AB-2826 California Platform Accountability and Transparency Act. (2021-2022)

Date Published: 03/28/2022 02:00 PM

Amended  IN  Assembly  March 28, 2022

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill No. 2826


Introduced by Assembly Member Muratsuchi

February 18, 2022


An act to [stricken: amend Section 22576 of the Business and Professions Code, relating to privacy.] add Chapter 5.9 (commencing with 11549.75) to Part 1 of Division 3 of Title 2 of the Government Code, relating to technology.


LEGISLATIVE COUNSEL'S DIGEST


AB 2826, as amended, Muratsuchi. [stricken: Privacy: internet privacy requirements.] California Platform Accountability and Transparency Act.
Existing law establishes the Department of Technology within the Government Operations Agency, which is supervised by the Director of Technology, to exercise various powers in creating and managing the information technology policy of the state. Existing law requires the department to be responsible for the approval and oversight of information technology projects, including, among other duties, establishing and maintaining a framework of policies, procedures, and requirements for the initiation, approval, implementation, management, oversight, and continuation of information technology projects.
By July 1, 2023, this bill would require the department to establish a process to solicit research guideline applications from researchers in order to identify qualified research projects and guidelines and criteria used to determine how the department will review research applications seeking approval to be a qualified research project, as specified. The bill would require the department to establish reasonable privacy and cybersecurity safeguards for the qualified data and information, as defined, that the platform must share with qualified researchers pursuant to a qualified research project, and inform the platform of these requirements.
This bill would require a platform to provide qualified data and information to qualified researchers under the terms dictated by the department to carry out a qualified research project, and limit the purposes for which a qualified researcher may use the data and information, as prescribed. The bill would require the department to issue specified regulations, including requiring platforms to make specified disclosures regarding the information those platforms share with qualified researchers.
By July 1, 2024, and annually thereafter, this bill would require the director to submit a report to the Chairs of the Assembly Privacy and Consumer Protection Committee and the Senate Judiciary Committee concerning operations of the department relating to these provisions, and would require that report to include specified information pertaining to a detailed statement of all qualified research projects. The bill would impose prescribed civil penalties upon a platform or qualified researcher that violates these provisions, and would exempt an individual who engages in certain activities related to qualified research projects from civil or criminal liability.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.

[stricken: Existing law requires an operator of a commercial website or online service that collects personally identifiable information through the website or online service from individual consumers who use or visit the commercial website or online service and who reside in California to comply with specified provisions. Noncompliance, as described, constitutes a violation of these provisions.]

[stricken: This bill would make nonsubstantive changes to these provisions.]

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: [stricken: NO] YES   Local Program: NO

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 5.9 (commencing with Section 11549.75) is added to Part 1 of Division 3 of Title 2 of the Government Code, to read:
CHAPTER  5.9. California Platform Accountability and Transparency Act

11549.75.
 (a) This chapter shall be known, and may be cited, as the California Platform Accountability and Transparency Act (C-PATA).
(b) Subject to an appropriation by the Legislature for this express purpose, the department shall implement this chapter.

11549.76.
 For purposes of this chapter, the following definitions apply:
(a) “Department” means the Department of Technology.
(b) “Director” means the Director of Technology.
(c) “Personal information” means any information that identifies or describes an individual user, including, but not limited to, their name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, email address, and information that reveals any network location or identity.
(d) “Platform” means an internet website, desktop application, or mobile application that is made available to residents of the state and has at least 25,000,000 unique monthly users in the United States for a majority of the months in the most recent 12-month period, and that does all of the following:
(1) Permits a person to become a registered user, establish an account, or create a profile for the purpose of allowing the user to create, share, and view user-generated content through that account or profile.
(2) Enables one or more users to generate content that can be viewed by other users of the platform.
(3) Primarily serves as a medium for users to interact with content generated by other users of the platform and for the platform to deliver ads to users.
(e) (1) “Qualified data and information” means data and information from a platform that the department determines is necessary to allow a qualified researcher to carry out the research contemplated under a qualified research project.
(2) Notwithstanding paragraph (1), “qualified data and information” is limited to data and information that is possible for the platform to provide and proportionate to the needs of a qualified researcher to complete the qualified research project.
(f) “Qualified researcher” means a university-affiliated researcher specifically identified in a research proposal that is approved by the department to conduct research as a qualified research project.
(g) “User” means a person or entity that uses a platform or online marketplace for any purpose, including advertisers and sellers, regardless of whether that person has an account or is otherwise registered with the platform.

