California Legislature--2013-14 Regular Session

ASSEMBLY BILL No. 242

Introduced by Assembly Member Chau

February 6, 2013

An act to amend Section 22575 of the Business and Professions Code, relating to privacy.

Legislative Counsel's Digest

AB 242, as introduced, Chau. Privacy: Internet.

Existing law requires an operator of a commercial Web site or online service that collects personally identifiable information through the Internet, about individual consumers residing in California who use or visit its commercial Web site or online service, to make its privacy policy available to consumers, as specified.

This bill would require the privacy policy to be no more than 100 words, be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 22575 of the Business and Professions Code is amended to read:

22575. (a) An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.

(4) Identify its effective date.

(c) The privacy policy required by this section shall be no more than 100 words and shall be written in clear and concise language at no greater than an eighth grade reading level. The privacy policy shall include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.