Have you ever noticed that, after visiting a website, you suddenly start seeing banner ads for the product you were looking at on every webpage that you open? Well, you are not the only one, and the California legislature has taken notice.
On September 27, 2013, AB 370 was signed into law. Now, effective January 1, 2014, website operators will be required to provide their website users with more transparency as to their tracking of users’ online activities. AB 370 amends Section 22575 of the California Business and Professions Code (California’s Online Privacy Protection Act or CalOPPA), which requires certain disclosures in privacy policies. Now under CalOPPA, if an online website operator collects personally identifiable information (“PII”) about an individual’s online activities over time and across third party websites or online services, the operator must disclose how its site (including mobile apps) responds to browser “do not track” signals or “other mechanisms that provide consumers the ability to exercise choice regarding such collection.” The law allows the website operator to include a hyperlink in the operator’s privacy policy to another online location that describes any program or protocol that the operator follows that offers the user a choice. Companies also must disclose whether third parties collect PII about an individual’s online activities over time and across third party websites or online services when the consumer uses the company’s website or service. The law does not, however, require that the privacy policy identify the name(s) of the third parties that collect this information on the operator’s site. Also note that for the purpose of the required disclosure under AB 370, it is irrelevant whether the operator conducts the tracking for its own internal use to improve its products or uses the tracking information to serve ads to a user on another site (per my example above). These new disclosures must be included in a company’s website privacy policy.
Although CalOPPA is a California law, its reach extends beyond California, as the law applies to websites run from anywhere that collect PII from California residents. Additionally, if a privacy policy does not accurately disclose how the associated website responds to “do not track” signals, the Federal Trade Commission can enforce such a violation as an unfair or deceptive trade practice.
CalOPPA does not define what it means to “do not track” a user. The World Wide Web Consortium’s (W3C) efforts to develop an industry standard of what “do not track” means have stalled and will not be completed before January 1, 2014. Also note that CalOPPA does not actually require a website to follow or abide by the “do not track” signal that it may receive from a browser or other mechanism. AB 370 is not a prohibition on user tracking. Rather, CalOPPA attempts to ensure transparency so users can be better informed as to whether a website’s practices include such tracking.
Operators will be in violation of the law if they do not comply within 30 days of being notified of noncompliance. The California Attorney General historically has found that each download of a non-compliant app is a separate and distinct violation, and fines can be up to $2500 per violation.
Operators of websites and mobile applications should work with legal counsel to review their sites and apps to determine: the operator’s tracking methods; how the operator responds to “do not track” signals; and whether third parties use tracking methods on their sites or apps. Based on the results, operators should review their privacy policy and include the appropriate disclosures in it.