BILL NUMBER: AB 370
AMENDED BILL TEXT

AMENDED IN SENATE JUNE 18, 2013
AMENDED IN SENATE JUNE 3, 2013
AMENDED IN ASSEMBLY MARCH 19, 2013

INTRODUCED BY Assembly Member Muratsuchi

FEBRUARY 14, 2013

An act to amend Sections 22575 and 22577 Section 22575 of the Business and Professions Code, relating to consumers.

LEGISLATIVE COUNSEL'S DIGEST

AB 370, as amended, Muratsuchi. Consumers: online tracking. internet privacy.

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

This bill would require an operator to disclose whether or not it honors a request from a consumer to disable online tracking, as defined, of the consumer who visits or uses its commercial Web site or online service. The bill would also require an operator to disclose if it allows 3rd parties to conduct online tracking on the commercial Web site or online service and whether there is a means to disable this tracking. how it responds to "do not track" signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across different Web sites or online services. The bill would require the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator's Web site or service.

Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 22575 of the Business and Professions Code is amended to read:

22575. (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.

(4) Identify its effective date.
(5) Disclose how the operator responds to Web browser "do not track" signals or other similar mechanisms that provide consumers the ability to exercise choice regarding online tracking, as defined in subdivision (e) of Section 22577, when an individual consumer uses or visits the commercial Web site or online service the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

(6) Disclose whether other parties on the operator's commercial Web site or online service are or may be conducting online tracking, as defined in subdivision (e) of Section 22577, and what, if any, program, solution, protocol, or mechanism the operator follows that offers consumers who use or visit its commercial Web site or online service the ability to exercise a choice regarding whether to permit this collection. The operator shall also offer information regarding how the consumer can use the program, solution, protocol, or mechanism may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

SEC. 2. Section 22577 of the Business and Professions Code is amended to read:

22577.
For the purposes of this chapter, the following definitions apply:

(a) The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b) The term "conspicuously post" with respect to a privacy policy shall include posting the privacy policy through any of the following:

(1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy." The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

(A) Includes the word "privacy."

(B) Is written in capital letters equal to or greater in size than the surrounding text.
(C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

(c) The term "operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.

(d) The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

(e) The term "online tracking" means the practice of collecting personally identifiable information about an individual consumer's online activities over time and across different Web sites and online services, for any use other than the internal business purposes of the commercial Web site or online service through which the tracking is conducted.

(f) The term "internal business purposes" means those activities necessary to maintain or analyze the functioning of the commercial Web site or online service, perform network communications, authenticate users of the commercial Web site or online service, and ensure legal or regulatory compliance, provided that the information collected for these activities is not used or disclosed for any other purpose.