Bill Text: CA AB257 | 2013-2014 | Regular Session | Amended


Bill Title: Privacy: commercial Web sites and online services.

Sponsorship: Partisan Bill (Democrat 1)

Status: (Introduced - Dead) 2014-02-03 - From committee: Filed with the Chief Clerk pursuant to Joint Rule 56.

BILL NUMBER: AB 257    AMENDED
BILL TEXT

	AMENDED IN ASSEMBLY  APRIL 17, 2013

INTRODUCED BY   Assembly Member Hall

                        FEBRUARY 7, 2013

   An act to amend Section  22577   22575 
of  , and to add Sections 22575.1, 22575.2, and 22575.3 to,
 the Business and Professions Code, relating to privacy.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 257, as amended, Hall. Privacy:  mobile devices.
  commercial Web sites and online services. 
   Existing law requires an operator of a commercial Web site or
online service that collects personally identifiable information
through the Internet about individual consumers residing in
California who use or visit its commercial Web site or online service
to make its privacy policy available to  the 
consumers, as specified  , including, among others, the
requirement that the policy identifies the categories of personally
identifiable information that the operator collects through the Web
site or online service about individual consumers  . 
   This bill would define an online service for purposes of these
provisions to include mobile applications designed to be downloaded
to and installed on a mobile device. This bill would require the
operator of a mobile application to satisfy various requirements,
including specified privacy policy requirements, procedures to allow
a consumer to access their own personally identifiable information
collected and retained, safeguards to protect personally identifiable
information, a requirement that the operator provide a supplemental
privacy policy if an application collects information not essential
to the application's basic function, and a requirement that the
operator provide a special notice if the application accesses
specified devices and information. The bill would require a mobile
application market, as defined, to comply with specified procedures
allowing access to an application's privacy policy and a means for
users to report applications in violation of the applicable terms of
service or law. The bill would also establish specified requirements
for an advertising network delivering an advertisement through a
mobile application, including a privacy policy requirement, a
requirement that the network obtain prior consent to display an
advertisement in specified circumstances, a requirement that
advertisements be clearly attributable to the host application in
specified circumstances, and required procedures for identifying a
consumer and transmitting information.  
   This bill would require that policy to identify the uses and
retention period for each category of personally identifiable
information, and to describe the process the operator maintains
allowing an individual consumer to review and request changes to any
of his or her personally identifiable information. The bill would
also require the operator to use reasonable security safeguards to
protect personally identifiable information from unauthorized access,
use, disclosure, modification, or destruction, and to describe these
safeguards in its privacy policy. 
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.    Section 22575 of the  
Business and Professions Code  is amended to read: 
   22575.  (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
   (b) The privacy policy required by subdivision (a) shall do all of
the following:
   (1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service  , the uses and retention period for each
category of personally identifiable information collected,  and
the categories of third-party persons or entities with whom the
operator may share that personally identifiable information.
   (2)  If the operator maintains a   Describe
the  process  for   the operator maintains
allowing  an individual consumer who uses or visits its
commercial Web site or online service to review and request changes
to any of his or her personally identifiable information that is
collected through the Web site or online service  , provide a
description of that process  .
   (3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
   (4) Identify its effective date. 
   (5) Describe the security safeguards used to comply with the
requirements of subdivision (c).  
   (c) An operator described in subdivision (a) shall use reasonable
security safeguards to protect personally identifiable information
from unauthorized access, use, disclosure, modification, or
destruction.  
  SECTION 1.    Section 22575.1 is added to the
Business and Professions Code, to read:
   22575.1.  (a) The privacy policy for a mobile application shall
specify and limit practices regarding information retention and
collection, including the types of information collected, the use and
retention period for each category of information, the categories of
third parties with whom personally identifiable information will be
shared, and the choices a consumer has regarding the collection, use,
and sharing of personally identifiable information.
   (b) The operator of a mobile application shall:
   (1) Provide consumers access to their own personally identifiable
information that the application collects and retains.
   (2) Use security safeguards to protect personally identifiable
information from unauthorized access, use, disclosure, modification,
or destruction.
   (3) Provide a supplemental privacy policy with enhanced measures
if an application collects personally identifiable information that
is not essential to the application's basic function.
   (4) Provide consumers with a special notice if the application
accesses text messages, call logs, the camera, the dialer, or the
microphone, or collects location information, financial information,
medical information, or passwords. A special notice shall deliver
notice to the consumer of the information collection. A special
notice shall explain the intended uses of the information and
disclose the type of third parties to whom the information may be
disclosed.
   (c) The requirements for a mobile application privacy policy are
in addition to the requirements specified elsewhere in this chapter.
 
