California Governor Brown is preparing to sign into law a new online privacy bill (A.B. 370) approved unanimously (78-0) by the California Assembly on August 26, 2013, having previously passed the California Senate by a vote of 37-0 (with 2 non-votes recorded). The Governor is expected to sign the bill before the expiration of the signing period on October 13, 2013. The new law amends the California Online Privacy Protection Act (CalOPPA) to require two new privacy policy disclosures for websites and online services regarding behavior tracking. 

Additionally, in light of California Attorney General Kamala Harris’ public position, provided in a Notice of Non-Compliance sent to the providers of leading mobile applications in October 2012, that her office would interpret CalOPPA’s application to “online services” to include mobile applications as well for compliance and enforcement purposes, the amended CalOPPA language would effectively cover mobile apps as well. Although a court has not yet decided whether the AG’s interpretation of CalOPPA’s applicability to mobile apps is legitimate, the AG’s position and her intention to enforce CalOPPA as if it applies to mobile apps is certain, and must be taken into account by businesses developing or providing mobile apps to smartphone customers. 

According to the bill’s sponsor and proponents, California’s new tracking disclosure law is designed as one additional step to existing California requirements for online privacy policies that will bring greater transparency and consumer scrutiny over websites’ practices related to honoring “Do Not Track” (DNT) preferences of Internet and mobile app users. The bill was sponsored by the California AG’s Office and authored by Assemblymember Al Muratsuchi, a member of the State Assembly’s Committee on Judiciary. The stated purpose of the legislation is to provide greater transparency to consumers about how companies’ websites and online services, including mobile apps, respond to a DNT signal from an Internet browser, as explained by the AG’s Office and A.B. 370’s author in the Assembly Bill Analysis. Assemblymember Muratsuchi explains, “[T]his bill would increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps. A.B. 370 will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal. This will allow the consumer to make an informed decision about their use of the website or service.” The AG’s Office added that “all the major browser companies have offered Do Not Track browser headers that signal to websites an individual’s choice not to be tracked,” but that there was “no legal requirement for sites to honor the headers.” Because the new law will only require disclosures in a business’ privacy policy, the AG’s Office has emphasized that “A.B. 370 is a transparency proposal—not a Do Not Track proposal.” 

As a result of these developments, businesses that have websites or online services, including mobile apps, used by California residents should review and update their privacy policies applicable to those services in order to ensure compliance with the new law. Specifically, A.B. 370 adds three new provisions to Section 22575(b) of the California Business and Professions Code, as follows:

  • Section 22575(b)(5) is a new requirement to disclose how a business’s website or online service “responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services.” The online practice of collecting data about consumers “over time and across third-party websites and services” is legislative and regulatory language typically used to describe online behavioral tracking for marketing purposes, including the delivery of targeted online ads to consumers based on their web-browsing behavior. 
  • Section 22575(b)(6) is a new requirement to disclose whether third parties may collect on a business’s website or online service “personally identifiable information about an individual consumer’s online activities over time and across different Web sites.” This provision would require disclosure of whether third parties engaging in online behavioral tracking for a variety of purposes may collect PII through the business’s website or online service. 
  • Section 22575(b)(7) is a new savings clause stating that a covered business may satisfy the requirement of new section (b)(5) by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” This savings clause was inserted to provide businesses with an alternative way to satisfy the new disclosure requirement by including a link in their privacy policy to existing self-regulatory programs in which they participate (such as the Digital Advertising Alliance's Self-Regulatory Program for Online Behavioral Advertising [NOTE: make underlined phrase an embedded link to http://www.aboutads.info/ ] that permit users to opt out of online behavioral advertising.

For further information, please see our full-length client advisory entitled California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices, which provides a more in-depth analysis of A.B. 370’s CalOPPA amendments and its potential impact on businesses with websites, mobile apps or online services used by California residents. 

Conclusion 

By being the first state in the country to adopt a DNT disclosure bill requiring explicit reference to DNT in a privacy policy, California has established, for now, a de facto disclosure standard for all businesses in the country operating websites or online services that may have California users. The heightened transparency regarding whether websites are honoring DNT or not may result in more companies finalizing their policies regarding DNT so as to avoid potential litigation activities in light of the increasing activity in the plaintiffs’ bar. Increased corporate actions, in turn, may render the W3C efforts less and less relevant, particularly as those talks remain deadlocked. It may also spur greater debate among policymakers in Washington about the necessity of a nationwide federal standard along the lines of Senator Rockefeller’s proposed legislation to authorize the FTC to establish and enforce a DNT mechanism. 

In the near-term, all businesses operating Internet websites or online services, including mobile apps, that could be accessed or used by Californians should review their privacy policies and tracking practices to ensure accurate privacy disclosures in compliance with the new California law, which will become effective on January 1, 2014.