A new online privacy law requires operators of commercial web sites or online services that collect “personally identifiable information” (defined below) of California residents to disclose how they respond to “Do Not Track” signals. Do Not Track is a proposal, analogous to the Do Not Call registry, that enables users to opt out of tracking by web sites that they do not visit, including analytics services, advertising networks, and social platforms, by signaling their opt-out preferences in a message header that is submitted by their web browser.[i] The California Senate and the California Assembly passed A.B. 370 earlier this year, and Governor Jerry Brown approved it on September 27, 2013. The law will go into effect on January 1, 2014, so businesses that have web sites or provide online services, whether located in California or not, should evaluate whether they are collecting personally identifiable information (“PII”) of California residents and whether they need to revise their existing privacy policies to comply with the additional disclosure requirements imposed by the legislation.
The new law does not prohibit tracking or behavioral targeting; instead, it imposes two additional disclosure requirements upon operators of commercial web sites or online services that collect PII of California residents. First, such operators must now disclose how they respond to “Do Not Track” signals or other mechanisms that give consumers a choice regarding the collection of PII about each consumer’s online activities over time and across different web sites or online services.[v] Operators are not required to make this disclosure directly within their privacy policies. They may alternatively satisfy this disclosure requirement by providing clear and conspicuous hyperlinks in their privacy policies to online locations containing descriptions of any program or protocol that they follow that offers consumers a choice about how their activities are being tracked over time and across different web sites and online services.[vi] Second, such operators must disclose whether other parties may collect PII when consumers use their web sites or online services.[vii]
Businesses will likely confront two main issues in complying with the new law. First, they may not know what PII other parties may collect from visitors to their own web sites or services because they either (a) do not know what other companies are providing advertising, analytics, or social networking services on their web sites or services or (b) have not recently reviewed the terms of service of such third parties. Second, because no standard has emerged for how web sites and online services should respond to Do Not Track signals received in the headers of requests from users’ web browsers, operators may not have settled on a policy for responding to such requests. Nevertheless, businesses should start assessing (i) what PII third parties are obtaining from their web sites and online services, (ii) how such third parties are using their users’ PII, and (iii) how they will respond to Do Not Track signals. Furthermore, businesses should work with legal counsel to revise their privacy policies in advance of the January deadline.
- [i] See Do Not Track: Universal Web Tracking Opt Out, donottrack.us, http://donottrack.us/ (last visited Sept. 28, 2013).
- [ii] Cal. Bus. & Prof. Code § 22575(a).
- [iii] Id. § 22575(a)(1)-(6).
- [iv] Id. § 22575(b)(1)-(5).
- [v] Cal. Bus. & Prof. Code § 22575(b)(5).
- [vi] Id. § 22575(b)(7). Such descriptions must also include the effects of any programs or protocols that the operators follow offering the consumers choices about how their activities are being tracked over time and across different web sites and online services. Section 22575(b)(7) is essentially a savings clause that allows businesses to satisfy the new disclosure requirement by providing links in their privacy policies to sites, such as that of the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, that give users the option of opting out of online behavioral advertising.
- [vii] Id. § 22575(b)(6).