The passage of AB 370 marks the first law addressing Do Not Track (“DNT”) signals sent from web browsers, even if it does not require advertisers or website operators to honor those signals. Instead, the law requires that operators of websites and online services, including mobile applications, notify users about how they handle DNT signals.
CalOPPA requires operators to make specific disclosures in their privacy policies regarding their collection and sharing of personally identifiable information. Effective January 1, 2014, AB 370 will also require operators to disclose in their privacy policies:
- how the operator responds to “do not track” signals sent by a consumer’s browser or other mechanism that provides consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third party websites and online service; and
- whether other parties (e.g., advertisers) may collect personally identifiable information about a consumer’s online activities when that consumer visits the operator’s website or online service.
AB 370 focuses on transparency, but is also limited to the collection of “personally identifiable information” as defined by CalOPPA. Due to this limitation, it is not clear whether the new disclosure obligations would apply to an operator or an authorized third party that collects log data, browser activity, or web protocol logs (through mechanisms that would otherwise respond to “do not track” signals) separately from and not in connection with any personally identifiable information.
Affected businesses will need to update their privacy policies by January 1, 2014, when the new law goes into effect. Businesses should consider starting discussions about company privacy practices, policies and how those will be communicated to users of its websites, online services and mobile applications well in advance of the effective date, as these discussions may take some time.