General Assembly
File No. 148
February Session, 2008
House of Representatives, March 25, 2008
The Committee on General Law reported through REP. STONE of the 9th Dist., Chairperson of the Committee on the part of the House, that the substitute bill ought to pass.
AN ACT CONCERNING ONLINE ADVERTISING AND PRIVACY.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. (NEW) (Effective October 1, 2008) (a) As used in this section:
(1) "Consumer" means a natural person using an online Internet service to access a web site or web page that includes the display of advertisements.
(2) "Nonpersonally identifiable information" means information collected by a third-party advertising network that cannot be used, by itself, to contact, identify or locate a particular person. Nonpersonally identifiable information is compiled from information obtained as an Internet browser moves among different web sites serviced by a particular third-party advertising network, but may also include other information collected directly by the third-party advertising network or provided by third parties, provided the information is not personally identifiable to the third-party advertising network.
(3) "Online preference marketing" means third-party advertising delivery and reporting whereby data is collected over time and across multiple web pages controlled by different publishers to determine or predict consumer characteristics or preference for use in advertising delivery on the Internet. Online preference marketing may include the use of personally or nonpersonally identifiable information. Online preference marketing shall not include the use of data provided by a publisher directly to a third-party advertising network and used by that third-party advertising network for Internet advertising solely on behalf of such publisher.
(4) "Personally identifiable information" means data that, by itself, can be used to identify, contact or locate a person, including name, address, telephone number or email address.
(5) "Publisher" means a company, individual or other group that has a web site, web page or other Internet page.
(6) "Third-party advertising delivery and reporting" means: (A) Providing an advertisement to a third-party Internet web site; (B) statistical reporting in connection with the activity on a third-party web site; (C) tracking the number of advertisements served on a particular day to a particular third-party web site; and (D) any other activity related to the delivery of advertisements on a third-party web site and that involves the collection of personally or nonpersonally identifiable information about individual visits to a third-party web site by a consumer or web browser.
(7) "Third-party advertising network" means a company, individual or other group that is collecting personally or nonpersonally identifiable information for the purposes of third-party advertising delivery and reporting.
(b) A third-party advertising network shall post clear and conspicuous notice on its own web site about its data collection and use practices related to its third-party advertising delivery and reporting activities. Such notice shall include, without limitation, clear descriptions of the following: (1) The types of information that are collected by the third-party advertising network through its third-party advertising delivery and reporting activities; (2) the types of additional data that may be combined with data collected through third-party advertising delivery and reporting; (3) how personally and nonpersonally identifiable information will be used by the third-party advertising network including transfer, if any, of nonaggregate data to a third-party; and (4) the approximate length of time that such information will be retained by the third-party advertising network. If the third-party advertising network engages in online preference marketing, such notice shall also include clear descriptions of the following: (A) Profiling activities undertaken by the third-party advertising network, including all the types of personally and nonpersonally identifiable information that may be used for online preference marketing; and (B) procedures for opting out of such data use, including a description of circumstances that would make it necessary for a consumer to renew the opt out, such as when a consumer changes computers, changes browsers or deletes relevant cookies. If the third-party advertising network seeks consent from consumers for the use of sensitive information for the purposes of online preference marketing, such notice shall also include a clear description of the types of sensitive information to be used and the procedures for revoking such consent. 
If the third-party advertising network seeks consent from consumers for the merger of personally identifiable information with nonpersonally identifiable information, such notice shall also include a clear description of the types of nonpersonally identifiable information and personally identifiable information that may be merged and the procedures for revoking such consent for any further merger on a prospective basis. If a third-party advertising network materially changes its data collection and use policy, prior notice shall be posted on its web site. Any such material change shall apply only to information collected following the change in policy. Information collected prior to the material change in policy shall be governed by the policy in effect at the time the information was collected, unless the consumer receives direct notice of the change and an opportunity to choose not to have previously collected information governed by the new policy.
(c) A third-party advertising network, when entering into a contract with a publisher for third-party advertising delivery and reporting services, shall require that the publisher post a privacy policy that clearly and conspicuously discloses the publisher's use of a third-party advertising network and the type of information that may be collected by the third-party advertising network. If the third-party advertising delivery and reporting services include online preference marketing, then the notice shall also clearly and conspicuously disclose that the consumer has the ability to opt out of online preference marketing and include a link to the opt out page. The third-party advertising network shall make every reasonable effort to ensure that any publisher using its third-party advertising delivery and reporting services post a privacy policy on the publisher's web site as required by this section.
