Connecticut Seal

General Assembly

 

Raised Bill No. 5765

February Session, 2008

 

LCO No. 2439

 

*02439_______GL_*

Referred to Committee on General Law

 

Introduced by:

 

(GL)

 

AN ACT CONCERNING ONLINE ADVERTISING AND PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective October 1, 2008) (a) As used in this section:

(1) "Consumer" means a natural person using or accessing a web site, web page or online service that includes the display of advertisements.

(2) "Nonpersonally identifiable information" means information collected or logged by a third-party advertising network that cannot be used, by itself, to contact, identify or locate a particular person. Nonpersonally identifiable information is typically compiled from click stream information compiled as a browser moves among different web sites serviced by a particular third-party advertising network, but may also include other information collected directly by the third-party advertising network or provided by third parties, provided the information is not personally identifiable to the third-party advertising network.

(3) "Online preference marketing" means third-party advertising delivery and reporting whereby data is collected over time and across multiple web pages controlled by different publishers to determine or predict consumer characteristics or preference for use in advertising delivery on the Internet. Online preference marketing may include the use of personally or nonpersonally identifiable information. Online preference marketing excludes the use of data provided by a publisher directly to a third-party advertising network and used by that third-party advertising network for Internet advertising solely on behalf of such publisher.

(4) "Personally identifiable information" means data that, by itself, can be used to identify, contact or locate a person, including name, address, telephone number or email address.

(5) "Publisher" means a company, individual or other group that has a web site, web page or other Internet page.

(6) "Third-party advertising delivery and reporting" means: (A) Providing an advertisement to a third-party web site; (B) statistical reporting in connection with the activity on a third-party web site; (C) tracking the number of advertisements served on a particular day to a particular third-party web site; and (D) any other activity related to the delivery of advertisements on a third-party web site and that involves the collection or logging of personally or nonpersonally identifiable information about individual visits by a consumer or web browser on the third-party web site.

(7) "Third-party advertising network" means a company, individual or other group that is collecting personally or nonpersonally identifiable information for the purposes of third-party advertising delivery and reporting.

(b) A third-party advertising network shall post clear and conspicuous notice on its own web site about its data collection and use practices related to its third-party advertising delivery and reporting activities. Such notice shall include, without limitation, clear descriptions of the following: (1) The types of information that are collected by the third-party advertising network through its third-party advertising delivery and reporting activities; (2) the types of additional data that may be combined with data collected through third-party advertising delivery and reporting; (3) how personally and nonpersonally identifiable information will be used by the third-party advertising network including transfer, if any, of nonaggregate data to a third-party; and (4) the approximate length of time that such information will be retained by the third-party advertising network. If the third-party advertising network engages in online preference marketing, such notice shall also include clear descriptions of the following: (A) Profiling activities undertaken by the third-party advertising network, including all the types of personally and nonpersonally identifiable information that may be used for online preference marketing; and (B) procedures for opting out of such data use, including a description of circumstances that would make it necessary for a consumer to renew the opt out, such as when a consumer changes computers, changes browsers or deletes relevant cookies. If the third-party advertising network seeks consent from consumers for the use of sensitive information for the purposes of online preference marketing, such notice shall also include a clear description of the types of sensitive information to be used and the procedures for revoking such consent. If the third-party advertising network seeks consent from consumers for the merger of personally identifiable information with nonpersonally identifiable information, such notice shall also include a clear description of the types of nonpersonally identifiable information and personally identifiable information that may be merged and the procedures for revoking such consent for any further merger on a prospective basis. If a third-party advertising network materially changes its data collection and use policy, prior notice shall be posted on its web site. Any such material change shall apply only to information collected following the change in policy. Information collected prior to the material change in policy shall be governed by the policy in effect at the time the information was collected, unless the consumer receives direct notice of the change and an opportunity to choose not to have previously collected information governed by the new policy.

