Assembly Bill No.

370

CHAPTER 390

An act to amend Section 22575 of the Business and Professions Code,

relating to consumers.

[Approved by Governor September 27, 2013. Filed with

Secretary of State September 27, 2013.]

legislative counsels digest

AB 370, Muratsuchi. Consumers: internet privacy.
Existing law requires an operator of a commercial Internet Web site or
online service that collects personally identifiable information through the
Internet about consumers residing in California who use or visit its
commercial Web site or online service to conspicuously post its privacy
policy on its Web site or online service and to comply with that policy.
Existing law, among other things, requires that the privacy policy identify
the categories of personally identifiable information that the operator collects
about individual consumers who use or visit its Web site or online service
and 3rd parties with whom the operator shares the information.
This bill would require an operator to disclose how it responds to do not
track signals or other mechanisms that provide consumers a choice
regarding the collection of personally identifiable information about an
individual consumers online activities over time and across different Web
sites or online services. The bill would require the operator to disclose
whether other parties may collect personally identifiable information when
a consumer uses the operators Web site or service.

The people of the State of California do enact as follows:

SECTION 1. Section 22575 of the Business and Professions Code is

amended to read:
22575. (a)An operator of a commercial Web site or online service that
collects personally identifiable information through the Internet about
individual consumers residing in California who use or visit its commercial
Web site or online service shall conspicuously post its privacy policy on its
Web site, or in the case of an operator of an online service, make that policy
available in accordance with paragraph (5) of subdivision (b) of Section
22577. An operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified of
noncompliance.
(b)The privacy policy required by subdivision (a) shall do all of the
following:

94
Ch. 390 2

(1)Identify the categories of personally identifiable information that the

operator collects through the Web site or online service about individual
consumers who use or visit its commercial Web site or online service and
the categories of third-party persons or entities with whom the operator may
share that personally identifiable information.
(2)If the operator maintains a process for an individual consumer who
uses or visits its commercial Web site or online service to review and request
changes to any of his or her personally identifiable information that is
collected through the Web site or online service, provide a description of
that process.
(3)Describe the process by which the operator notifies consumers who
use or visit its commercial Web site or online service of material changes
to the operators privacy policy for that Web site or online service.
(4)Identify its effective date.
(5)Disclose how the operator responds to Web browser do not track
signals or other mechanisms that provide consumers the ability to exercise
choice regarding the collection of personally identifiable information about
an individual consumers online activities over time and across third-party
Web sites or online services, if the operator engages in that collection.
(6)Disclose whether other parties may collect personally identifiable
information about an individual consumers online activities over time and
across different Web sites when a consumer uses the operators Web site
or service.
(7)An operator may satisfy the requirement of paragraph (5) by providing
a clear and conspicuous hyperlink in the operators privacy policy to an
online location containing a description, including the effects, of any program
or protocol the operator follows that offers the consumer that choice.

94
 AB 370
Page 1

CONCURRENCE IN SENATE AMENDMENTS

AB 370 (Muratsuchi)
As Amended June 18, 2013
Majority vote

ASSEMBLY: 73-0 (May 2, 2013) SENATE: 37-0 (August 22, 2013)

Original Committee Reference: B.,P. & C. P.

SUMMARY: Requires privacy policies posted by an operator of a commercial Web site or

online service that collects personally identifiable information (PII) to disclose how the operator
responds to Web browser do not track signals regarding the collection of PII, and to disclose
whether other parties may collect PII about an individual consumers online activities.

The Senate amendments delete the Assembly version of this bill, and instead:

1) Require an operator's privacy policies to disclose how it responds to Web browser do not
track signals or other mechanisms that provide consumers the ability to exercise choice
regarding the collection of PII about an individual consumers online activities over time and
across third-party Web sites or online services, if the operator engages in that collection.

2) Require an operator's privacy policies to disclose whether other parties may collect PII about
an individual consumers online activities over time and across different Web sites when a
consumer uses the operators Web site or service.

3) Permit an operator to satisfy the response disclosure requirement for 'do not track' signals by
providing a clear and conspicuous hyperlink in the privacy policy to an online location
containing a description, including the effects, of any program or protocol the operator
follows that offers the consumer that choice.

EXISTING LAW:

1) Requires an operator of a commercial Web site or online service that collects PII through the
Internet about consumers residing in California who use or visit its commercial Web site or
online service to conspicuously post its privacy policy on its Web site or online service, and
further requires an operator to comply with that policy. (Business and Professions Code
(BPC) Section 22575(a))

2) Requires, among other things, that the privacy policy identify the categories of PII that the
operator collects about individual consumers who use or visit its Web site or online service
and third parties with whom the operator shares the information. (BPC Section 22575(b))

FISCAL EFFECT: None. This bill is keyed non-fiscal by the Legislative Counsel.

