Assembly Bill No. 68

CHAPTER 829

An act to add Chapter 22 (commencing with Section 22575) to

Division 8 of the Business and Professions Code, relating to privacy.

[Approved by Governor October 11, 2003. Filed

with Secretary of State October 12, 2003.]

LEGISLATIVE COUNSEL’S DIGEST

AB 68, Simitian. Online Privacy Protection Act of 2003.

Existing law does not regulate the security and confidentiality of

consumer personal and identifying information obtained by persons and

entities engaged in online business transactions.

This bill would require an operator, defined as a person or entity that

collects personally identifiable information from California residents

through an Internet Web site or online service for commercial purposes,

to conspicuously post its privacy policy on its Web site or online service

and to comply with that policy. The bill, among other things, would

require that the privacy policy identify the categories of personally

identifiable information that the operator collects about individual

consumers who use or visit its Web site or online service and 3rd parties

with whom the operator may share the information. The bill would

preempt and supersede laws of specified local government entities

regarding the posting of a privacy policy on an Internet Web site. The bill

would become operative on July 1, 2004.

The people of the State of California do enact as follows:

SECTION 1. This act shall be known as, and may be cited as, the

Online Privacy Protection Act of 2003.

SEC. 2. The Legislature finds and declares all of the following:

(a) Each operator of a commercial Web site or online service has an

obligation to post privacy policies that inform consumers who are

located in California of the Web site’s or online service’s information

practices with regard to consumers’ personally identifiable information

and to abide by those policies.

(b) It is the intent of the Legislature to require each operator of a

commercial Web site or online service to provide individual consumers

residing in California who use or visit the commercial Web site or online

service with notice of its privacy policies, thus improving the knowledge

these individuals have as to whether personally identifiable information

obtained by the commercial Web site through the Internet may be

disclosed, sold, or shared.

(c) It is the intent of the Legislature that Internet service providers or

similar entities shall have no obligations under this act related to

personally identifiable information that they transmit or store at the

request of third parties.

SEC. 3. Chapter 22 (commencing with Section 22575) is added to

Division 8 of the Business and Professions Code, to read:

CHAPTER 22. INTERNET PRIVACY REQUIREMENTS

22575. (a) An operator of a commercial Web site or online service

that collects personally identifiable information through the Internet

about individual consumers residing in California who use or visit its

commercial Web site or online service shall conspicuously post its

privacy policy on its Web site, or in the case of an operator of an online

service, make that policy available in accordance with paragraph (5) of

subdivision (b) of Section 22578. An operator shall be in violation of this

subdivision only if the operator fails to post its policy within 30 days

after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the

following:

(1) Identify the categories of personally identifiable information that

the operator collects through the Web site or online service about

individual consumers who use or visit its commercial Web site or online

service and the categories of third-party persons or entities with whom

the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer

who uses or visits its commercial Web site or online service to review

and request changes to any of his or her personally identifiable

information that is collected through the Web site or online service,

provide a description of that process.

(3) Describe the process by which the operator notifies consumers

who use or visit its commercial Web site or online service of material

changes to the operator’s privacy policy for that Web site or online

service.

(4) Identify its effective date.

22576. An operator of a commercial Web site or online service that

collects personally identifiable information through the Web site or

online service from individual consumers who use or visit the

commercial Web site or online service and who reside in California shall

be in violation of this section if the operator fails to comply with the

provisions of Section 22575 or with the provisions of its posted privacy

policy in either of the following ways:

(a) Knowingly and willfully.

(b) Negligently and materially.

22577. For the purposes of this chapter, the following definitions

apply:

(a) The term “personally identifiable information” means

individually identifiable information about an individual consumer

collected online by the operator from that individual and maintained by

the operator in an accessible form, including any of the following:

(1) A first and last name.

(2) A home or other physical address, including street name and name

of a city or town.

(3) An e-mail address.

(4) A telephone number.

(5) A social security number.

(6) Any other identifier that permits the physical or online contacting

of a specific individual.

(7) Information concerning a user that the Web site or online service

collects online from the user and maintains in personally identifiable

form in combination with an identifier described in this subdivision.

(b) The term “conspicuously post” with respect to a privacy policy

shall include posting the privacy policy through any of the following:

(1) A Web page on which the actual privacy policy is posted if the

Web page is the homepage or first significant page after entering the Web

site.

(2) An icon that hyperlinks to a Web page on which the actual privacy

policy is posted, if the icon is located on the homepage or the first

significant page after entering the Web site, and if the icon contains the

word “privacy.” The icon shall also use a color that contrasts with the

background color of the Web page or is otherwise distinguishable.

(3) A text link that hyperlinks to a Web page on which the actual

privacy policy is posted, if the text link is located on the homepage or

first significant page after entering the Web site, and if the text link does

one of the following:

(A) Includes the word “privacy.”

(B) Is written in capital letters equal to or greater in size than the

surrounding text.

(C) Is written in larger type than the surrounding text, or in

contrasting type, font, or color to the surrounding text of the same size,

or set off from the surrounding text of the same size by symbols or other

marks that call attention to the language.

(4) Any other functional hyperlink that is so displayed that a

reasonable person would notice it.

(5) In the case of an online service, any other reasonably accessible

means of making the privacy policy available for consumers of the

online service.

(c) The term “operator” means any person or entity that owns a Web

site located on the Internet or an online service that collects and

maintains personally identifiable information from a consumer residing

in California who uses or visits the Web site or online service if the Web

site or online service is operated for commercial purposes. It does not

include any third party that operates, hosts, or manages, but does not

own, a Web site or online service on the owner’s behalf or by processing

information on behalf of the owner.

(d) The term “consumer” means any individual who seeks or

acquires, by purchase or lease, any goods, services, money, or credit for

personal, family, or household purposes.

22578. It is the intent of the Legislature that this chapter is a matter

of statewide concern. This chapter supersedes and preempts all rules,

regulations, codes, ordinances, and other laws adopted by a city, county,

city and county, municipality, or local agency regarding the posting of

a privacy policy on an Internet Web site.

22579. This chapter shall become operative on July 1, 2004.
