California State Sen. Alan Lowenthal (D-27) introduced S.B. 761, which would offer California consumers a way to opt out from having their online data collected, used, or stored by a person or an entity doing business in California. S.B. 761 would amend California’s Consumer Protection Against Computer Spyware Act to require that, "No later than July 1, 2012, the Attorney General (AG), in consultation with the California Office of Privacy Protection, shall adopt regulations that would require a covered entity doing business in California to provide a consumer in this state with a method for the consumer to opt out of the collection or use of any covered information by a covered entity."

These regulations would "(A) Include a requirement for a covered entity to disclose, in a manner that is easily accessible to a consumer, information on the collection, use, and storage of information practices, how the entity uses or discloses that information, and the names of the persons to whom that entity would disclose that information" and "(B) Prohibit the collection or use of covered information by a covered entity for which a consumer has opted out of such collection or use, unless the consumer changes his or her opt-out preference to allow the collection or use of that information."

S.B. 761 would also authorize the AG to promulgate regulations that would: (A) require providing "a consumer with a means to access the covered information of that consumer and the data retention and security policies of the covered entity in a format that is clear and easy to understand"; and (B) require "that some or all of the regulations apply with regard to the collection and use of covered information, regardless of the source." The AG is also authorized to "exempt from some or all of the regulations ... certain commonly accepted commercial" or operation practices. One of the possible categories, which might be applied loosely to marketing research, is "(B) Analyzing data related to use of the product or service for purposes of improving the products, services, or operations."

S.B. 761 defines “covered entity” as "a person or entity doing business in California that collects, uses, or stores online data containing covered information from a consumer in this state". This does not include any local, state or federal government entity "or instrumentality". The definition also excludes "Any person who can demonstrate that he or she does all of the following: (i) Stores covered information from or about fewer than 15,000 individuals. (ii) Collects covered information from or about fewer than 10,000 individuals during any 12-month period. (iii) Does not collect or store sensitive information. (iv) Does not use covered information to study, monitor, or analyze the behavior of individuals as the person's primary business." Most research companies would fit the definition of "covered entity".

The bill defines “covered information” as "with respect to an individual, any of the following that is transmitted online: (i) The online activity of the individual, including, but not limited to, the Internet Web sites and content from Internet Web sites accessed; the date and hour of online access; the computer and geolocation from which online information was accessed; and the means by which online information was accessed, such as, but not limited to, a device, browser, or application. (ii) Any unique or substantially unique identifier, such as a customer number or Internet Protocol address. (iii) Personal information including, but not limited to, a name; a postal address or other location; an e-mail address or other user name; a telephone or fax number; a government-issued identification number, such as a tax identification number, a passport number, or a driver's license number; or a financial account number, or credit card or debit card number, or any required security code, access code, or password that is necessary to permit access to an individual' s financial account." The definition does not include business contact information "or an individual's name when collected, stored, used, or disclosed in connection with that employment status; or any information collected from or about an employee by an employer, prospective employer, or former employer that directly relates to the employee-employer relationship."

S.B. 761 defines "sensitive information" as (i) "Any information that is associated with covered information of an individual and relates directly to that individual's medical history, physical or mental health, or the provision of health care to the individual; race or ethnicity; religious beliefs and affiliation; sexual orientation or sexual behavior; income, assets, liabilities, or financial records, and other financial information associated with a financial account, including balances and other financial information, except when financial account information is provided by the individual and is used only to process an authorized credit or debit to the account; or precise geolocation information and any information about the individual's activities and relationships associated with that geolocation"; (ii) "An individual's unique biometric data, including a fingerprint or retina scan, or social security number"; and anything else the Attorney's General's office determines via the regulatory process.

Private rights of action are allowed under S.B. 761, and willfully failing to comply with the bill's requirements would result in statutory damages.

This legislation appears to be an amalgamation of provisions and concepts from the FTC's Privacy Report and Rep. Bobby Rush's Best Practices Act and as drafted would pose a substantial threat to survey research. MRA will be sharing our concerns with Sen. Lowenthal -- and with the members of the Senate Judiciary Committee, before their scheduled hearing on S.B. 761 on May  3.