(d) A third-party advertising network that engages in online preference marketing shall provide a method for consumers to opt out of online preference marketing by the third-party advertising network. Such method shall be accessible at a designated opt out page on the third-party advertising network's web site.
(e) Third-party advertising networks shall not use information about sensitive medical or financial data, sexual behavior or sexual orientation for the purposes of online preference marketing without the affirmative consent of the consumer. A third-party advertising network that seeks such consent must also provide a means of revoking such consent on a prospective basis. Such means shall be accessible at a designated location on the third-party advertising network's web site.
(f) Third-party advertising networks shall not merge nonpersonally identifiable information collected through third-party advertising delivery and reporting activities with personally identifiable information without the consumer's prior consent to such merger. If the merger involves nonpersonally identifiable information collected on a prospective basis only, prominent notice and an opportunity to opt out is required. The means of opting out must remain available at a designated location on the third-party advertising network's web site. When a consumer exercises the opt out at a later time, after information has been merged, the effect of that choice shall be to revoke consent for further mergers of such information on a prospective basis only. If the merger involves previously collected nonpersonally identifiable information, affirmative opt in consent is required. A third-party advertising network that seeks such consent shall also provide a means of revoking consent for further mergers of such data on a prospective basis. Such means shall be accessible at a designated location on the third-party advertising network's web site.
(g) Third-party advertising networks shall make reasonable efforts to protect data they collect as a result of third-party advertising delivery and reporting from loss, misuse, alteration, destruction or improper access. Third-party advertising networks that collect both nonpersonally identifiable information through advertising delivery and reporting activities and personally identifiable information directly from consumers or from third parties shall implement reasonable technical and procedural protections to prevent the merger of personally identifiable information and nonpersonally identifiable information in the absence of the consent of the consumer as required by this section.
(h) Third-party advertising networks shall provide consumers with reasonable access to personally identifiable information and other information that is directly associated with personally identifiable information retained by the third-party advertising network for third-party advertising delivery and reporting uses. The provisions of this subsection shall not require a third-party advertising network to provide an individual with access where: (1) The consumer requesting access cannot reasonably verify his or her identity as the person to whom the personally identifiable information relates; (2) the rights of persons other than the consumer would be violated; (3) the burden or expense of providing access would be disproportionate to the risks of harm to the consumer in the case in question; (4) proprietary or confidential information, technology or business processes would be revealed as a result; (5) revealing the information would likely affect litigation or judicial proceeding in which the third-party advertising network has an interest; or (6) revealing the information would be unlawful, or would likely interfere with the detection or prevention of unlawful activity.
(i) A third-party advertising network may charge a reasonable fee for providing access in accordance with the provisions of this section, which shall not exceed the greater of: (1) The actual cost to the third-party advertising network of responding to the consumer's access request, or (2) the average cost to the third-party advertising network of responding to access requests of a similar type. The obligation to provide access does not, by itself, create an obligation on the organization to retain personally identifiable information.
(j) A violation of subsections (b) to (h), inclusive, of this section shall constitute an unfair trade practice pursuant to subsection (a) of section 42-110b of the general statutes.
This act shall take effect as follows and shall amend the following sections:
Section 1 | October 1, 2008 | New section
Statement of Legislative Commissioners:
Changes were made to subsection (a) of section 1 for accuracy and clarity.
GL | Joint Favorable Subst.-LCO
The following fiscal impact statement and bill analysis are prepared for the benefit of members of the General Assembly, solely for the purpose of information, summarization, and explanation, and do not represent the intent of the General Assembly or either chamber thereof for any purpose:
OFA Fiscal Note
Agency Affected | Fund-Effect | FY 09 $ | FY 10 $
Consumer Protection, Dept. | GF - Revenue Gain | Potential Minimal | Potential Minimal
Note: GF=General Fund
Explanation
The bill results in a potential minimal revenue gain due to Connecticut Unfair Trade Practices Act (CUTPA) violations of provisions in the bill.