11549.77.
 (a) Before July 1, 2023, the department shall establish both of the following:
(1) A process to solicit research applications from researchers in order to identify qualified research projects.
(2) Guidelines and criteria used to determine how the department will review research applications seeking approval to be a qualified research project.
(b) The department shall not approve a research application as a qualified research project unless it aims to study activity on a platform.

11549.78.
 The department shall establish reasonable privacy and cybersecurity safeguards for the qualified data and information that the platform shares with a qualified researcher pursuant to a qualified research project and inform the platform of these requirements. Reasonable privacy and cybersecurity safeguards may include, but not be limited to, all of the following:
(a) Encryption of the data in transit and when not in use.
(b) Delivery of the data in a format that is not reasonably capable of being associated or linked with a particular individual.
(c) Use and monitoring of a secure environment to facilitate delivery of the qualified data and information to a qualified researcher while protecting against unauthorized use of that data.

11549.79.
 (a) Upon the department’s determination of final reasonable privacy and cybersecurity safeguards for qualified data and information pursuant to 11549.78, a platform shall provide qualified data and information to a qualified researcher under the terms dictated by the department for the purpose of carrying out a qualified research project.
(b) A platform may provide comments and recommendations to the department regarding the safeguards prescribed by the department pursuant to Section 11549.78 in order to ensure the security of qualified data and information throughout the course of the qualified research project.
(c) In accordance with Chapter 3.5 (commencing with Section 11340), the department shall issue regulations requiring platforms, through posting of notices or other appropriate means, to keep users informed of their privacy protections and the information that the platform is required to share with a qualified researcher pursuant to this chapter.
(d) A cause of action under state or federal law arising solely from the release of qualified data and information to a qualified researcher in furtherance of a qualified research project approved pursuant to this chapter shall not be brought against any platform that complies with the reasonable privacy and cybersecurity safeguards prescribed by the department pursuant to Section 11549.78.

11549.80.
 (a) A qualified researcher who accesses qualified data and information shall use the qualified data and information only for the purposes of conducting research authorized under the qualified research project’s terms and under the safeguards prescribed by the department pursuant to Section 11549.78.
(b) A qualified researcher shall comply with applicable federal, state, or local information sharing and privacy laws or regulations or any rules, standards, regulations, or orders issued by the department pursuant to this chapter that are applicable to the qualified researcher’s actions and conduct.
(c) A qualified researcher shall not attempt to reidentify, access, or publish personal information derived from qualified data and information that is accessible to the qualified researcher.
(d) (1) A cause of action arising solely from a qualified researcher’s access and use of qualified data and information in furtherance of a qualified research project approved pursuant to this chapter shall not be brought against a qualified researcher who conducts a qualified research project in compliance with this chapter and abides by the safeguards prescribed by the department pursuant to Section 11549.78. This immunity includes immunity from potential liability under applicable federal, state, and local laws, including any potential liability for a violation of a platform’s terms of service that arises solely from the qualified researcher’s access and use of qualified data and information.
(2) A qualified researcher who intentionally violates the safeguards prescribed by the department pursuant to Section 11549.78 shall be subject to civil or criminal enforcement, as applicable under federal, state, and local law.

