With industry efforts to create do not track standards reaching an impasse and disputes over whether DNT requests should be honored in cases where DNT is the browser’s default setting (e.g., Firefox), the California legislature has stepped into the debate by passing a bill requiring websites to disclose how they handle DNT requests.
Specifically, the website privacy policy must disclose
- the categories of personally identifiable information (“PII”) collected;
- the categories of third-parties with whom the information is shared;
- whether there is a process for the consumer to review information collected and/or make changes;
- whether 3rd parties collect a user’s PII; and
- how the website responds to DNT requests.
The bill is one of several that the Net Choice Coalition strongly condemned as going too far.
| Introduced by Assembly Member Muratsuchi |
| February 14, 2013 |
An act to amend Section 22575 of the Business and Professions Code, relating to consumers.
LEGISLATIVE COUNSEL’S DIGEST
AB 370, Muratsuchi. Consumers: internet privacy.
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.
This bill would require an operator to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different Web sites or online services. The bill would require the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service.
DIGEST KEY
Vote: majority Appropriation: no Fiscal Committee: no Local Program: no
BILL TEXT
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1.
Section 22575 of the Business and Professions Code is amended to read:
22575.
(a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b) The privacy policy required by subdivision (a) shall do all of the following:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.
(4) Identify its effective date.
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
Cyber Report 
Pingback: Do Not Track, Social Media Snooping and Revenge Porn Bills on Gov. Brown’s Desk | Cyber Report