The Out Years
The annualized ongoing fiscal impact identified above would continue into the future subject to inflation.
OLR Bill Analysis
AN ACT CONCERNING ONLINE ADVERTISING AND PRIVACY.
This bill requires online third-party advertising networks to post notices about their data collection and how they use the collected data to (1) provide advertisements to third-party Internet web sites, (2) report statistics about activity on a web site, (3) track the number of advertisements delivered to particular web sites, and (4) collect personally or nonpersonally identifiable information about separate visits to a web site by a consumer or web browser. Personally identifiable data can be used to identify, contact, or locate a person, and a consumer is an individual using an online Internet service to access a web site or web page that includes advertisements.
The bill sets standards for the notices and sets additional standards if the network engages in online preference marketing, that is, using collected information to determine a consumer's characteristics. Notices of online preference marketing must provide clear descriptions of a network's profiling activities and procedures enabling consumers to opt out. The bill requires networks, when contracting with companies with web sites, to include contract provisions that require the companies to clearly and conspicuously disclose on their sites the facts that they are using a third-party advertising network and the type of information the network may be collecting.
The bill prohibits networks from using information about sensitive medical or financial data or sexual behavior or orientation for online preference marketing without the consumer's agreement.
It also prohibits networks from merging nonpersonally identifiable information with personally identifiable information without the consumer's prior consent.
It requires networks to make reasonable efforts to protect data about consumers and to give consumers reasonable access to personally identifiable information. It authorizes networks to charge a reasonable fee for the access.
The bill makes it an unfair trade practice to violate its provisions, other than the provision allowing networks to charge a reasonable fee when providing consumers with access to personally identifiable information (see BACKGROUND).
EFFECTIVE DATE: October 1, 2008
WEB SITE NOTICE
The bill requires a third-party advertising network to post a clear and conspicuous notice on its own web site about its data collection and use practices related to its third-party advertising delivery and reporting. A “third-party advertising network” is a company, individual, or other group that collects personally or nonpersonally identifiable information for third-party advertising delivery and reporting. “Third-party advertising delivery and reporting” is:
1. providing an advertisement to a third-party Internet web site,
2. statistical reporting in connection with activity on a third-party web site,
3. tracking the number of advertisements served on a particular day to a particular third-party web site, and
4. any other activity related to delivering advertisements on a third-party web site that involves the collection of personally or nonpersonally identifiable information about individual visits to a third-party web site by a consumer or web browser.
“Personally identifiable information” is data that, by itself, can be used to identify, contact, or locate a person, including name, address, telephone number, or e-mail address. “Nonpersonally identifiable information” is information collected by a third-party advertising network that cannot be used, by itself, to contact, identify, or locate a particular person. It is compiled from information obtained as an Internet browser moves among different web sites serviced by a third-party advertising network, but may also include other information the network collects directly or from others.
Notice of Data Collection and Dissemination
The bill requires the advertising network's data collection notice to include clear descriptions of:
1. the types of information that it collects through its third-party advertising delivery and reporting activities;
2. the types of additional data that may be combined with the collected data;
3. how it will use the personally and nonpersonally identifiable information, including the transfer, if any, of nonaggregated data to another; and
4. the approximate length of time that it will keep the information.
Notice of Online Preference Marketing
If the third-party advertising network engages in online preference marketing, the bill requires the notice also to include clear descriptions of:
1. the network's profiling activities, including all types of personally and nonpersonally identifiable information that may be used for online preference marketing; and
2. how a consumer can opt out of such data use, including a description of circumstances that would require a consumer to renew the opt out, such as when a consumer changes computers or browsers or deletes relevant cookies.
“Online preference marketing” is third-party advertising delivery and reporting in which data is collected over time and across multiple web pages controlled by different companies to determine or predict consumer characteristics or preferences to deliver advertisements on the Internet. It may include using personally or nonpersonally identifiable information. The bill provides that this marketing does not include a network's use of data provided by a company directly to it and used for Internet advertising solely on behalf of the company.
If a third-party advertising network seeks consumers' consent to use sensitive information for online preference marketing, the bill requires the notice to include a clear description of the types of sensitive information being used and the procedures for revoking consent. (The bill does not define “sensitive information.”)