11549.81.
 (a) By January 1, 2024, and in accordance with Chapter 3.5 (commencing with Section 11340), the department shall issue regulations to require platforms to disclose, on an ongoing basis, information regarding content on the platform that meets any of the following criteria:
(1) Has been sufficiently disseminated according to metrics that the department deems appropriate, including, but not limited to, engagement, views, reach, impressions, or other metrics.
(2) Was originated or spread by major public accounts.
(3) Meets other criteria as the department may designate.
(b) The regulations issued under subdivision (a) shall further require platforms to disclose, on an ongoing basis, statistically representative samplings of public content, including, at a minimum, a sampling that is weighted by the number of impressions the content receives.
(c) The information required to be disclosed about content pursuant to subdivisions (a) and (b) shall include, as appropriate, all of the following:
(1) The underlying content itself, including any public uniform resource locator link to the content.
(2) Metrics about the extent of dissemination of or engagement with the content.
(3) Metrics about the audience reached with the content.
(4) Information about whether the content has been determined to violate the platform’s policies.
(5) Information about the extent to which the content was recommended by the platform or otherwise amplified by platform algorithms.
(6) Information about the user accounts responsible for the content, including whether those accounts posted content deemed violating by the platform in the past.
(7) Other information as the department deems appropriate.
(d) By January 1, 2024, and in accordance with Chapter 3.5 (commencing with Section 11340), the department shall issue regulations to require platforms to disclose, on an ongoing basis, information regarding advertising on the platform.
(e) (1) By January 1, 2024, and on a semiannual basis thereafter, and in accordance with Chapter 3.5 (commencing with Section 11340), the department shall issue regulations to require platforms to report on their use of algorithms and metrics.
(2) The reporting required to be disclosed pursuant to this subdivision shall include, as appropriate, all of the following:
(A) A description of all product features that made use of algorithms during the reporting period.
(B) A summary of signals and features used as inputs to the described algorithms, including an explanation of all user data incorporated into these inputs, ranked based on the significance of their impact on the algorithms’ outputs.
(C) A summary of data-driven models, including those based on machine learning or other artificial intelligence techniques, utilized in the described algorithms, including the optimization objective of those models, including, but not limited to, predictions of user behavior or engagement, ranked based on the significance of their impact on the algorithms’ outputs.
(D) A summary of metrics used by the platform to score or rank content, ranked based on the significance of their impact on the algorithms’ outputs.
(E) A summary of metrics calculated by the company to assess product changes or new features, with an assessment of their relative importance in company decisionmaking.
(F) A description of significant datasets in the platform’s possession relating to content on or users of the platform, enforcement of content policy, or advertising, as necessary or appropriate to inform and facilitate researcher data access requests.
(G) Significant changes during the reporting period from the last report.
(H) Other information as the department deems appropriate.
(3) The information required to be disclosed pursuant to this subdivision shall include, as appropriate, all of the following:
(A) Statistics regarding the amount of content that the platform has determined violated its policies, broken down by the following factors:
(i) The violated policy.
(ii) The action taken in response to the violation.
(iii) The methods the platform used to identify the violating content, including, but not limited to, artificial intelligence, user report, or human moderator review.
(iv) The extent to which the content was recommended or otherwise amplified by platform algorithms.
(v) The extent to which the user chose to follow the account that originated or spread the violating content, and if so, whether that account had been recommended to the user by the platform.
(vi) Geographic and demographic factors as the department deems appropriate.
(B) Statistics regarding the number of times violating content was viewed by users and the number of users who viewed it.
(C) Estimates by the platform about the prevalence of violating content, including as measured by the number of impressions of violating content, broken down by the factors described in subparagraph (A) as the department deems appropriate.
(D) Other information as the department deems appropriate.

11549.82.
 (a) The department shall ensure that the reporting or disclosures required pursuant to Section 11549.81 does not infringe upon reasonable expectations of personal privacy of users of platforms or of other persons, or require dissemination of confidential business information or trade secrets.
(b) The department may require the reporting or disclosures required pursuant to Section 11549.81 to be made available to the public, to qualified researchers, or to some combination thereof. The department may specify privacy or other safeguards for reporting or disclosures made available to qualified researchers.
(c) The department shall endeavor to make the reporting or disclosures required pursuant to Section 11549.81 available to the public unless inconsistent with subdivision (a) or otherwise not in the public interest.

11549.83.
 (a) At least 30 days before the proposed public release of an analysis by a qualified researcher derived from a qualified research project, the qualified researcher shall submit a prepublication version of their research to any platforms that were the source of the qualified data and information in the qualified research project, and to the department for evaluation to confirm that the analysis does not expose personal information, trade secrets, or confidential commercial information, or otherwise violate applicable laws.
(b) A platform that provided qualified data and information with respect to a qualified research project may object to the publication or release of any analysis derived from the project that would expose personal information or otherwise violate federal, state, or local information sharing and privacy laws or regulations or any applicable rules, standards, regulations, or orders issued by the department. A platform shall make objections in writing to the director, or the director’s designee, within 15 days of the date that the qualified researcher submits the prepublication version of the analysis.

11549.84.
 By July 1, 2024, and annually thereafter, the director shall submit to the Chairs of the Assembly Privacy and Consumer Protection Committee and the Senate Judiciary Committee a report of the operations of the department under this chapter, which shall include a detailed statement of all qualified research projects, including, with respect to each project, all of the following:
(a) The identity of any authorized qualified researcher and the institution the researcher is affiliated with.
(b) The platforms required to provide qualified data and information to qualified researchers.
(c) The categories of qualified data and information each platform was required to provide.
(d) The terms of the safeguards prescribed by the department pursuant to Section 11549.78 to ensure the security of the qualified data and information.
(e) Any recommendations for improvements to the operation of this chapter in order to facilitate its aim of providing enhanced researcher access to platforms as the director deems appropriate.

