If they have not already done so, companies that collect information on California residents need to confirm that company websites include appropriate updates to comply with recent amendments (Assembly Bill 370 or “AB 370”) to the California Online Privacy Protection Act (“CalOPPA”) that require “do not track” disclosures.
Recent Amendments to the California Online Privacy Protection Act
CalOPPA previously required an operator of a website that collects personally identifiable information on California residents to conspicuously post an online privacy policy that identifies the types of information collected, disclose whether site users may review and request changes to collected information, describe the process for privacy policy changes and state an effective date for the policy. The AB 370 amendments added further requirements for the website operator to:
(i) disclose how the operator responds to a web browser’s “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and
(ii) disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
While website operators were expected to comply with these updated disclosure obligations as of January 1, 2014, a violation occurs only if an operator fails to post a compliant policy within 30 days after being notified of noncompliance.
Practical Implications
Given the size of California and the reality that many commercial websites will have users who are California residents, these new disclosure requirements have potentially broad geographic reach. At a minimum, companies operating websites that affect California residents should review their online privacy policies to ensure that not only is the privacy policy conspicuously posted and compliant with all of the previous specific requirements of CalOPPA, but also that the policy includes the additional disclosures about “do not track” mechanisms and online data collection practices involving third parties. To implement proper disclosures, many organizations will need to more closely examine their site’s ability to respond to web browser “do not track” signals and maintain tighter oversight of the manner in which third parties may collect information on site users.
Expected Best Practices Guidelines
Continuing its longstanding tradition as one of the more aggressive state regulators of online consumer privacy practices, the California Attorney General’s office announced shortly before AB 370 took effect that it plans to issue a set of best practices guidelines for disclosure of online tracking practices. The guidelines, which may be incorporated into existing staff reports on mobile privacy and online information-sharing practices issued by the Attorney General’s Office of Privacy Education and Policy, are expected to recommend online disclosure practices that go further than what is required under existing California law concerning online privacy practices.
While the anticipated best practices guidelines on disclosure will likely exceed the mandatory provisions of CalOPPA, when issued they may provide a good indication of the direction in which California (and possibly other state and federal privacy regulators) will continue to expand consumer privacy protections. We plan to provide an additional update when the best practices guidelines are issued.
* * *
If you would like more information or need assistance with any of the matters addressed above, including compliance with the required “do not track” disclosures, please contact Kate Rowe, Brett Lockwood, or your SGR counsel.