Bill Text

Bill Information


Bill PDF |Add To My Favorites | print page

AB-257 Privacy: commercial Web sites and online services.(2013-2014)

SHARE THIS: share this bill in Facebook share this bill in Twitter
AB257:v98#DOCUMENT

Amended  IN  Assembly  April 17, 2013

CALIFORNIA LEGISLATURE— 2013–2014 REGULAR SESSION

Assembly Bill
No. 257

Introduced by Assembly Member Hall

February 07, 2013

An act to amend Section 22577 22575 of, and to add Sections 22575.1, 22575.2, and 22575.3 to, the Business and Professions Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 257, as amended, Hall. Privacy: mobile devices. commercial Web sites and online services.
Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service to make its privacy policy available to the consumers, as specified, including, among others, the requirement that the policy identifies the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers.

This bill would define an online service for purposes of these provisions to include mobile applications designed to be downloaded to and installed on a mobile device. This bill would require the operator of a mobile application to satisfy various requirements, including specified privacy policy requirements, procedures to allow a consumer to access their own personally identifiable information collected and retained, safeguards to protect personally identifiable information, a requirement that the operator provide a supplemental privacy policy if an application collects information not essential to the application’s basic function, and a requirement that the operator provide a special notice if the application accesses specified devices and information. The bill would require a mobile application market, as defined, to comply with specified procedures allowing access to an application’s privacy policy and a means for users to report applications in violation of the applicable terms of service or law. The bill would also establish specified requirements for an advertising network delivering an advertisement through a mobile application, including a privacy policy requirement, a requirement that the network obtain prior consent to display an advertisement in specified circumstances, a requirement that advertisements be clearly attributable to the host application in specified circumstances, and required procedures for identifying a consumer and transmitting information.

This bill would require that policy to identify the uses and retention period for each category of personally identifiable information, and to describe the process the operator maintains allowing an individual consumer to review and request changes to any of his or her personally identifiable information. The bill would also require the operator to use reasonable security safeguards to protect personally identifiable information from unauthorized access, use, disclosure, modification, or destruction, and to describe these safeguards in its privacy policy.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 22575 of the Business and Professions Code is amended to read:

22575.
 (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.
(b) The privacy policy required by subdivision (a) shall do all of the following:
(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service, the uses and retention period for each category of personally identifiable information collected, and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.
(2) If the operator maintains a Describe the process for the operator maintains allowing an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.
(4) Identify its effective date.
(5) Describe the security safeguards used to comply with the requirements of subdivision (c).
(c) An operator described in subdivision (a) shall use reasonable security safeguards to protect personally identifiable information from unauthorized access, use, disclosure, modification, or destruction.

SECTION 1.Section 22575.1 is added to the Business and Professions Code, to read:
22575.1.

(a)The privacy policy for a mobile application shall specify and limit practices regarding information retention and collection, including the types of information collected, the use and retention period for each category of information, the categories of third parties with whom personally identifiable information will be shared, and the choices a consumer has regarding the collection, use, and sharing of personally identifiable information.

(b)The operator of a mobile application shall:

(1)Provide consumers access to their own personally identifiable information that the application collects and retains.

(2)Use security safeguards to protect personally identifiable information from unauthorized access, use, disclosure, modification, or destruction.

(3)Provide a supplemental privacy policy with enhanced measures if an application collects personally identifiable information that is not essential to the application’s basic function.

(4)Provide consumers with a special notice if the application accesses text messages, call logs, the camera, the dialer, or the microphone, or collects location information, financial information, medical information, or passwords. A special notice shall deliver notice to the consumer of the information collection. A special notice shall explain the intended uses of the information and disclose the type of third parties to whom the information may be disclosed.

(c)The requirements for a mobile application privacy policy are in addition to the requirements specified elsewhere in this chapter.

SEC. 2.Section 22575.2 is added to the Business and Professions Code, to read:
22575.2.

(a)In the application submission process for a new or updated mobile application, a mobile application market shall include either of the following:

(1)An optional data field for a hyperlink to the application’s privacy policy or a statement describing the application’s privacy practices.

(2)An optional data field for the text of the application’s privacy policy or a statement describing the application’s privacy practices.

(b)A mobile application market shall:

(1)Implement a means for users to report applications that do not comply with the applicable terms of service or law.

(2)Implement a process for responding to reported instances of noncompliance with applicable terms of service or law.

SEC. 3.Section 22575.3 is added to the Business and Professions Code, to read:
22575.3.

An advertising network delivering an advertisement through a mobile application shall:

(a)Include a privacy policy governing the collection, use, disclosure, and retention of personally identifiable information. This policy shall be made available to users of mobile applications and application developers.

(b)Obtain prior consent before displaying an advertisement delivered through an application and displayed outside the context of the application.

(c)Provide clear attribution of the host application responsible for an advertisement delivered through an application and displayed outside the context of the application.

(d)Obtain prior consent before accessing personally identifiable information.

(e)Use application-specific or temporary device identifiers, not unchangeable device-specific identifiers.

(f)Transmit user data securely, using encryption for permanent unique device identifiers and personal information.

SEC. 4.Section 22577 of the Business and Professions Code is amended to read:
22577.

For the purposes of this chapter, the following definitions apply:

(a)The term “personally identifiable information” means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

(1)A first and last name.

(2)A home or other physical address, including street name and name of a city or town.

(3)An e-mail address.

(4)A telephone number.

(5)A social security number.

(6)Any other identifier that permits the physical or online contacting of a specific individual.

(7)Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b)The term “conspicuously post” with respect to a privacy policy shall include posting the privacy policy through any of the following:

(1)A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.

(2)An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word “privacy.” The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.

(3)A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:

(A)Includes the word “privacy.”

(B)Is written in capital letters equal to or greater in size than the surrounding text.

(C)Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4)Any other functional hyperlink that is so displayed that a reasonable person would notice it.

(5)In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service, except for a mobile application, which shall follow the requirements in Section 22575.1.

(c)The term “operator” means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner’s behalf or by processing information on behalf of the owner.

(d)The term “consumer” means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

(e)The term “online service” includes, but shall not be limited to, a mobile application.

(f)The term “mobile application” means an application designed to be downloaded to and installed on a mobile device, such as a mobile phone, a tablet, or a smart phone.

(g)The term “mobile application market” means a computerized system where a person can purchase a mobile application and download the mobile application directly to a mobile device.