  SEC. 2.    Section 22575.2 is added to the
Business and Professions Code, to read:
   22575.2.  (a) In the application submission process for a new or
updated mobile application, a mobile application market shall include
either of the following:
   (1) An optional data field for a hyperlink to the application's
privacy policy or a statement describing the application's privacy
practices.
   (2) An optional data field for the text of the application's
privacy policy or a statement describing the application's privacy
practices.
   (b) A mobile application market shall:
   (1) Implement a means for users to report applications that do not
comply with the applicable terms of service or law.
   (2) Implement a process for responding to reported instances of
noncompliance with applicable terms of service or law. 

  SEC. 3.    Section 22575.3 is added to the
Business and Professions Code, to read:
   22575.3.  An advertising network delivering an advertisement
through a mobile application shall:
   (a) Include a privacy policy governing the collection, use,
disclosure, and retention of personally identifiable information.
This policy shall be made available to users of mobile applications
and application developers.
   (b) Obtain prior consent before displaying an advertisement
delivered through an application and displayed outside the context of
the application.
   (c) Provide clear attribution of the host application responsible
for an advertisement delivered through an application and displayed
outside the context of the application.
   (d) Obtain prior consent before accessing personally identifiable
information.
   (e) Use application-specific or temporary device identifiers, not
unchangeable device-specific identifiers.
   (f) Transmit user data securely, using encryption for permanent
unique device identifiers and personal information. 

  SEC. 4.    Section 22577 of the Business and
Professions Code is amended to read:
   22577.  For the purposes of this chapter, the following
definitions apply:
   (a) The term "personally identifiable information" means
individually identifiable information about an individual consumer
collected online by the operator from that individual and maintained
by the operator in an accessible form, including any of the
following:
   (1) A first and last name.
   (2) A home or other physical address, including street name and
name of a city or town.
   (3) An e-mail address.
   (4) A telephone number.
   (5) A social security number.
   (6) Any other identifier that permits the physical or online
contacting of a specific individual.
   (7) Information concerning a user that the Web site or online
service collects online from the user and maintains in personally
identifiable form in combination with an identifier described in this
subdivision.
   (b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
   (1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
   (2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
   (3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
   (A) Includes the word "privacy."
   (B) Is written in capital letters equal to or greater in size than
the surrounding text.
   (C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
   (4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
   (5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service, except for a mobile application, which shall
follow the requirements in Section 22575.1.
   (c) The term "operator" means any person or entity that owns a Web
site located on the Internet or an online service that collects and
maintains personally identifiable information from a consumer
residing in California who uses or visits the Web site or online
service if the Web site or online service is operated for commercial
purposes. It does not include any third party that operates, hosts,
or manages, but does not own, a Web site or online service on the
owner's behalf or by processing information on behalf of the owner.
   (d) The term "consumer" means any individual who seeks or
acquires, by purchase or lease, any goods, services, money, or credit
for personal, family, or household purposes.
   (e) The term "online service" includes, but shall not be limited
to, a mobile application.
   (f) The term "mobile application" means an application designed to
be downloaded to and installed on a mobile device, such as a mobile
phone, a tablet, or a smart phone.
   (g) The term "mobile application market" means a computerized
system where a person can purchase a mobile application and download
the mobile application directly to a mobile device. 