California’s New Do-Not-Track Privacy Law
As of January 1, 2014, all commercial websites that collect personally identifiable information about users in California are obligated to follow the terms of AB370, the new “Do-Not-Track” online privacy law. What does this new law mean for website owners and consumers?
The California Online Privacy Protection Act of 2003 (“CalOPPA”) has been in effect since July 1, 2004. CalOPPA applies to all commercial websites that collect personally identifiable information (“PII”) from California residents. Note that neither the website nor the company that owns the website needs to be located in California in order to fall under the scope of this law. All websites to which this law applies must conspicuously post privacy policies that indicate:
- The kind of PII gathered.
- How and whether that information may be shared with third parties, and, if so, how the user can review and make changes to their stored PII.
- The policy’s effective date and any changes since that date.
AB370 amended and expanded the terms of CalOPPA as of 1/1/14. The new law concerns how websites respond to Do-Not-Track (“DNT”) signals sent by web browsers. Many browsers allow users to include DNT signals – sometimes as a default setting, sometimes at the user’s choice. Firefox, my browser of choice, includes this feature – read all about it.
OK, so you have your browser send out a DNT signal; what happens then? AB370 was created to help answer that question.
1. When a browser sends a DNT signal, does the website respond? (Again, the answer can simply be “No,” as long as that fact is spelled out.)
2. If so, how so?
3. Do any third-party applications collect users’ PII over time and across different websites?
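The post describes the mechanism in legal terms only: the browser sends a DNT signal, and the site either responds to it or discloses that it does not. The following is an added example, not code from the original post, showing what a server-side check of that signal can look like. It assumes the W3C Tracking Preference Expression conventions (a `DNT: 1` request header for opt-out, `DNT: 0` for consent, and a `Tk` response header telling the browser what the site did), and the `site_honors_dnt` flag is a hypothetical stand-in for whatever the site's privacy policy actually discloses.

```python
"""Added example: reading the browser's Do-Not-Track (DNT) request header and
deriving a tracking decision plus the matching W3C "Tk" response header.
Not code from the original post; sample requests below are constructed."""


def dnt_preference(headers):
    """Map the DNT request header to 'opt-out', 'consent' or 'unset'.

    Per the W3C Tracking Preference Expression (TPE) draft, DNT: 1 means the
    user asks not to be tracked, DNT: 0 means explicit consent, and no header
    means no preference was expressed. HTTP header names are case-insensitive,
    so the lookup is normalized first.
    """
    normalized = {name.lower(): value.strip() for name, value in headers.items()}
    value = normalized.get("dnt")
    if value == "1":
        return "opt-out"
    if value == "0":
        return "consent"
    return "unset"


def tracking_decision(headers, site_honors_dnt):
    """Return (tracking_enabled, tk_header_value) for one request.

    site_honors_dnt (hypothetical policy flag) models what the site discloses
    in its privacy policy. AB370 requires the site to state how it responds to
    DNT; "we do not respond" is an allowed answer, and such a site keeps
    tracking regardless of the header. The Tk value follows the TPE draft:
    "N" (not tracking), "T" (tracking) or "D" (disregarding the DNT signal).
    """
    preference = dnt_preference(headers)
    if not site_honors_dnt:
        # Tracking continues; "D" signals that an opt-out request was ignored.
        return True, ("D" if preference == "opt-out" else "T")
    if preference == "opt-out":
        return False, "N"
    return True, "T"


def apply_to_response(headers, site_honors_dnt, response_headers):
    """Set the Tk response header and return whether third-party trackers may load."""
    enabled, tk = tracking_decision(headers, site_honors_dnt)
    response_headers["Tk"] = tk
    return enabled


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "firefox_dnt_on": {"Host": "example.test", "DNT": "1"},
    "explicit_consent": {"Host": "example.test", "dnt": "0"},
    "no_preference": {"Host": "example.test"},
}

if __name__ == "__main__":
    for name, request in SAMPLE_REQUESTS.items():
        for honors in (True, False):
            response = {}
            enabled = apply_to_response(request, honors, response)
            print(f"{name:17} honors_dnt={honors!s:5} tracking={enabled!s:5} Tk={response['Tk']}")
```

The decision to gate third-party trackers on the header is the site's own; the law only requires that whatever the site does be disclosed. Emitting `Tk: D` when the signal is ignored at least makes that behaviour visible to the user's browser, which is the kind of transparency the disclosure requirement is after.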
A somewhat forward-thinking subsection of AB370 states that, in the event that a website follows a common program or protocol regarding DNT (should such a thing emerge), it can comply with items 1 and 2 above by posting a clear and conspicuous link to a description of that policy. The idea is that someone could create a central website detailing a model DNT policy, and websites that fall under the jurisdiction of AB370 could simply link to that rather than each website having to draft its own policy.
It remains to be seen how that develops; at the moment, websites that collect PII are advised to review and amend their own privacy policies to ensure that they are in compliance with AB370 and any other applicable laws.