The online versions of legislation provided on this website are not official. Enrolled bills are the final version passed by the Ohio General Assembly and presented to the Governor for signature. The official version of acts signed by the Governor are available from the Secretary of State's Office in the Continental Plaza, 180 East Broad St., Columbus.
|
S. B. No. 354 As IntroducedAs Introduced
127th General Assembly | Regular Session | 2007-2008 |
| |
Cosponsors:
Senators Schuler, Miller, D., Padgett, Mason, Wagoner, Jacobson, Roberts
A BILL
To amend section 1349.99 and to enact section 1349.65
of the Revised Code to regulate online advertising
networks.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That section 1349.99 be amended and section
1349.65 of the Revised Code be enacted to read as follows:
Sec. 1349.65. (A) As used in this section:
(1) "Consumer" means a natural person using or
accessing a
web site, web page, or online service that includes
the display
of advertisements.
(2) "Nonpersonally identifiable information" means an
internet protocol address, or other information, that cannot be
used independently to identify, contact, or locate a consumer.
(3) "Personally identifiable information" means a name,
address, telephone number, electronic mail address, or other
information that can be used independently to identify, contact,
or locate a
consumer.
(4) "Online advertising network" means an individual,
company, or other group that engages in advertising delivery and
reporting on
multiple web pages controlled by different
publishers.
(5) "Online preference marketing" means advertising delivery
and reporting by an online advertising network whereby data is
collected over time, to determine or predict the characteristics
or preferences of a consumer, for use in advertising delivery on
the internet.
(6) "Publisher" means a company, individual, or other group
that has a web site, web page, or other internet page.
(7) "Advertising delivery and reporting" means:
(a) Providing an advertisement to an internet web site;
(b) Statistical reporting in connection with the activity on
a web site that receives advertisements;
(c) Tracking the number of advertisements served on a
particular day to a particular web site;
(d) Any activity related to the delivery of advertisements on
a web site that involves the
collection or logging of personally
or nonpersonally identifiable information
about individual visits
to the web site by a consumer or web
browser.
(8) "Material change" means a change in a policy of data
collection and use practices that involves a new or expanded
collection, use, or disclosure of information that a consumer
acting reasonably under the circumstances would not expect to
occur based on the advertising network's prior policy or on the
substance of any consent provided by the consumer.
(B) An online advertising network that is collecting or
logging
personally or nonpersonally identifiable information shall
post a
clear and conspicuous notice on its own web site. The
notice shall describe the advertising network's policy of data
collection and use practices for advertising delivery
and
reporting activities. The notice shall include, without
limitation, clear descriptions of the following:
(1) The types of information that are collected or logged by
the online
advertising network through its advertising delivery
and reporting
activities including any such activities on the
network's own web site or sites;
(2) The types of additional data that may be combined with
data collected or logged through advertising delivery and
reporting;
(3) The ways in which personally and nonpersonally
identifiable information may be used by the online advertising
network including transfer, if any, to a third party in
nonaggregated form;
(4) The approximate length of time that personally and
nonpersonally identifiable information will be retained by the
online advertising network.
(C) An online advertising network that engages in online
preference marketing shall include, in the notice required under
division (B) of this section, clear descriptions of the following:
(1) Profiling activities undertaken by the online advertising
network, including all the types of personally and nonpersonally
identifiable information that may be collected, logged, or used
for online preference
marketing;
(2) Procedures for opting out of the data use, as required by
division (E) of this section, including a
description of
circumstances that would make it necessary for a
consumer to
renew the opt out, such as when a consumer changes
computers,
changes browsers, or deletes relevant blocks of data
also
commonly known as cookies. If the online advertising network
seeks consent from consumers for the use of sensitive personally
identifiable information, as required by division (F) of this
section,
for the purposes of online preference marketing, the
notice also
shall include a clear description of the types of
sensitive personally identifiable
information to be used and the
procedures for revoking
consent. If
the third-party advertising
network seeks consent from
consumers
for the merger of
personally identifiable information
with
nonpersonally
identifiable information, the notice also shall
include a clear
description of the types of nonpersonally
identifiable
information and personally identifiable information
that may be
merged and the procedures for revoking consent for any
further
merger on a prospective basis. If an online advertising
network
materially changes its policy of data collection and use
practices, it
shall post prior notice of that change on its web
site. Any
material change shall apply only to information
collected
following the change in policy. Information collected
prior to the
material change in policy is governed by the policy
in effect at
the time the information was collected, unless the
consumer
receives direct notice of the change and an opportunity
to choose
not to have previously collected information governed
by the new
policy.
(D) An online advertising network, when entering into a
contract with a publisher for advertising delivery and reporting
services, shall require that the publisher post a privacy policy
that clearly and conspicuously discloses the publisher's use of an
online advertising network and the type of information that may be
collected or logged by the online advertising network. If the
online
advertising delivery and reporting services include online
preference marketing, then the notice also shall clearly and
conspicuously disclose that the consumer has the ability to opt
out of online preference marketing and include a link to the opt
out page. The online advertising network shall make every
reasonable effort to ensure that any publisher using its
advertising delivery and reporting services post a privacy policy
on the publisher's web site as required by this section.
(E) An online advertising network that engages in online
preference marketing shall provide a method for consumers to opt
out of online preference marketing by the
network. The network
shall make the method accessible at a
designated opt out page on
the online advertising network's web
site.
