~CEIVEcJ FEB 2 4 2014



Similar documents
Preprinted Logo will go here

BACKGROUND. August 28, Hon. Kamala D. Harris Attorney General 1300 I Street, 17 th Floor Sacramento, California Initiative Coordinator

Optum Website Privacy Policy

Products Liability: Putting a Product on the U.S. Market. Natalia R. Medley Crowell & Moring LLP 14 November 2012

Privacy Policy Last Updated September 10, 2015

ADVANCED CABLE COMMUNICATIONS WEBSITE PRIVACY POLICY COLLECTION AND USE OF INFORMATION FROM USERS

Drug and Alcohol Testing of Doctors. Medical Negligence Lawsuits. Initiative Statute.

STATE OF OKLAHOMA. 2nd Session of the 53rd Legislature (2012) AS INTRODUCED

Your Rights As a Consumer Report Agency

nexusfordevelopment.org Privacy Policy

Privacy Policy EMA Online

We may collect the following types of information during your visit on our Site:

Covered California. Terms and Conditions of Use

San Juan County Abstract & Title Company 111 North Orchard Avenue Farmington, NM (505) FAX (505)

Table of Contents Biennial Budget Attorney General

Zep Inc.: Global Online Privacy Notice

Florida Senate SB 872

Notes on Drafting LC0074 REQUIRING COMMERCIAL WEBSITES TO POST PRIVACY POLICIES

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

ASSURANCE OF DISCONTINUANCE. The Office of the Attorney General of the State of New York (sometimes referred to as

Drug and Alcohol Testing of Doctors. Medical Negligence Lawsuits. Initiative Statute.

Koch Communications Privacy Policy

Zubi Advertising Privacy Policy

Information About Our Organization and General Data Collection Practices. Lotlinx Website and Dealer Customers Marketing Efforts

CHAPTER 149 FORMERLY SENATE SUBSTITUTE NO. 1 FOR SENATE BILL NO. 79

Online Privacy and Security Statement

Troy Cablevision, Inc. Subscriber Privacy Policy

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

Privacy Impact Assessment of the Supervisory Enforcement Actions and Special Examinations Tracking System

ASSEMBLY BILL No. 597

Comment [1]: BDERIV. Comment [2]: EDERIV

The Rosenthal Fair Debt Collection Practices Act California Civil Code 1788 et seq.

PRIVACY POLICY. The Policy is incorporated into Terms of Use and is subject to the terms laid down therein.

PRIVACY POLICY. Mil y Un Consejos Network. Mil y Un Consejos Network ( Company or we or us or our ) respects the privacy of

Privacy Policy/Your California Privacy Rights Last Updated: May 28, 2015 Introduction

H&R Block Digital Tax Preparation, Online, and Mobile Application Privacy Practices and Principles

What personal information do we collect from the people that visit our blog, website or app?

Web Sites Covered This policy covers NASBA.org and all other NASBA affiliated sites that link to this policy.

Key Definitions: VT LEG # v.1

FOUR BLOCK FOUNDATION, INC. PRIVACY POLICY November 6, 2015

VES Privacy Policy Effective Date: June 25, 2015

New Hampshire Statutes Title 31 Trade and Commerce Chapter 359-B Consumer Credit Reporting

PROPOSAL. Expansion of Drug Treatment Diversion Programs. December 18, 2007

Security Awareness Training

Johnson Controls Privacy Notice

False or Exaggerated Bond Claims: What Can A Surety To Do Combat This Increasingly Prevalent Practice?

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

Public Information Program

BUSINESS CHICKS, INC. Privacy Policy

If You Purchased StarKist Tuna, You May Benefit From A Proposed Class Action Settlement

How We Use Your Personal Information On An Afinion International Ab And Afion International And Afinion Afion Afion

Secretary of the Senate. Chief Clerk of the Assembly. Private Secretary of the Governor

Appendix L: Nebraska s False Medicaid Claims Act Nebraska Statues Chapter 68 November 2013 Section Terms, defined.

CUSTOMER PRIVACY STATEMENT

Privacy Policy of Dessauer Group II LLC

Personal Information - How Do We Collect?

