Commercial website operators should be reviewing their online privacy policies to ensure they are in compliance with California’s new “do not track” law.  On September 27, 2013, California Governor Jerry Brown signed into law AB 370 which amends the California Online Privacy Protection Act of 2003 (CalOPPA). AB370, introduced by Asm. Al Muratsuchi, amends Section 22575 of the California Business and Professions Code to require commercial website operators to openly disclose how they will respond to a “do not track” signal from an internet browser.

A “do not track” signal is a mechanism by which an Internet user can click an option within their browser that will automatically tell every website (they) visit that the internet browser used does not wish to have their activity tracked. Despite much attention and effort devoted to the topic, the term “track” still does not have a widely accepted definition.  (However, it is most frequently assumed to mean that the user does not wish to have their personal internet browsing seen by third party websites). 

The W3C’s Tracking Protection Working Group (TPWG) was tasked with defining the term and establishing a self-regulatory system with rules dictating how a website should respond to a “do not track” signal from an Internet user’s browser. The TPWG was created more than two years ago and has made little to no progress on their goals. Due to the lack of progress, the Digital Advertising Alliance (DDA), a “consortium of the leading national advertising and marketing trade groups,” withdrew from the TPWG with DAA CEO stating, “the TPWG had yet to reach agreement on the most elementary and material issues facing the group.” The TPWG continues to function despite the departure of the DAA; however, some have lost faith in the group’s ability to effectively dictate policy.

With the passage of AB 370, California is giving the advertising industry a gentle prod because the bill does not attempt to define or regulate “do not track”, but does increase the transparency of which information is collected and how it is used. What the new lawdoes regulate is commercial websites’ privacy policies, thereby requiring that the commercial website operator explicitly state whether they will honor a “do not track” signal from a user’s browser. Although this is a California law, any commercial website that collects personal information from California residents should be aware of this new law and determine whether their privacy policies need to be updated.

AB 370 went into effect on January 1, 2014, so privacy policies should be updated already; however, a cursory review of several well-known commercial websites shows that many organizations have not yet updated their privacy policies. Website operators covered by CalOPPA have 30 days to comply with the new amendments after being notified or noncompliance or they can face fines of up to $2,500 per violation of CalOPPA.

“Happy New Year, Happy Updated Privacy Policy” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.