A.B. 370 Amends the California Online Privacy Protection Act (CalOPPA) to Require New Privacy Policy Disclosures Focused on Behavioral Tracking

California Governor Brown is preparing to sign into law a new online privacy bill (A.B. 370) approved unanimously (78-0) by the California Assembly on August 26, 2013, having previously passed the California Senate by a vote of 37-0 (with two non-votes recorded). Governor Brown is expected to sign the bill before the expiration of the signing period on October 13, 2013. The new law amends the California Online Privacy Protection Act (CalOPPA) to require two new privacy policy disclosures for websites and online services regarding behavioral tracking.

Additionally, in light of California Attorney General Kamala Harris’ public position, provided in a Notice of Non-Compliance sent to the providers of leading mobile applications in October 2012, that her office would interpret CalOPPA’s application to “online services” to include mobile applications for compliance and enforcement purposes, the amended CalOPPA language would effectively cover mobile apps as well. Although a court has not yet decided whether the AG’s interpretation of CalOPPA’s applicability to mobile apps is legitimate, the AG’s position and her intention to enforce CalOPPA as if it applies to mobile apps is certain, and must be taken into account by businesses developing or providing mobile apps to smartphone customers.

According to the bill’s sponsor and proponents, California’s new tracking disclosure law builds on existing California requirements for online privacy policies and is intended to bring greater transparency and consumer scrutiny to how websites handle the “Do Not Track” (DNT) preferences of Internet and mobile app users. The bill was sponsored by the California AG’s Office and authored by Assemblymember Al Muratsuchi, a member of the State Assembly’s Committee on Judiciary. As the AG’s Office and the bill’s author explain in the Assembly Bill Analysis, its stated purpose is to tell consumers how companies’ websites and online services, including mobile apps, respond to a DNT signal sent by an Internet browser. Assemblymember Muratsuchi explains, “[T]his bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. A.B. 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.” The AG’s Office added that “all the major browser companies have offered Do Not Track browser headers that signal to websites an individual’s choice not to be tracked,” but that there was “no legal requirement for sites to honor the headers.” Because the new law only requires disclosures in a business’ privacy policy, the AG’s Office has emphasized that “A.B. 370 is a transparency proposal—not a Do Not Track proposal.”

Amendments to CalOPPA’s Privacy Policy Disclosures

As a result of these developments, businesses that have websites or online services, including mobile apps, used by California residents should review and update their privacy policies applicable to those services in order to ensure compliance with the new law. Specifically, A.B. 370 adds three new provisions to Section 22575(b) of the California Business and Professions Code, as follows:

  • Section 22575(b)(5) is a new requirement to disclose how a business’ website or online service “responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services.” Collecting data about consumers “over time and across third-party websites and services” is the legislative and regulatory phrasing typically used to describe online behavioral tracking for marketing purposes, including the delivery of targeted online ads based on a consumer’s web-browsing behavior. As worded, however, the provision is not limited to the serving of targeted ads: it reaches a company’s policy on responding to DNT signals even where the data is collected for internal product development or research purposes.
  • Section 22575(b)(6) is a new requirement to disclose whether third parties may collect on a business’ website or online service “personally identifiable information about an individual consumer’s online activities over time and across different Web sites.” This provision would require disclosure of whether third parties engaging in online behavioral tracking for a variety of purposes may collect PII through the business’ website or online service.
  • Section 22575(b)(7) is a new savings clause stating that a covered business may satisfy the requirement of new Section (b)(5) by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

Questions Regarding Compliance with Savings Clause

The savings clause in Section 22575(b)(7) was inserted to give businesses an alternative way to satisfy the new disclosure requirement: a link in their privacy policy to an existing self-regulatory program in which they participate (such as the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising) that offers users a way to opt out of online behavioral advertising. It remains an open enforcement question, however, whether more explanation will be required beyond simply providing a link to such a program.

For example, legislators have argued that the Digital Advertising Alliance (DAA) program does not permit users to “opt out” of tracking as distinct from behavioral advertising. Assemblymember Muratsuchi, the author of A.B. 370, has highlighted what he believes is the discrepancy between opting out of online behavioral advertising (permitted by the DAA program) and a comprehensive Do-Not-Track proposal (which the DAA program does not employ). The Senate Floor Analysis includes Mr. Muratsuchi’s comment that “The Digital Advertising Alliance, a coalition of media and marketing organizations, has an icon-based program that companies may voluntarily use that gives consumers an opportunity to learn about and opt out of receiving online behavioral advertising. The program does not allow consumers to choose not to be tracked. The World Wide Web Consortium, an Internet standard setting organization, is working on a standard protocol to allow consumers to communicate a decision not to be tracked.” [Emphasis added.]

California’s Actions within the Greater Legal and Policy Landscape of “Do Not Track” (DNT)

In order to understand the significance of California’s new DNT disclosure law and heightened disclosure requirements for privacy policies relating to the same, it is important to understand the legal and policy landscape in which the bill has been enacted.

2013 has been the year of “Big Data.” One hallmark of Big Data has been the ability to gather information about website and mobile app users in order to (a) target advertising likely to be of most interest to them, (b) understand consumer demographics and (c) conduct analytics for product development and other purposes. Behavioral data is gathered with tracking technologies (e.g., cookies, HTML5 local storage, and ETag/browser-cache tracking) that follow a user across many websites and mobile apps, building profiles from which behavior and interests can be predicted so that relevant products and services may be offered to that user.

The benefits of customized messages to users have long been documented. In 2010, the Network Advertising Initiative noted that consumer response to targeted messages was 100 percent greater than to generalized banner ads, which consumers have largely come to ignore. Many companies work with ad networks, or directly use cookies or other tracking technologies, to track user activity across their own websites as well as other websites and mobile apps.

While highly beneficial for research and ad-serving purposes, the use of tracking technologies to record users’ behavior online or via mobile apps has drawn the attention of regulators concerned about its implications for consumer privacy. In December 2010, in its draft report Protecting Consumer Privacy in an Era of Rapid Change, the Federal Trade Commission (FTC) called on industry to develop self-regulatory standards for responding to DNT signals that users enable in their Internet browsers, asking for a DNT standard that is easy to use, persistent and effective. In March 2012, the FTC finalized its DNT recommendations in the final version of that report. Following this recommendation, every major browser added a DNT option that lets users express a preference not to be tracked. Turning the setting on does not block tracking, however: the browser merely sends a DNT signal, as an HTTP request header, to the websites and ad networks it contacts. Currently, each website is free to respond to that request however it chooses, or to ignore it entirely. The new California law is designed to address this situation by providing greater transparency about how businesses intend to respond to these DNT signals.

Impasse over DNT Standards at the World Wide Web Consortium (W3C)

In response to the FTC’s call for self-regulatory solutions for DNT, the World Wide Web Consortium (W3C), the international body that develops technical standards for the web, formed a Tracking Protection Working Group to develop a unified standard. Despite more than two years of work, the W3C has to date failed to reach consensus on a uniform standard for responding to browser DNT signals. On one side, consumer advocates within the W3C have insisted that companies should stop collecting any behavioral data once a user enables a DNT setting. Advertisers, on the other side, have argued that when a DNT setting is enabled, companies may decline to serve targeted advertising but may still collect the tracking data for non-advertising purposes (e.g., analytics or research).
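To make the mechanism described in the two preceding sections concrete, the following Python sketch is an added example (not code from this page, from any website, or from a standards body). It parses the browser’s DNT request header and shows, side by side, the three server-side responses discussed above: honoring the signal by collecting nothing, the advertisers’ position of collecting but not targeting, and ignoring the signal. The Tk response header values (N, T, C, D) are taken from the W3C Tracking Preference Expression draft, which, as noted, has not been finalized; the cookie name "uid" and the policy labels are assumptions made for illustration.

```python
"""Added illustration of how a site can react to a browser DNT signal.

Assumptions (not from the page): the Tk response header and its values
follow the W3C Tracking Preference Expression draft; "uid" is a
hypothetical long-lived identifier cookie used to build a cross-site profile.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import uuid

# Three policies a site might disclose under the new Section 22575(b)(5).
HONOR = "honor"                # DNT:1 -> stop cross-site collection entirely
NO_TARGETING = "no-targeting"  # DNT:1 -> keep collecting, stop serving targeted ads
IGNORE = "ignore"              # DNT:1 -> disregard the signal


@dataclass(frozen=True)
class Decision:
    collect_cross_site: bool  # record this request in a cross-site profile?
    serve_targeted_ads: bool  # pick ads from that profile?
    tk: str                   # Tk header (draft TPE): N=not tracking, T=tracking,
                              # C=consent, D=disregarding the DNT signal


def parse_dnt(headers: Dict[str, str]) -> Optional[bool]:
    """Return True if the user asked not to be tracked, False if the user
    consented, and None if no valid preference was expressed.

    Header names are matched case-insensitively; only the literal values
    "1" and "0" are recognised, so a malformed value counts as unset."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            v = value.strip()
            if v == "1":
                return True
            if v == "0":
                return False
            return None
    return None


def decide(headers: Dict[str, str], policy: str) -> Decision:
    """Map a request's DNT preference and the site's policy to a Decision."""
    dnt = parse_dnt(headers)
    if dnt is False:
        # Explicit consent: track and target, and say so.
        return Decision(True, True, "C")
    if dnt is None:
        # No preference expressed: the site's default behaviour applies.
        return Decision(True, True, "T")
    # DNT:1 is present; behaviour now depends entirely on the site's policy.
    if policy == HONOR:
        return Decision(False, False, "N")
    if policy == NO_TARGETING:
        # Data is still collected (analytics/research), so Tk must say "T".
        return Decision(True, False, "T")
    if policy == IGNORE:
        return Decision(True, True, "D")
    raise ValueError(f"unknown policy {policy!r}")


def respond(headers: Dict[str, str], policy: str) -> Dict[str, str]:
    """Build the response headers a page would emit for the given policy.

    A profile cookie is set only when the decision is to collect, so under
    HONOR a DNT:1 request leaves the browser without an identifier."""
    d = decide(headers, policy)
    out = {"Tk": d.tk}
    if d.collect_cross_site:
        out["Set-Cookie"] = (
            f"uid={uuid.uuid4().hex}; Max-Age=31536000; SameSite=None; Secure"
        )
    return out


if __name__ == "__main__":
    # Constructed request: a browser that has DNT turned on.
    req = {"Host": "example.test", "DNT": "1"}
    for policy in (HONOR, NO_TARGETING, IGNORE):
        print(policy, decide(req, policy), respond(req, policy).get("Tk"))
```

Note that NO_TARGETING still sets the profile cookie and still reports Tk: T; that is exactly the gap between “opting out of behavioral advertising” and “not being tracked” that the legislators quoted above object to. A privacy policy written under the new law has to say which of these three branches the site actually takes.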

In July 2013, the DAA’s proposal for addressing DNT signals that would continue to permit the collection of behavioral data for research purposes was rejected by the W3C co-chairs. In August 2013, one of the W3C co-chairs resigned from his role to join the President’s effort to address privacy and NSA issues. This leaves the W3C efforts at an impasse with privacy advocates and advertisers making public statements evidencing pessimism that the impasse can be resolved in the immediate future. Last month, the FTC Chairperson stated that the FTC will still await word on the W3C’s progress in developing a DNT standard. Even if no standard emerges, she noted that individual companies have moved forward with initiatives that are expected to address DNT issues.

Federal Legislative Proposal: Senator Rockefeller’s Do-Not-Track Online Act of 2013

Members of Congress are expressing impatience with the negotiation process within the W3C and are offering federal legislative solutions that would go well beyond the new California law if those negotiations should ultimately fail to produce a DNT standard.

Senator Rockefeller (D-WV), Chairman of the Senate Commerce Committee, re-introduced in February 2013 his Do-Not-Track Online Act, which he originally introduced in 2011. Chairman Rockefeller’s bill, S. 418, is cosponsored by Senator Richard Blumenthal (D-CT) and would:

  • authorize the FTC to conduct a rulemaking to establish standards for the implementation of a DNT mechanism;
  • require businesses to anonymize or delete any information about a consumer who chooses not to be tracked (via the DNT mechanism) once the website or online service no longer needs the information to provide the service requested by the individual, unless an individual receives notice and opts in to the continued collection and use; and
  • permit the FTC, State Attorneys General and other officers of a State to bring civil enforcement actions against companies that do not honor DNT requests and/or violate the other provisions of the bill.

These and other members of Congress have also made public statements reflecting their lack of confidence in the W3C process. On April 24, 2013, the Senate Commerce Committee held a full committee hearing entitled “A Status Update on the Development of Voluntary Do-Not-Track Standards.” During the hearing, questions were raised about the efficacy of the AdChoices program administered by the DAA, on the grounds that when a user opts out through AdChoices, data continues to be collected about that individual even though targeted ads are no longer served. The statements of Chairman Rockefeller, Ranking Member Thune (R-SD) and the hearing witnesses, including representatives of the DAA, Mozilla, the Center for Democracy and Technology, and GMU’s Mercatus Center, may be found on the Committee’s hearing webpage.

Businesses Face Surging Class Action Litigation and Regulatory Enforcement over Behavioral Tracking

While policymakers and leading businesses, consumer advocacy groups and academics have debated the DNT policy issues in the variety of legislative and public policy arenas discussed above, the plaintiffs’ class action bar has seized upon the tracking issue in court. Over the past 18 months, more than 183 behavioral tracking class actions have been filed around the country. Marking a milestone in class action litigation, on June 11, 2013, the Seventh Circuit affirmed a 10 million user class in a behavioral tracking case, titled comScore, Inc. v. Jeff Dunstan, et al, Case No. 13-8007, with alleged statutory damages of $10,000 per violation for alleged violations of the Electronic Communications Privacy Act—representing a $1 billion exposure and the largest privacy class action to be certified to date.

Regulatory enforcement regarding behavioral tracking has also increased. Last year, for example, in United States of America (For the Federal Trade Commission) v. Google Inc., the FTC obtained the largest civil penalty in its history ($22.5 million) for placing tracking cookies on Safari users’ browsers in contravention of those users’ privacy settings.

Conclusion

By being the first state in the country to adopt a DNT disclosure bill requiring explicit reference to DNT in a privacy policy, California has established, for now, a de facto disclosure standard for all businesses in the country operating websites or online services that may have California users. The heightened transparency about whether websites honor DNT may prompt more companies to finalize their DNT policies, given the plaintiffs’ bar’s increasing activity in this area. Such corporate action may, in turn, make the W3C effort less and less relevant, particularly while those talks remain deadlocked. It may also spur greater debate among policymakers in Washington about the need for a nationwide federal standard along the lines of Senator Rockefeller’s proposed legislation authorizing the FTC to establish and enforce a DNT mechanism.

In the near-term, all businesses operating Internet websites or online services, including mobile apps, that could be accessed or used by Californians should review their privacy policies and tracking practices to ensure accurate privacy disclosures in compliance with the new California law, which will become effective on January 1, 2014.