11549.85.
 (a) Actions for relief pursuant to this chapter may be prosecuted exclusively in a court of competent jurisdiction in a civil action brought in the name of the people of the State of California by the Attorney General, or by any district attorney or city attorney.
(b) A platform that violates this chapter shall be subject to a civil penalty not to exceed ten thousand dollars ($10,000) for each violation, to be assessed and collected in a civil action. If the action is brought by the Attorney General, the penalty shall be deposited into the General Fund. If the action is brought by a district attorney or city attorney, the penalty shall be paid to the treasurer of the jurisdiction in which the judgment was entered.
(c) Remedies in an injunctive action brought by the Attorney General, or by any district attorney or city attorney, pursuant to this chapter shall be limited to an order enjoining, restraining, or preventing any act or practice that constitutes a violation of this chapter.
(d) The remedies and penalties provided by this section are cumulative with, and available in addition to, the remedies or penalties available under any other law.

11549.86.
 (a) A person collecting covered information as part of a news-gathering or research project on a platform shall not be subject to civil or criminal liability with respect to those news-gathering or research activities if all of the following apply:
(1) The information is collected through a covered method of digital investigation, and person takes reasonable measures to protect the privacy of the platform’s users.
(2) The purpose of the project is to inform the general public about matters of public concern, and the information is only used to inform the general public about a matter of public concern.
(3) With respect to the creation and use of a research account, the person takes reasonable measures to avoid misleading the platform’s users.
(4) The project does not materially burden the technical operation of the platform.
(b) (1) By July 1, 2024, and in accordance with Chapter 3.5 (commencing with Section 11340), the department shall promulgate regulations that define the terms identified in paragraph (2) according to the requirements provided in paragraph (2).
(2) (A) The term “covered method of digital investigation” shall encompass at least all of the following:
(i) The collection of data from a platform through automated means.
(ii) The collection of data voluntarily donated by users, including through a browser extension or plug-in.
(iii) The creation or use of research accounts.
(B) The term “covered information” shall encompass at least all of the following:
(i) Publicly available information, except that this term should not exclude data merely because an individual must log into an account in order to see it.
(ii) Information about advertisements shown on the platform, including the advertisements themselves, the advertiser’s name and disclosure string, and information the platform provides to users about how an advertisement was targeted.
(iii) Any other category of information the collection of which the department determines will not unduly burden user privacy.
(C) The term “reasonable measures to protect the privacy of the platform’s users” shall specify at least what measures must be taken to achieve all of the following:
(i) Prevent the theft and accidental disclosure of any data collected.
(ii) Ensure that the data at issue is not used for any purpose other than to inform the general public about matters of public concern.
(iii) Restrict the publication or other disclosure of any data that would readily identify a user without the user’s consent, except when that user is a public official or public figure.
(c) Commencing January 1, 2025, and every January thereafter, the department shall require an operator of a platform to submit an annual report to the department that addresses whether the measures prescribed under subdivision (b) are adequately protecting the platform’s users.

11549.87.
 The department may assist the public, journalists, researchers, or other governmental agencies to more effectively do any of the following:
(a) Assess the impact of platforms, including the impact of their design and policy decisions and the impact of content that they host and disseminate, on consumers, institutions, and society.
(b) Promote the advancement of scientific and other research and understanding through data available via platforms.
(c) Ensure that platforms are in compliance with all applicable laws, including statutes enforced by the department.

SEC. 2.

 The Legislature finds and declares that Section 1 of this act, which adds Sections 11549.82 and 11549.83 to the Government Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
This act strikes a balance between informing the public about the activities of the platforms they use, and protecting the privacy of users and the sensitive information of businesses.
[stricken: SECTION 1. Section 22576 of the Business and Professions Code is amended to read:
22576.

An operator of a commercial website or online service that collects personally identifiable information through the website or online service from individual consumers who use or visit the commercial website or online service and who reside in California shall be in violation of this section if the operator fails to comply with the requirements specified in Section 22575 or with the provisions of its posted privacy policy in either of the following ways:

(a) Knowingly and willfully.

(b) Negligently and materially.]