HP0868, LD 1187, item 1, 123rd Maine State Legislature An Act To Recoup Health Care Funds through the Maine False Claims Act

GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2005 H 2 HOUSE BILL 629 Committee Substitute Favorable 5/18/05

NEVADA DEPARTMENT OF JUSTICE Office of the Attorney General A GUIDE TO NON-PROFITS. Catherine Cortez Masto, Attorney General

Online Privacy Notice

STOP SMART METERS. If a utility company installed a Smart Meter on your property or residence, you can do something about it. Who Can Take Action?

RezScore SM Privacy Policy

Chapter RECORDS MANAGEMENT Sections:

PRIVACY POLICY. Effective date: February 11, Holiday Privacy Statement

GlaxoSmithKline Single Sign On Portal for ClearView and Campaign Tracker - Privacy Statement

Last Approval Date: May Page 1 of 12 I. PURPOSE

What Personally Identifiable Information does EducationDynamics collect?

Iowa Student Loan Online Privacy Statement

Beasley Broadcast Group, Inc. Privacy Policy

ASSEMBLY BILL No. 597

DISCLAIMER, TERMS & CONDITIONS OF USE

Privacy Policy and Notice of Information Practices

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA

CALIFORNIA FALSE CLAIMS ACT GOVERNMENT CODE SECTION

Privacy Policy. Effective Date: September 3, 2015

DailyMailz may collect and process the following personal information about you:

Indiana Social Security Number Disclosure and Security Breach Legislation

State Enforcement of Privacy Laws. Phil Ziperman. Mark Pacella. Allen Brandt, CIPP/US, CIPP/E

CALIFORNIA FAIR DEBT COLLECTION PRACTICES ACT Updated 1 January 2012

SAP Splash Privacy Statement

BILL ANALYSIS. Senate Research Center C.S.S.B By: Wentworth Jurisprudence 4/5/2007 Committee Report (Substituted)

Issue Brief. Arizona State Senate IDENTITY THEFT AND CONSUMER PROTECTION INTRODUCTION IDENTITY THEFT. September 17, 2015.

Table of Contents Governors Budget - Attorney General. Agency Profile. - Attorney General... 1

APPENDIX A that is not acceptable. Arbitration settled by arbitration arbitration shall be held in New Jersey substantive law of New Jersey

Cyber and data Policy wording

ARRIS WHOLE HOME SOLUTION PRIVACY POLICY AND CALIFORNIA PRIVACY RIGHTS STATEMENT

As Amended by Senate Committee SENATE BILL No. 408

Halloween Costume Ideas for the Wii Game

How To Protect Your Privacy On A Safari

Privacy is the ability of an individual or group to keep their lives and

California s Domestic Violence & Mandatory Reporting Law: Requirements for Health Care Practitioners

The following is an excerpt from the 2012 Manual on Town Government. LIABILITY

Privacy Policy for culinarydreamsinc.com

Texas House Bill 300 & HIPAA. A MainNerve Whitepaper

Our collection of information

Definitions. As used in through , the following definitions apply:

Privacy Policy

Student Online - First of January 0

North Carolina General Statutes Chapter 75 Monopolies, Trusts, and Consumer Protection Article 2A Identity Theft Protection Act

WellDyneRxWEST Customer (TPA, Broker, Consultant, Group Health Plan, and other).

Transcription:

February 21, 2014 Hon. Kamala D. Harris Attorney General 13 00 I Street, 1 ih Floor Sacramento, California 95814 Attention: Ms. Ashley Johansson Initiative Coordinator ~CEIVEcJ FEB 2 4 2014 INITIATIVE COORDINATOR ATTORNEY GENERAL'S OFFICE Dear Attorney General Harris: Pursuant to Elections Code Section 9005, we have reviewed the proposed statutory initiative related to the online collection and use of personal information (A.G. File No. 14-0006). Background Personal Information Accessible to Online Entities. Once individuals connect to the Internet, their personal information is accessible to various online entities, such as the companies that make the web browsers individuals typically use to access the Internet. In some cases, the information is provided directly to an online entity by an individual. While in other cases, the information is collected by an entity without an individual actively providing it. For example, any text typed on a website can be scanned and read by online service and webpage providers, including search terms, addresses, login names and passwords, and e-mails. Additionally, in order to connect to the Internet, a computer needs an Internet Protocol (IP) address, which is a numerical label that identifies the computer when connecting to the Internet. Although the IP address does not specifically contain personal information identifying the user of the computer, it can report the location of the computer. We note that an IP address can be used by online service providers to track the activity and information provided online by the user of that computer, such as which websites the user visited. Individuals who connect to the Internet with their smart phones also make their personal information accessible when using mobile applications. This is because such applications often require individuals to provide access to their personal information before they can install the applications. This includes access to phone and email contacts, Internet data, the smart phone's unique identifiers, how the application is used, and the phone's geographic location. Online Entities Mainly Use Personal Information for Marketing. The majority of personal information tracked and collected by online entities is used for marketing, as well as assessing how individuals use websites. For example, websites often want the personal information of Internet users to help them attract new customers, retain old customers, and increase the amount oftime customers spend on their site. Similarly, online advertisement companies use search Legislative Analyst's Office California Legislature Mac Taylor Legislative Analyst 925 L Street, Suite 1000 Sacramento CA 95814 (916) 445-4656 FAX 324-4281

