California’s New Do-Not-Track Privacy Law
As of January 1, 2014, all commercial websites that collect personally identifiable information about users in California are obligated to follow the terms of AB370, the new “Do-Not-Track” online privacy law. What does this new law mean for website owners and consumers?
The California Online Privacy Protection Act of 2003 (“CalOPPA”) has been in effect since July 1, 2004. CalOPPA applies to all commercial websites that collect personally identifiable information (“PII”) from California residents. Note that neither the website nor the company that owns the website needs to be located in California in order to fall under the scope of this law. All websites to which this law applies must conspicuously post privacy policies that indicate:
- The kind of PII gathered.
- How and whether that information may be shared with third parties, and, if so, how the user can review and make changes to their stored PII.
- The policy’s effective date and any changes since that date.
AB370 amended and expanded the terms of CalOPPA as of 1/1/14. The new law concerns how websites respond to Do-Not-Track (“DNT”) signals sent by web browsers. Many browsers allow users to include DNT signals – sometimes as a default setting, sometimes at the user’s choice. Firefox, my browser of choice, includes this feature – read all about it.
OK, so you have your browser send out a DNT signal; what happens then? AB370 was created to help answer that question.
The most important point is that AB370 does not require websites to respond to or comply with DNT signals. You can instruct your browser to send a DNT signal, and a website – even one in California – can receive that signal and simply ignore it without the website operator assuming any liability under AB370. However, the law does require the website’s privacy policy to include certain information about what the website does when it receives a DNT signal. Privacy policies must now answer the following questions:
1. When a browser sends a DNT signal, does the website respond? (Again, the answer can simply be “No,” as long as that fact is spelled out.)
2. If so, how so?
3. Do any third-party applications collect users’ PII over time and across different websites?
Note that AB370 doesn’t require websites to identify those third-party applications. California Business and Professions Code Section 22575(b)(6) simply requires that the privacy policy “[d]isclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
A somewhat forward-thinking subsection of AB370 states that, in the event that a website follows a common program or protocol regarding DNT (should such a thing emerge), it can comply with questions 1 and 2 above by posting a clear and conspicuous link to a description of that program or protocol. The idea is that someone could create a central website detailing a model DNT policy, and websites that fall under the jurisdiction of AB370 could simply link to that rather than each website having to draft its own policy.
It remains to be seen how that develops; at the moment, websites that collect PII are advised to review and amend their own privacy policies to ensure that they are in compliance with AB370 and any other applicable laws.