than those specified,  
               except with the consent or as otherwise expressly exempted.

             d)   Personal data collected must be relevant to the purpose  
               for which it is collected.

             e)   The general means by which personal data is protected  
               against loss, unauthorized access, use, modification, or  
               disclosure shall be posted, unless that disclosure of  
               general means would compromise legitimate state department  
               or state agency objectives or law enforcement purposes.

             f)   Each state department or state agency shall designate a  
               position within the department or agency, the duties of  
               which shall include, but not be limited to, responsibility  
               for the privacy policy within that department or agency.   
               (Government Code Section 11019.9.)

           FISCAL EFFECT  :  As currently in print this bill is keyed fiscal.  


          COMMENTS  :  Enacted in 1977, California's Information Practices  
          Act (Act) expressed legislative concern that the "indiscriminate  
          collection, maintenance, and dissemination of personal  
          information" by state agencies posed a threat to individual  
          privacy, and that the "increasing use of computers and other  
          sophisticated information technology has greatly magnified the  
          potential risk to personal privacy that can occur from the  
          maintenance of personal information."  (Civil Code Section  
          1798.1 (a)-(b).)  At the risk of stating the obvious, since 1977  
          the "sophisticated information technology" has become  
          exponentially more sophisticated and the corresponding threat to  
          individual privacy more "magnified."  

          Although private entities also collect, maintain, and disclose a  
          vast amount of personal information, the Act only applies to  
          state entities.  The Act establishes principles and sets minimum  
          standards relating to the collection, retention, and disclosure  
          of personal information pertaining to individuals by any state  
          departments or agencies.  As a general rule, no state agency may  
          disclose any personal information in a manner that would link  
          the information disclosed to the individual to whom it pertains,  
          unless the individual consents to the disclosure or if the  
          disclosure falls under one of several exemptions to the general  
          rule.  Those principles include limiting collection only to  
          those items of personal information necessary for the agency to  
          carry out its duties, and retaining that information for only as  
          long as is necessary.  A 1999 amendment to the Government Code  
          required each state agency to enact and maintain a permanent  
          privacy policy that conformed to the standards and principles of  
          the Act.  
            
          This bill would require state departments and state agencies to  
          conspicuously post their privacy policies on their Internet Web  
          sites, which apparently many if not most state agencies already  
          do.  Those agencies that do not already post these policies  
          online will be required to do so under this bill.

           Comparison to Privacy Policy Required by Commercial Websites  :   
          The author's background information makes reference to the  
          California Online Privacy Protection Act (Cal OPPA), which  
          requires operators of commercial Web sites to post online  
          privacy policies.  It should be noted that Cal OPPA requirements  
          only apply to personal information from individual consumers who  
          use or visit the Web site.  This bill, however, would require  
          the state agency to post a privacy policy that relates to the  
          agency's personal information practices more generally, whether  
          the information was collected online or from any other source.   
          However, the overall intent of this bill is similar to Cal OPPA:  
           it will allow those who want to know how their personal  
          information is collected, used, and disclosed to easily discover  
          this by visiting an agency's Internet Website. 

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          None on file 

           Opposition 
           
          None on file
           
          Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334