Hon. Kamala D. Harris 2 February 21, 2014 terms, demographic information, and online purchase history to tailor advertisements, advertisement placement, and products for target audiences. For example, if an individual starts spending time on websites with pregnancy information, that individual might start seeing more advertisements on their web browser for baby clothing. Internet Users Have Some Tools to Increase Privacy. To some extent, individuals can control what personal information is collected about them while on the Internet. For example, most major web browsers offer "private browsing" tools to increase privacy and, thus, reduce the amount of personal information that can be accessed by online entities. These tools can include mechanisms to block devices that seek to track the personal information of an individual on the Internet, as well as a "Do Not Track" (DNT) setting that sends a signal to websites and online operators that the individual does not want to be tracked. While this setting is typically recognized by online service providers, there is no legal requirement that such providers adhere to it. We also note that when individuals use "cloud computing," their ability to control the amount of personal information accessible by online entities is limited. (Cloud computing involves computers or drives operating as data storage centers connected through a network, such as the Internet, rather than on the individual's own computer, so that the individual can connect to other computers to store data and later access that data from any device connected to the same network.) This is because data stored on cloud drives can be read by the online service storing the data and its affiliates, and the data can sometimes be accessed illegally online by other entities. State and Federal Privacy Laws. The State Constitution guarantees individuals the right to privacy. In addition, state and federal statutes place limits on the types of personal information that governments and private entities can disclose to others. For example, the Department of Motor Vehicles generally may not release an individual's residence address. State law also requires banks to obtain a customer's permission before sharing his or her financial information with other companies. Similarly, federal law prohibits health care providers from sharing a patient's medical information without permission. State law requires all operators of commercial websites and online services that collect personally identifiable information to clearly state their privacy policy on their website. The policy must specify (1) all personal information that is collected, (2) the types of entities the information may be shared with, and (3) how the website or online service responds to a DNT signal that is received. Currently, the courts have interpreted this law to require compliance from both in-state and out-of-state organizations. Federal law requires website operators and online services directed to children to provide notice of what personal information is collected from children and how it is used. These entities must also obtain parental consent for the collection, use, or disclosure of such information. Enforcement of Privacy Laws. The California Attorney General can enforce privacy laws by prosecuting crimes (such as identity theft and criminal invasion of privacy) and by bringing civil lawsuits against entities that violate privacy laws. In addition, individuals can bring their own lawsuits against governments and private entities that unlawfully share their personal information or negligently fail to protect it from unintended breaches. In order for such a lawsuit

