HOUSE DOCKET, NO. 3195        FILED ON: 1/20/2023

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 395

 

The Commonwealth of Massachusetts

_________________

PRESENTED BY:

William M. Straus

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act relative to online advertising.

_______________

PETITION OF:

Name: William M. Straus

District/Address: 10th Bristol

Date Added: 1/20/2023



By Representative Straus of Mattapoisett, a petition (accompanied by bill, House, No. 395) of William M. Straus for legislation to further regulate advertising on the Internet.  Consumer Protection and Professional Licensure.

 

[SIMILAR MATTER FILED IN PREVIOUS SESSION
SEE HOUSE, NO. 460 OF 2021-2022.]

 

The Commonwealth of Massachusetts

 

_______________

In the One Hundred and Ninety-Third General Court
(2023-2024)

_______________

 

An Act relative to online advertising.

 

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
 

Section 1.  Notwithstanding any general or special law to the contrary, there shall hereby be established the Online Advertising Act.

Section 2.  For the purposes of this act, the following terms shall have the following meanings:

(A) The term “consumer” shall mean any natural person using or accessing a website, webpage or online service that includes the display of advertisements.

 (B) The term “non-personally identifiable information” means information collected or logged by a third party advertising network that cannot be used, by itself, to contact, identify or locate a particular person.  Non-personally identifiable information is typically compiled from click stream information compiled as a browser moves among different websites serviced by a particular third party advertising network, but may also include other information collected directly by the third party advertising network or provided by third parties (so long as that information is not personally identifiable to the third party advertising network).

(C) The term “online preference marketing” means a type of third party ad delivery and reporting whereby data is collected over time and across multiple web pages controlled by different publishers to determine or predict consumer characteristics or preference for use in ad delivery on the web.  Online preference marketing may include the use of personally or non-personally identifiable information.  Online preference marketing excludes the use of data provided by a publisher directly to a third party advertising network and used by that third party advertising network for Internet advertising solely on behalf of such publisher.

(D) The term “personally identifiable information” means data that, by itself, can be used to identify, contact or locate a person, including name, address, telephone number, or email address.

(E) The term “publisher” means any company, individual or other group that has a website, webpage or other Internet page.

(F) The term “third party ad delivery and reporting” means (1) providing an advertisement to a third party website; (2) statistical reporting in connection with the activity on a third party website; (3) tracking the number of advertisements served on a particular day to a particular third party website; and (4) any other activity related to the delivery of advertisements on a third party website and that involves the collection or logging of personally or non-personally identifiable information about individual visits by a consumer or web browser on the third party website.

(G) The term “third party advertising network” shall mean any company, individual or other group that is collecting personally or non-personally identifiable information for the purposes of third party ad delivery and reporting.

Section 3.  Notice

(A)  A third party advertising network shall post clear and conspicuous notice on its own website about its data collection and use practices related to its third party ad delivery and reporting activities.

(1) Such notice shall include, without limitation, clear descriptions of the following:  (a) what types of information are collected by the third party advertising network through its third party ad delivery and reporting activities; (b) the types of additional data that may be combined with data collected through third party ad delivery and reporting; (c) how personally and non-personally identifiable information will be used by the third party advertising network including transfer, if any, of non-aggregate data to a third party; and (d) the approximate length of time that such information will be retained by the third party advertising network.

(2) If the third party advertising network engages in online preference marketing, such notice shall also include clear descriptions of the following: (a) profiling activities undertaken by the third party advertising network, including all the types of personally and non-personally identifiable information that may be used for online preference marketing; and (b) procedures for opting-out of such data use, as required by Section 4(A) of this Act (including a description of the circumstances that would make it necessary for a consumer to renew the opt-out, such as when a consumer changes computers, changes browsers, or deletes relevant cookies).

(3)  If the third party advertising network seeks consent from consumers for the use of sensitive information for the purposes of online preference marketing, as required by Section 4(B) of this Act, such notice shall also include a clear description of (a) the types of sensitive information to be used, and (b) the procedures for revoking such consent. 

(4)  If the third party advertising network seeks consent from consumers for the merger of personally identifiable information with non-personally identifiable information, as required by Sections 4(C) and 4(D) of this Act, such notice shall also include a clear description of (a) the types of non-personally identifiable information and personally identifiable information that may be merged; and (b) the procedures for revoking such consent for any further merger on a prospective basis.

(5) If a third party advertising network materially changes its data collection and use policy, prior notice shall be posted on its website.  Any such material change shall apply only to information collected following the change in policy.  Information collected prior to the material change in policy shall continue to be governed by the policy in effect at the time the information was collected, unless the consumer receives direct notice of the change and an opportunity to choose not to have previously collected information governed by the new policy.

