BILL ANALYSIS
AB 928
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 928 (Olsen)
As Amended June 16, 2014
Majority vote
-----------------------------------------------------------------
|ASSEMBLY: | |(May 29, 2013) |SENATE: |36-0 |(August 7, 2014) |
-----------------------------------------------------------------
(vote not relevant)
-----------------------------------------------------------------------
|COMMITTEE VOTE (Jud.): |10-0 |(August 19, 2014) |RECOMMENDATION: |concur |
-----------------------------------------------------------------------
Original Committee Reference: ED.
SUMMARY : Requires each state department and state agency to
conspicuously post its privacy policy on its Internet Web site.
The Senate amendments delete the Assembly version of this bill, and
instead:
1)Require each state department and state agency to conspicuously
post its privacy policy on its Internet Web site.
2)Specify that the term "conspicuously post" shall include posting
the privacy policy through any of the following means:
a) An Internet Web page on which the actual privacy policy is
posted if the Internet Web page is the homepage or first
significant page after entering the Internet Web site;
b) An icon that hyperlinks to an Internet Web page on which the
actual privacy policy is posted, if the icon is located on the
homepage or the first significant page after entering the
Internet Web site, and if the icon contains the word "privacy."
The icon shall also use a color that contrasts with the
background color of the Internet Web page or is otherwise
distinguishable; or
c) A text link that hyperlinks to an Internet Web page on which
the actual privacy policy is posted, as specified.
EXISTING LAW :
1)Establishes, under the California Information Practices Act of
1977 (Act), standards for state agency collection, retention,
protection, and disclosure of records containing personal
information relating to individuals.
2)Requires each state department and state agency to enact and
maintain a permanent privacy policy, in adherence with the Act,
which includes, but is not limited to, the following principles:
a) Personally identifiable information is only obtained through
lawful means.
b) The purposes for which personally identifiable data are
collected are specified at or prior to the time of collection,
and any subsequent use is limited to the fulfillment of
purposes not inconsistent with those purposes previously
specified.
c) Personal data shall not be disclosed, made available, or
otherwise used for purposes other than those specified, except
with the consent or as otherwise expressly exempted.
d) Personal data collected must be relevant to the purpose for
which it is collected.
e) The general means by which personal data is protected
against loss, unauthorized access, use, modification or
disclosure shall be posted, unless that disclosure of general
means would compromise legitimate state department or state
agency objectives or law enforcement purposes.
f) Each state department or state agency shall designate a
position within the department or agency, the duties of which
shall include, but not be limited to, responsibility for the
privacy policy within that department or agency.
FISCAL EFFECT : According to the Senate Appropriations Committee,
pursuant to Senate Rule 28.8, negligible state costs.
COMMENTS : Enacted in 1977, the Act expressed legislative concern
that the "indiscriminate collection, maintenance, and dissemination
of personal information" by state agencies posed a threat to
individual privacy, and that the "increasing use of computers and
other sophisticated information technology has greatly magnified the
potential risk to personal privacy that can occur from the
maintenance of personal information." At the risk of stating the
obvious, since 1977 the "sophisticated information technology" has
become exponentially more sophisticated and the corresponding threat
to individual privacy more "magnified."
Although private entities also collect, maintain, and disclose a
vast amount of personal information, the Act only applies to state
entities. The Act establishes principles and sets minimum standards
relating to the collection, retention, and disclosure of personal
information pertaining to individuals by any state departments or
agencies. As a general rule, no state agency may disclose any
personal information in a manner that would link the information
disclosed to the individual to whom it pertains, unless the
individual consents to the disclosure or the disclosure falls
under one of several exemptions to the general rule. Those
principles include limiting collection only to those items of
personal information necessary for the agency to carry out its
duties, and retaining that information for only as long as is
necessary. A 1999 amendment to the Government Code required each
state agency to enact and maintain a permanent privacy policy that
conformed to the standards and principles of the Act.
This bill would require state departments and state agencies to
conspicuously post their privacy policies on their Internet Web
sites, which apparently many if not most state agencies already do.
Those agencies that do not already post these policies online will
be required to do so under this bill.
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334
FN: 0004914