California Enacts "Do-Not-Track" Disclosure Law | Practical Law

On September 27, 2013, California Governor Jerry Brown signed AB 370 into law, amending California’s Online Privacy Protection Act to require website and online service operators to disclose practices relating to "do-not-track" mechanisms and online behavioral tracking.

Practical Law Legal Update 6-543-8465 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 01 Oct 2013 | USA (National/Federal)
On September 27, 2013, California Governor Jerry Brown signed AB 370 into law, amending California Business & Professions Code Section 22575, or California’s Online Privacy Protection Act (CalOPPA). Existing California law requires an operator of a commercial website or online service that collects personal information online to conspicuously post its privacy policy on its website or service and to comply with that policy. AB 370 expands this law by adding disclosure requirements relating to "do-not-track" mechanisms and online behavioral tracking.
The changes are effective as of January 1, 2014. Because the law applies to any website and online service operator who collects personally identifiable information through the Internet about individual consumers residing in California, it is expected to have a wide impact on setting new website disclosure practices.
AB 370 adds three paragraphs to CalOPPA, subsections 5, 6 and 7 of 22575(b). Specifically, the amendments require that the operator:
  • Disclose how it responds to "do-not-track" signals or other mechanisms that allow consumers to signal their preferences on the collection of their personal information over time and across third-party web sites or online services, if the operator collects such information.
  • Disclose whether "other parties" may collect personally identifiable information about a consumer who uses the operator's website or service when the collection is over time and across different websites or services.
The law specifies that the operator can satisfy the first requirement by providing a clear and conspicuous hyperlink in its privacy policy to an online location containing a description, including the effect, of any program or protocol the operator follows that allows the consumer to express its preferences. This provision is intended to allow an operator to include a link in its privacy policy to an existing self-regulatory program in which it participates.
It is noteworthy that the law does not:
  • Define what qualifies as a "do not track" mechanism and therefore it may be unclear what technologies trigger the disclosure obligation. For example, the World Wide Web Consortium and digital advertising groups have in recent months been unable to define a national do-not-track standard. Furthermore, while the intent of the law is to encourage operators to respect consumers' do-not-track preferences, an operator may comply with the law by disclosing that it will not, in fact, honor these requests.
  • Define the scope of "other parties" who trigger the third-party disclosure requirement. "Other parties" may include third-party ad networks or website analytics service providers. However, the scope of an operator's obligations may be unclear when it shares information with entities in its own organization.
  • Specify whether it applies to mobile apps, as well as conventional websites. However, the California Attorney General's office has previously stated that CalOPPA applies to mobile applications and can therefore be expected to enforce the law, as amended, accordingly.
In advance of the law's effective date, operators should review their current disclosures and consider amending them as necessary. The existing and amended versions of the law allow an operator who is notified of noncompliance to comply within 30 days of such notice.