BILL ANALYSIS ��
AB 2147
Page 1
Date of Hearing: April 29, 2014
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 2147 (Melendez) - As Amended: April 22, 2014
As Proposed to be Amended
SUBJECT : state informaton practices
KEY ISSUES :
1)Should a state agency that collects personal information
online disclose to the person submitting the information that
the information may be shared with other agencies or private
parties?
2)Should a state agency be prohibited from using or sharing
information from partially completed online forms?
SYNOPSIS
In December of 2013 the Los Angeles Times reported that
California's Health Benefits Exchange, also known as Covered
California, raised consumer privacy concerns by sharing personal
information from partially completed online applications for
Covered California health coverage with authorized insurance
agents. Those agents, in turn, subsequently contacted the
applicants about health insurance options. The author believes
that the personal information of Californians should not be
shared with third parties without their knowledge and consent.
This bill would do two things. First, the bill requires a state
agency that collects personal information in an online form, and
shares that information with other agencies or private parties,
to prominently display a notice informing the person submitting
the information that his or her information may be shared with
another state agency or a private party. Second, the bill
prohibits a state agency from using or sharing information from
a partially completed online form. Existing law, the
Information Practices Act, already prohibits a state agency from
disclosing personal information in a manner that would link the
information disclosed to the person to whom it pertains, subject
to certain exceptions. Existing law, for example, permits
disclosure with the subject's consent. With or without consent,
however, a state agency under existing law may disclose
�
AB 2147
Page 2
information to other agencies or private parties to the extent
necessary to perform a legitimate function or as otherwise
required or authorized by law. There is, however, no existing
provision that requires an agency to provide a notice by which a
person acknowledges that his or her submitted information may be
shared with other agencies or private parties. There is no
opposition to this bill. The author has agreed to take
clarifying amendments that are reflected in the bill summary and
listed in the analysis.
SUMMARY : Requires a state entity to provide notice of its
information sharing practices and prohibits a state agency from
using or sharing information from partially completed online
forms. Specifically, this bill :
1)Requires a state agency, as defined, that uses an Internet Web
site to obtain information by means of an electronic form and
shares that information with another state entity or private
party to include a clearly displayed notice which states that
the person submitting the form acknowledges that information
collected may be shared with another state agency or a private
party in accordance with the requirements of the Information
Practices Act, as specified.
2)Prohibits a state entity that uses an Internet Web site to
obtain information by means of an electronic form from using
or sharing information provided on the form until the person
entering the information into the form specifically acts to
submit the form. Specifies that information in partially
completed forms that has not been formally submitted shall not
be used or otherwise shared.
EXISTING LAW :
1)Prohibits a state agency from disclosing any personal
information in a manner that would link the information
disclosed to the individual to whom it pertains, subject to
numerous exceptions. Exceptions include, among other things,
the following disclosures:
a) To the individual to whom the information pertains, or
to the guardian, conservator, or agent of that individual,
as specified.
b) With the prior written voluntary consent of the
individual to whom the information pertains, but only if
�
AB 2147
Page 3
that consent has been obtained not more than 30 days before
the disclosure or in the time limit agreed to by the
individual in the written consent.
c) To those officers, employees, attorneys, agents, or
volunteers of the agency that has custody of the
information if the disclosure is relevant and necessary to
the ordinary course of their official duties and is related
to the purpose for which the information was obtained, or
to another agency if the transfer is necessary for the
transferee agency to perform its constitutional or
statutory duties, and the use is compatible with a purpose
for which the information was collected, as specified.
d) Pursuant to a subpoena, search warrant, or court order,
as specified.
e) Pursuant to the California Public Records Act.
f) To a person who has provided the agency with advance,
adequate, written assurance that the information will be
used solely for statistical research or reporting purposes,
but only if the information is disclosed in a form that
will not identify the individual.
g) To other persons and agencies, as specified, when
disclosure is necessary for a specified purpose, including
research, institutional review, public health, criminal
investigation, or to protect the health and safety of the
person to whom the information pertains. (Civil Code
Section 1798.24.)