Hon. Kamala D. Harris 3 February 21, 2014 to succeed, a person must prove that he or she suffered harm (such as financial loss or emotional distress) as a result of the privacy violation. Proposal Classifies Certain Online Entities. This measure classifies certain online entities as firstparty or third-party online services. According to the measure, a first-party online service is a service that individuals intentionally interact with, as well as any service that is owned and controlled by, and shares common branding with the service that the individual is interacting with. For example, an online store that an individual purchases products from is considered a first-party online service. The measure also states that a contractor hired by a first-party online service to provide certain services is also considered a first-party online service, if the contractor: (1) acts only as an information processor on behalf of the first-party online service, (2) only provides the information it collects and uses to the first-party online service, (3) has no independent right to the information it collects (except as necessary to provide the services it is paid for), and (4) has a contract with the first-party online service that outlines these restrictions. A third-party online service is a service operated by a for-profit or nonprofit organization that is not considered a first-party online service under the measure. Places Restrictions on Computing Services. The measure places various restrictions on online and cloud computing service providers regarding the use of personal information of California residents. The measure defines personal information to include (1) various forms of identification (such as a driver's license number), (2) contact information (such as an e-mail address), (3) financial information (such as a credit card number), (4) information that could be used to identify a particular individual or device (such as an IP address), and (5) an individual's online activity. Specifically, the measure: Restricts First-Party Online Services From Sharing Personal Information. The measure restricts a first-party online service from requiring that an individual provide consent to the tracking of his or her personal information as a condition of accessing certain content or services. In addition, if an individual sends the first-party online service a DNT signal, the service cannot share, sell, or transfer personal information of that individual to another entity. The measure defines a DNT signal as any means of communication used by individuals to request that their personal information not be tracked. Based on the way the measure is written, it is unclear if government entities would be considered first-party online services. Courts could potentially interpret this measure to apply to government entities providing first-party online services, and such entities could be prohibited from information sharing. Requires Third-Party Services to Comply With DNT Signals. The measure specifies that an operator of a third-party online service shall not track the personal information of an individual who sends a DNT signal, except as necessary to prevent fraud or to comply with a request of a law enforcement agency. Restricts Use of Personal Information by Certain Cloud Computing Services. Under this measure, cloud computing services that provide service to state or local governmental institutions, as well as public or private educational institutions, cannot

Hon. Kamala D. Harris 4 February 21, 2014 use any personal information collected for any purpose other than directly providing services to those institutions. The measure defmes a cloud computing service as any service that connects computers using real-time communications. Changes Related to Litigation and Civil Penalties. The measure creates a legal presumption that the tracking of personal information in a manner prohibited by the measure caused harm to the individual whose information was tracked. This is a change from current law, which typically requires that individuals prove that they were harmed by the tracking of their personal information. The measure allows such individuals, the California Attorney General, any district or city attorney, or county counsel to bring civil action against operators of any online service that violates the restrictions established by this measure. Such online operators would be subject to a civil penalty not to exceed $10,000 per violation, with the penalty revenue going to the jurisdiction on whose behalf the action was brought. If the action is brought by an individual, the penalty revenue would go to the state. In addition, the measure states that when the action is brought on behalf of individuals, the online operator would be required to surrender all consideration received in connection with the violation. For each violation, the measure requires the operator to pay individuals the greater of $1,000 or actual damages. However, in cases where the operator tracked the individual in knowing and willful violation of the measure, the measure requires the operator to pay the individual the greater of $10,000 or actual damages for each violation. Fiscal Effects The magnitude of the fiscal impact of the measure would depend on how the courts interpret various provisions of the measure (such as whether government entities would be considered first-party online services), as well as how governments, private entities, and the public respond to the new law. As we discuss below, the measure would (1) increase costs related to state courts and the enforcement of the measure and (2) create revenue from new civil penalties it authorizes. For the purposes of our analysis, we assume that government entities are not considered firstparty online services. Additional Costs Related to State Courts and Enforcement. To the extent this measure leads to more or lengthier civil actions against online service operators, there would be additional workload for state courts. In addition, the California Attorney General's office and local governments would experience increased costs to the extent they brought civil action against online service operators accused of violating provisions of the measure. The magnitude of these workload costs is uncertain and would depend on how individuals, state and local governments, and private entities respond to the law. Depending on these factors, the above costs could reach millions of dollars in some years. Civil Penalty Revenue. The measure would result in increased penalty revenue for state and local governments resulting from the new civil penalties authorized by the measure. The actual amount of revenue is subject to significant uncertainty and would depend on how the courts interpret various provisions of the measure, as well as how governments, private entities, and the public respond to the new law. Depending on these factors, the increased revenue could reach the tens of millions of dollars in some years.

Hon. Kamala D. Harris 5 February 21, 2014 Summary of Fiscal Effects. This measure would have the following fiscal effects: Sincerely, Increased costs potentially reaching millions of dollars in some years to state and local governments primarily from additional or more costly civil actions and increased court workload. Increased penalty revenue potentially reaching tens of millions of dollars in some years to state and local governments resulting from new civil penalties authorized by the measure. -A-~M hj ~Mac Taylor Legislative Analyst

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information