If a network seeks consent from consumers to merge personally with nonpersonally identifiable information, the bill requires the notice to include a clear description of the types of information that may be merged and the procedures for revoking consent.
The bill requires a network to post a notice on its web site before materially changing its data collection and use policy on its web site. It makes any such material change apply only to information collected following the policy change. It provides that information collected before the policy change is governed by the policy in effect when the information was collected, unless the consumer receives direct notice of the change and an opportunity to choose not to have it governed by the new policy.
CONTRACTS BETWEEN THIRD-PARTY ADVERTISING NETWORKS AND PUBLISHERS
The bill requires a network, when contracting with a publisher (a company, individual, or group with a web site) for third-party advertising delivery and reporting services, to require the publisher to post a privacy policy that clearly and conspicuously discloses (1) the fact that the publisher is using a third-party advertising network and (2) the type of information that the network may be collecting. If the network is to provide online preference marketing, the bill requires the notice to (1) clearly and conspicuously disclose that the consumer has the ability to opt out and (2) include a link to the opt-out page. The bill requires the network to make every reasonable effort to ensure that a publisher using its services posts a privacy policy on its web site.
OPT OUT REQUIREMENT
The bill requires a third-party advertising network that engages in online preference marketing to provide a method for consumers to opt out of the network's online preference marketing. The method must be accessible at a designated opt-out page on the network's web site.
RESTRICTED INFORMATION
The bill prohibits third-party advertising networks from using information about sensitive medical or financial data, sexual behavior, or sexual orientation for online preference marketing without the consumer's affirmative consent. The bill requires a network that seeks consent to provide a way to revoke it that must be accessible at a designated location on the network's web site.
MERGING DATA
The bill prohibits a network from merging nonpersonally identifiable information it collects through its third-party advertising delivery and reporting activities with personally identifiable information without the consumer's prior consent.
The bill requires a network to post a prominent notice and an opportunity for a consumer to opt out of mergers of nonpersonally identifiable information to be collected in the future. It requires that the way to opt out remain available at a designated location on its web site. If a consumer opts out after information has been merged, the bill makes the opt-out apply only prospectively.
The bill requires a consumer to opt in if the merger involves previously collected nonpersonally identifiable information. It requires a network that seeks such consent to provide a means of revoking consent for future mergers accessible in a designated location on its web site.
REASONABLE EFFORTS TO PROTECT DATA
The bill requires third-party advertising networks to make reasonable efforts to protect the data they collect through their third-party advertising delivery and reporting services from loss, misuse, alteration, destruction, or improper access. It requires networks that collect (1) nonpersonally identifiable information through advertising delivery and reporting activities and (2) personally identifiable information directly from consumers or third parties to implement reasonable technical and procedural protections to prevent information merger without the requisite consumer's consent.
CONSUMER ACCESS TO PERSONALLY IDENTIFIABLE INFORMATION
The bill requires third-party advertising networks to provide consumers with reasonable access to personally identifiable information and other directly associated information they keep for third-party advertising delivery and reporting uses.
But the bill provides that this does not require a network to provide an individual with access if:
1. the consumer requesting access cannot reasonably verify his or her identity as the person to whom the information relates;
2. the rights of others would be violated;
3. the burden or expense of providing access would be disproportionate to the risks to the particular consumer;
4. proprietary or confidential information, technology, or business processes would be revealed;
5. revealing the information would likely affect litigation or judicial proceeding in which the network has an interest; or
6. revealing the information would be unlawful or would likely interfere with the detection or prevention of unlawful activity.
REASONABLE FEES
The bill states that the duty to provide access does not, by itself, create a duty to keep personally identifiable information.
The bill allows a network to charge a reasonable fee for providing access under the bill's provisions. The fee cannot be more than the greater of:
1. the actual cost of responding to the consumer's request, or
2. the average cost of responding to similar requests.
BACKGROUND
Connecticut Unfair Trade Practices Act (CUTPA)
The law prohibits businesses from engaging in unfair and deceptive acts or practices. CUTPA allows the consumer protection commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. The act also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorneys' fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
COMMITTEE ACTION
General Law Committee
Joint Favorable
Yea | 19 | Nay | 0 | (03/06/2008)