(F) An online advertising network shall not use personally
identifiable information
about a consumer's medical history or
condition, financial
situation, sexual behavior, or sexual
orientation, for the purpose
of online preference marketing
without the affirmative consent of
the consumer. An online
advertising network that seeks consent
also shall provide a means
of revoking consent in the future. The
network shall make the
means accessible at a designated location
on the online
advertising network's web site.
(G) An online advertising network shall not merge
nonpersonally identifiable information collected through
advertising delivery and reporting activities with personally
identifiable information without the consumer's prior consent,
unless the merger is required by law. If
the merger involves
nonpersonally identifiable information that
may be collected in
the future, the network shall give both
prominent notice and an
opportunity to opt out to the consumer.
The means of opting out
shall remain available at a designated
location on the online
advertising network's web site. When a
consumer exercises the opt
out at a later time, after information
has been merged, the
effect of that choice is to revoke consent
for further mergers of
the information. If the merger involves
previously collected
nonpersonally identifiable information, the
network shall obtain
affirmative opt in consent. An online
advertising network that
seeks consent also shall provide a means
of revoking consent for
further mergers of the data. The network
shall make the means
accessible at a designated location on the
online advertising
network's web site.
(H) An online advertising network shall make reasonable
efforts to protect data collected as a result of advertising
delivery and reporting from loss, misuse, alteration, destruction,
or improper access. An online advertising network that collects
both nonpersonally identifiable information through advertising
delivery and reporting activities and personally identifiable
information directly from consumers or from third parties shall
implement reasonable technical and procedural protections to
prevent the unlawful merger of personally identifiable information
and
nonpersonally identifiable information.
(I) An online advertising network shall provide consumers
with reasonable access to personally identifiable information and
other information that is directly associated with personally
identifiable information retained by the online advertising
network for advertising delivery and reporting. This division does
not require an online advertising network to provide an individual
with access where:
(1) The consumer requesting access cannot reasonably verify
his or her identity as the person to whom the personally
identifiable information relates.
(2) The rights of persons other than the consumer would be
violated.
(3) The burden or expense of providing access would be
disproportionate to the risks of harm to the consumer in the case
in question.
(4) Proprietary or confidential information, technology, or
business processes would be revealed as a result.
(5) Revealing the information likely would affect litigation
or judicial proceedings in which the advertising network has an
interest.
(6) Revealing the information would be unlawful, or likely
would interfere with the detection or prevention of unlawful
activity.
(J) An online advertising network may charge a reasonable fee
for providing access in accordance with this section, which shall
not exceed the greater of the actual cost to the online
advertising network of responding to the consumer's access request
or the average cost to the online advertising network of
responding to access requests of a similar type. The obligation to
provide access does not, by itself, create an obligation on the
organization to retain personally identifiable information.
(K)(1) If by the attorney general's own inquiries, or as a
result of complaints received, the attorney general has reasonable
cause to believe that an online advertising network or a publisher
has engaged in, is engaging, or is threatening to engage in an act
or practice that violates this section, the attorney general may
investigate. For this purpose, the attorney general may administer
oaths, subpoena witnesses, adduce evidence, and require the
production of relevant materials. If materials that the attorney
general requires to be produced are located outside the state, the
attorney general may designate representatives, including
officials of the state in which the materials are located, to
inspect the materials on behalf of the attorney general, and the
attorney general may respond to similar requests from officials of
other states. The attorney general shall make reasonable efforts
to coordinate an investigation of an online advertising network or
publisher with officials in other states who the attorney general
has reason to believe are undertaking a similar investigation to
avoid imposing unreasonable discovery burdens on the online
advertising network or publisher that is the subject of the
attorney general's investigation.
(2) The attorney general may bring an action to enjoin a
violation of this section.
(L) The attorney general may approve a self-regulatory
program that is established, implemented, and monitored by a
private industry organization, which imposes requirements on
participants that are equivalent to the requirements of this
section, or that provide greater privacy protections to consumers.
An advertising network or publisher that participates in any
approved private industry self-regulatory program shall be deemed
to be in compliance with this section.
Sec. 1349.99. (A) Whoever violates section 1349.06 or 1349.17
of the Revised Code
is guilty of a minor misdemeanor.
(B)(1) Whoever violates section 1349.45 of the Revised Code
is guilty of a misdemeanor of the first degree.
(2) Notwithstanding division (B)(1) of this section, the only
remedies that are available for a violation of section 1349.45 of
the Revised Code by a registrant or licensee under sections
1322.01 to 1322.12 of the Revised Code are those set forth in
section 1322.10 of the Revised Code or otherwise provided by
statute or common law.
(3) The provisions of division (B) of this section are not
intended to be exclusive remedies and do not preclude the use of
any other remedy provided by law.
(C) Whoever violates section 1349.65 of the Revised Code
shall be fined not more than one thousand dollars for each
violation. Whoever is found to have engaged in a pattern or
practice of violating section 1349.65 of the Revised Code shall be
fined not more than three thousand dollars for each violation. The
amount of any fine imposed pursuant to this division shall not
exceed five hundred thousand dollars.
Section 2. That existing section 1349.99 of the Revised Code
is hereby repealed.
|
|