(c) A third-party advertising network, when entering into a contract with a publisher for third-party advertising delivery and reporting services, shall require that the publisher post a privacy policy that clearly and conspicuously discloses the publisher's use of a third-party advertising network and the type of information that may be collected by the third-party advertising network. If the third-party advertising delivery and reporting services include online preference marketing, then the notice shall also clearly and conspicuously disclose that the consumer has the ability to opt out of online preference marketing and include a link to the opt out page. The third-party advertising network shall make every reasonable effort to ensure that any publisher using its third-party advertising delivery and reporting services post a privacy policy on the publisher's web site as required by this section.

(d) A third-party advertising network that engages in online preference marketing shall provide a method for consumers to opt out of online preference marketing by the third-party advertising network. Such method shall be accessible at a designated opt out page on the third-party advertising network's web site.

(e) Third-party advertising networks shall not use information about sensitive medical or financial data, sexual behavior or sexual orientation for the purposes of online preference marketing without the affirmative consent of the consumer. A third-party advertising network that seeks such consent must also provide a means of revoking such consent on a prospective basis. Such means shall be accessible at a designated location on the third-party advertising network's web site.

(f) Third-party advertising networks shall not merge nonpersonally identifiable information collected through third-party advertising delivery and reporting activities with personally identifiable information without the consumer's prior consent to such merger. If the merger involves nonpersonally identifiable information collected on a prospective basis only, prominent notice and an opportunity to opt out is required. The means of opting out must remain available at a designated location on the third-party advertising network's web site. When a consumer exercises the opt out at a later time, after information has been merged, the effect of that choice shall be to revoke consent for further mergers of such information on a prospective basis only. If the merger involves previously collected nonpersonally identifiable information, affirmative opt in consent is required. A third-party advertising network that seeks such consent shall also provide a means of revoking consent for further mergers of such data on a prospective basis. Such means shall be accessible at a designated location on the third-party advertising network's web site.

(g) Third-party advertising networks shall make reasonable efforts to protect data they collect or log as a result of third-party advertising delivery and reporting from loss, misuse, alteration, destruction or improper access. Third-party advertising networks that collect both nonpersonally identifiable information through advertising delivery and reporting activities and personally identifiable information directly from consumers or from third parties shall implement reasonable technical and procedural protections to prevent the merger of personally identifiable information and nonpersonally identifiable information in the absence of the consent of the consumer as required by this act.

(h) Third-party advertising networks shall provide consumers with reasonable access to personally identifiable information and other information that is directly associated with personally identifiable information retained by the third-party advertising network for third-party advertising delivery and reporting uses. The provisions of this subsection shall not require a third-party advertising network to provide an individual with access where: (1) The consumer requesting access cannot reasonably verify his or her identity as the person to whom the personally identifiable information relates; (2) the rights of persons other than the consumer would be violated; (3) the burden or expense of providing access would be disproportionate to the risks of harm to the consumer in the case in question; (4) proprietary or confidential information, technology or business processes would be revealed as a result; (5) revealing the information would likely affect litigation or judicial proceeding in which the third-party advertising network has an interest; or (6) revealing the information would be unlawful, or would likely interfere with the detection or prevention of unlawful activity.

(i) A third-party advertising network may charge a reasonable fee for providing access in accordance with the provisions of this act, which shall not exceed the greater of: (1) The actual cost to the third-party advertising network of responding to the consumer's access request, or (2) the average cost to the third-party advertising network of responding to access requests of a similar type. The obligation to provide access does not, by itself, create an obligation on the organization to retain personally identifiable information.

(j) A violation of subsections (b) to (h), inclusive, of this act shall constitute an unfair trade practice pursuant to subsection (a) of section 42 -110b of the general statutes.

This act shall take effect as follows and shall amend the following sections:

Section 1

October 1, 2008

New section

Statement of Purpose:

To protect consumers from unscrupulous Internet advertising practices.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]