COMMENTS:

1) Purpose of this bill. This bill requires operators of commercial Web sites and other online
services that collect PII to disclose whether or not they will honor a signal from the
consumer's Web browser requesting that the Web site not collect the consumer's PII. It also
 AB 370
Page 2

requires operators to disclose whether other parties may collect PII when a consumer uses the
operator's Web site or service. Many popular Web browsers incorporate a voluntary do not
track signal that a consumer can use, but Web sites are not legally required to honor that
signal. This bill aims to better inform consumers as to which Web sites or online services
collect PII and which do not. This bill is sponsored by the California Attorney General's
Office.

2) Author's statement. According to the author, "Since the California Online Privacy Protection
Act (CalOPPA) took effect [in 2004], online commerce has burgeoned and evolving
technology and new business practices have raised new privacy concerns. One practice that
raises privacy concerns is online tracking, also called online behavioral tracking. This is the
monitoring of an individual across multiple websites to build a profile of behavior and
interests. In the age of smart phones and tablets, similar tracking is also done by monitoring
individuals as they use different apps and different phone features. The resulting profiles are
commonly used to deliver targeted advertisements

"This bill would increase consumer awareness of the practice of online tracking by
websites and online services, such as mobile apps. AB 370 will allow consumers to
learn from a websites privacy policy whether or not that website honors a Do Not
Track signal. This will allow the consumer to make an informed decision about their
use of the website or service."

3) Growth in online tracking and data auctions. On June 17, 2012, the Wall Street Journal
published an article about user-tailored advertising and the explosion in demand for
consumer data collected through Web browsers. The article notes,"[the] rapid rise in the
number of companies collecting data about individuals' Web-surfing behavior is testament to
the power of the $31 billion online-advertising business, which increasingly relies on data
about users' Web surfing behavior to target advertisements."

This tracking often goes unnoticed by consumers and is made possible by the use of "cookie"
files that record the sites visited by the consumer's Web browser. The Wall Street Journal
article notes that in one study, the average visit to a Web page triggered 56 instances of data
collection. The data collected by these cookies are so valuable that online auctions have
sprung up among advertisers to compete for the data.

4) The do not track movement. The Federal Trade Commission in December 2010 released a
preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change, which
endorsed the idea of an easy-to-use, persistent, and effective do not track system.

In practice, a consumer wishing to communicate a do not track signal to Web sites would
generally do so via their Web browser controls, the presence of which would signal to a
visited Web site that it should disable its tracking for that visit. The signal or "field"
communicates that the consumer either opts in to or opts out of data tracking.

According to the California Attorney General's Office, "[s]ubsequently, all the major browser
companies have offered Do Not Track browser headers that signal to websites an individuals
choice not to be tracked. There is, however, no legal requirement for sites to honor the
headers."
 AB 370
Page 3

There was no data immediately available to suggest how frequently Web sites decline to
honor a do not track signal, although one list maintained by researchers at Stanford reflects a
running list of Web sites that honor the do not track signal that list shows only 20 Web
sites, most of which are not well-known with the exception of Twitter.

This bill would mandate that Web sites that track users must also disclose if they are
honoring the voluntary do not track signal.

5) California Online Privacy Protection Act (CalOPPA). In 2003, the Legislature passed AB 68
(Simitian), Chapter 829, Statutes of 2003, which generally requires operators of Web sites
and online services that collect PII about the users of their site to conspicuously post their
privacy policies on the Web site and comply with them.

CalOPPA currently requires privacy policies to identify the categories of PII collected, the
categories of third-parties with whom that PII may be shared, the process for consumers to
review and request changes to his or her PII, and the process for notification of material
changes to the policy.

An operator has 30 days to comply after receiving notice of noncompliance with the posting
requirement. Failure to comply with the CalOPPA requirements or the provisions of the
posted privacy policy, if knowing and willful, or negligent and material, is actionable under
Californias Unfair Competition Law and may result in penalties of up to $2,500 for each
violation. Any violation of this bill would be enforceable as a violation of CalOPPA.

6) Arguments in support. According to the California Attorney General's Office, "AB 370 is a
transparency proposal not a Do Not Track proposal. When a privacy policy discloses
whether or not an operator honors a Do Not Track signal from a browser, individuals may
make informed decisions about their use of the site or service."

Analysis Prepared by: Hank Dempsey / B.,P. & C.P. / (916) 319-3301

FN: 0001764