As many of our readers already know, California’s new data privacy law went into effect earlier this month on January 1, 2014.  The law places strict requirements on operators of websites and other online services that collect certain information about California residents.  In addition to addressing other aspects of collecting personally identifiable information (“PII”) from California residents, the new law focuses on the collection and use of “cookies.”  For those who are unaware, “cookies” are small files that are stored on users’ computers to track Internet activity and allow online marketers to deliver targeted advertising to them.

Who Must Comply With California’s Data Privacy Law?

The scope of California’s new Internet data privacy law is broad and is applicable to any entity that operates a commercial website or online service that collects California consumer PII.  The California Attorney General’s Office has made clear that service providers are specifically excluded from the requirements set forth in the data privacy law.

What Does California’s Data Privacy Law Require?

California’s data privacy law requires, among other things, that the Privacy Policies of covered entities:  (1) identify the categories of PII that are collected and the third parties with which the PII may be shared; (2) provide a description of the process for users to review and change their preferences for the types and amount of PII collected; (3) describe the process by which users are notified of material changes to the Privacy Policy; (4) disclose how the operator responds to users’ “do not track” web browser signals regarding the collection of PII; and (5) disclose whether third parties may collect user PII across different websites when consumers use the operator’s website or service.

Concerns with the Internet Data Privacy Law

How do you know that a person visiting your website is a California State resident? Even if you track the person’s IP address, there is no way of really knowing where the person resides.  For example, a California resident could be vacationing in New York and visit your website from there.  Or, a California resident could work in a neighboring state and access your website from his or her office computer.  The only sure way to protect your company is to apply the new California requirements to your website across the board (for all consumers, regardless of location).