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
COMMENTS : According to the author, this bill was in response to
a Los Angeles Times report at the end of last year that the
California Health Benefits Exchange, known as Covered
California, raised consumer privacy concerns by sharing personal
information from partially completed online applications with
insurance agents. These agents, in turn, subsequently contacted
the persons who had failed to complete the process to provide
them with more information about health insurance options under
Covered California. In this way, this bill shares a common
origin with two other bills, AB 1560 and AB 1830, which were
similarly motivated by the Los Angeles Times report. However,
unlike AB 1560 and AB 1830, which focused only on the Exchange,
this measure would apply to all state agencies that collect
information from Californians through the use of an online
electronic form. Specifically, this bill does two things.
�
AB 2147
Page 4
First, it would require a state agency that collects information
through the use of an online form to disclose to the person
completing the form that information may be shared with other
state agencies and private parties, so long as those disclosures
comply with the Information Practices Act. Second, this bill
would prohibit the state agency from using or sharing any
information from a partially completed form or a form that had
not yet been formally submitted. This latter provision is
apparently in direct response to reports that Covered California
provided insurance agents with the information of persons who
had visited the website and begun, but who had not actually
completed, the application process.
Existing Limitations on State Agencies : The Information
Practices Act (IPA) of 1977 outlines the procedures that state
agencies must follow when they collect, maintain, or share the
personal information of Californians who, for any number of
reasons, submit information to the agency. The general rule in
the IPA is that agencies shall not disclose any personal
information that would link the information disclosed to the
person to whom it pertains. However, the IPA also incorporates
a number of reasonable exceptions to this rule. For example, a
state agency may disclose information to the person to whom the
information pertains or if that person has provided prior
written consent to the information's release, so long as the
consent was obtained not more than 30 days before the
disclosure, or for any agreed upon time limit. With or without
such consent, however, the agency may disclose information to
employees, attorneys, or agents of the agency if disclosure is
relevant or necessary to perform the ordinary duties of the
agency. Similarly, an agency may disclose the information to
another state agency for its legitimate uses, so long as the use
is consistent with the original reason for which the information
was collected. In addition, the IPA contains other exemptions
that apply to specific agencies and specific uses. (Civil Code
Section 1798.24.) However, even in those situations in which
an agency may disclose information without the express consent
of the person to whom the information applies, there is no
requirement that the agencies obtain prior consent or even
provide notice that such information will be shared. Of course
state agencies, like any other commercial Web site operator,
must provide on its Web site a link to its privacy policy that,
in general terms, tells the user how information is collected
and shared, if at all.
�
AB 2147
Page 5
This bill, therefore, expands existing requirements by requiring
an express notice, in bold print and in close proximity to the
"submit" button, which will make it clear to the user that, by
clicking the "submit" button, the user acknowledges that he or
she understands that the agency may share the information
submitted on the online form, so long as it is used and shared
in a manner that complies with the Information Practices Act.
Bill Does Not Cover "Cookies" and Other Forms of Information
Tracking : Presumably, this measure will only apply where a
state agency asks a Web site user to fill out data fields and
then asks the user to click a "submit" button after the
information has been provided. However, it should be noted that
a state agency Web site, like any commercial Web site, can, with
the use of "cookies" or similar tracking devices, obtain
information about the user without the user ever voluntarily
entering information into a field. Unlike the information
typically entered into a data field - name, address, credit card
number, etc. - cookies and other tracking devices typically make
inferences about the user - sometimes quite precise inferences -
based on browsing patterns. As to the state agency's policies
about this type of information, a consumer would still need to
proactively consult the Web site's privacy policy.
Proposed Author Amendments : The author will take the following
clarifying amendments in this Committee.
- On page 2 delete lines 3-5 and insert: For purposes of
this section, "state agency" includes every state office,
officer, department, division, bureau, board, and
commission, including the California State University.
- On page 2 line 6, change "state entity" to "state
agency"
- On page 2, line 7, after "form" insert: and shares that
information with another state agency or private party
- On page 2, line 17, change "state entity" to "state
agency"
- On page 2, line 19, after "provided insert: on the form
REGISTERED SUPPORT / OPPOSITION :
�
AB 2147
Page 6
Support
None on file
Opposition
None on file
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334