(B)  A third party advertising network, when entering into a contract with a publisher for third party ad delivery and reporting services, shall require that the publisher post a privacy policy that clearly and conspicuously discloses the publisher’s use of a third party advertising network and the type(s) of information that may be collected by the third party advertising network.

(1) If the third party ad delivery and reporting services include online preference marketing, then the notice shall also clearly and conspicuously (a) disclose that the consumer has the ability to opt-out of online preference marketing and (b) include a link to the opt-out page.

(2) The third party advertising network shall make every reasonable effort to ensure that any publisher using its third party ad delivery and reporting services post a privacy policy on the publisher’s website as required by this section.

Section 4.  Consumer Choice

(A) A third party advertising network that engages in online preference marketing must provide a means for consumers to opt-out of online preference marketing by that third party advertising network.  Such means shall be accessible at a designated opt-out page on the third party advertising network’s website.

(B) Third party advertising networks shall not use information about sensitive medical or financial data, sexual behavior or sexual orientation for the purposes of online preference marketing without the affirmative consent of the consumer.  A third party advertising network that seeks such consent must also provide a means of revoking such consent on a prospective basis.  Such means shall be accessible at a designated location on the third party advertising network’s website.

(C) Third party advertising networks shall not merge non-personally identifiable information collected through third party ad delivery and reporting activities with personally identifiable information without the consumer’s prior consent to such merger.

(1) If the merger involves non-personally identifiable information collected on a prospective basis only, prominent notice and an opportunity to opt-out is required.  The means of opting-out must remain available at a designated location on the third party advertising network’s website.  When a consumer exercises the opt out at a later time, after information has been merged, the effect of that choice will be to revoke consent for further mergers of such information on a prospective basis only.

(2) If the merger involves previously collected non-personally identifiable information, affirmative (opt-in) consent is required.  A third party advertising network that seeks such consent must also provide a means of revoking consent for further mergers of such data on a prospective basis.  Such means shall be accessible at a designated location on the third party advertising network’s website.

Section 5.  Security

(A) Third party advertising networks shall make reasonable efforts to protect the data they collect or log as a result of third party ad delivery and reporting from loss, misuse, alteration, destruction or improper access.

(B) Third party advertising networks that collect both non-personally identifiable information through ad delivery and reporting activities and personally identifiable information directly from consumers or from third parties, shall implement reasonable technical and procedural protections to prevent the merger of personally identifiable information and non-personally identifiable information in the absence of (a) the consent of the consumer as required by Section 4(C) of this Act, or (b) a requirement of law. 

Section 6.  Consumer Access

(A) Third party advertising networks shall provide consumers with reasonable access to personally identifiable information and other information that is directly associated with personally identifiable information retained by the third party advertising network for third party ad delivery and reporting uses.

(B) EXCEPTIONS- This section shall not require a third party advertising network to provide an individual with access where:

(1)  The consumer requesting access cannot reasonably verify his or her identity as the person to whom the personally identifiable information relates;

(2)  The rights of persons other than the consumer would be violated;

(3)  The burden or expense of providing access would be disproportionate to the risks of harm to the consumer in the case in question;

(4)  Proprietary or confidential information, technology or business processes would be revealed as a result;

(5)  Revealing the information would likely affect litigation or judicial proceeding in which the third party advertising network has an interest; or

(6)  Revealing the information would be unlawful, or would likely interfere with the detection or prevention of unlawful activity.

(C)  FEES- A third party advertising network may charge a reasonable fee for providing access in accordance with paragraph (A), which shall not exceed the greater of:

(1) The actual cost to the third party advertising network of responding to the consumer’s access request, or

(2) The average cost to the third party advertising network of responding to access requests of a similar type.

(D)  NO RETENTION OBLIGATION.–– The obligation to provide access does not, by itself, create any obligation on the organization to retain personally identifiable information.

Section 7.  Duration

Third party advertising networks shall keep and use non-personally identifiable information collected through third party ad delivery and reporting activities for a duration of a maximum of twenty-four months from the time of collection, after which the non-personally identifiable information has to be deleted from the third party advertising network’s data storage.

Section 8.  Enforcement

(A) The Attorney General may bring an action against a third party advertising network that violates the provisions of this section.

(B) Any third party advertising network that violates this section shall be subject to a statutory penalty of not more than one thousand dollars for each instance that this section is violated.

(C) A court may increase the statutory penalty up to three times that allowed by paragraph (B) of this section where the third party advertising network has been found to have engaged in a pattern and practice of violating the provisions of this section.

(D) Nothing in this section shall in any way limit rights or remedies which are otherwise available under law to the Attorney General.