BILL ANALYSIS                                                                                                                                                                                                    �



                                                                AB 928
                                                                Page  1

        CONCURRENCE IN SENATE AMENDMENTS
        AB 928 (Olsen)
        As Amended June 16, 2014
        Majority vote
         
         ----------------------------------------------------------------- 
        |ASSEMBLY:  |     |(May 29, 2013)  |SENATE: |36-0 |(August 7,     |
        |           |     |                |        |     |2014)          |
         ----------------------------------------------------------------- 
             (vote not relevant)

         ----------------------------------------------------------------------- 
        |COMMITTEE VOTE:  |10-0 |(August 19, 2014)  |RECOMMENDATION:  |concur   |
        |(Jud.)           |     |                   |                 |         |
         ----------------------------------------------------------------------- 

        Original Committee Reference:    ED.  

         SUMMARY  :  Requires each state department and state agency to  
        conspicuously post its privacy policy on its Internet Web site.

         The Senate amendments  delete the Assembly version of this bill, and  
        instead:

        1)Require each state department and state agency to conspicuously  
          post its privacy policy on its Internet Web site.

        2)Specify that the term "conspicuously post" shall include posting  
          the privacy policy through any of the following means:

           a)   An Internet Web page on which the actual privacy policy is  
             posted if the Internet Web page is the homepage or first  
             significant page after entering the Internet Web site;

           b)   An icon that hyperlinks to an Internet Web page on which the  
             actual privacy policy is posted, if the icon is located on the  
             homepage or the first significant page after entering the  
             Internet Web site, and if the icon contains the word "privacy."  
              The icon shall also use a color that contrasts with the  
             background color of the Internet Web page or is otherwise  
             distinguishable; or

           c)   A text link that hyperlinks to an Internet Web page on which  
             the actual privacy policy is posted, as specified.  









                                                               AB 928
                                                                Page  2

        EXISTING LAW  :

        1)Establishes, under the California Information Practices Act of  
          1977 (Act), standards for state agency collection, retention,  
          protection, and disclosure of records containing personal  
          information relating to individuals.  

        2)Requires each state department and state agency to enact and  
          maintain a permanent privacy policy, in adherence with the Act,  
          which includes, but is not limited to, the following principles:

           a)   Personally identifiable information is only obtained through  
             lawful means.

           b)   The purposes for which personally identifiable data are  
             collected are specified at or prior to the time of collection,  
             and any subsequent use is limited to the fulfillment of  
             purposes not inconsistent with those purposes previously  
             specified.
           c)   Personal data shall not be disclosed, made available, or  
             otherwise used for purposes other than those specified, except  
             with the consent or as otherwise expressly exempted.

           d)   Personal data collected must be relevant to the purpose for  
             which it is collected.

           e)   The general means by which personal data is protected  
             against loss, unauthorized access, use modification or  
             disclosure shall be posted, unless that disclosure of general  
             means would compromise legitimate state department or state  
             agency objectives or law enforcement purposes.

           f)   Each state department or state agency shall designate a  
             position within the department or agency, the duties of which  
             shall include, but not be limited to, responsibility for the  
             privacy policy within that department or agency.  

         FISCAL EFFECT  :  According to the Senate Appropriations Committee,  
        pursuant to Senate Rule 28.8, negligible state costs.

         COMMENTS  :  Enacted in 1977, the Act expressed legislative concern  
        that the "indiscriminate collection, maintenance, and dissemination  
        of personal information" by state agencies posed a threat to  
        individual privacy, and that the "increasing use of computers and  
        other sophisticated information technology has greatly magnified the  








                                                                AB 928
                                                                Page  3

        potential risk to personal privacy that can occur from the  
        maintenance of personal information."  At the risk of stating the  
        obvious, since 1977 the "sophisticated information technology" has  
        become exponentially more sophisticated and the corresponding threat  
        to individual privacy more "magnified."  

        Although private entities also collect, maintain, and disclose a  
        vast amount of personal information, the Act only applies to state  
        entities.  The Act establishes principles and set minimum standards  
        relating to the collection, retention, and disclosure of personal  
        information pertaining to individuals by any state departments or  
        agencies.  As a general rule, no state agency may disclose and  
        personal information in a manner that would link the information  
        disclosed to the individual to whom it pertains, unless the  
        individual consents to the disclosure or if the disclosure falls  
        under one of several exemptions to the general rule.  Those  
        principles include limiting collection only to those items of  
        personal information necessary for the agency to carry out its  
        duties, and retaining that information for only as long as is  
        necessary.  A 1999 amendment to the Government Code required each  
        state agency to enact and maintain a permanent privacy policy that  
        conformed to the standards and principles of the Act.  
          
        This bill would require state departments and state agencies to  
        conspicuously post their privacy policies on their Internet Web  
        sites, which apparently many if not most state agencies already do.   
        Those agencies that do not already post these policies online will  
        be required to do so under this bill.

         
        Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334 


                                                                 FN: 0004914