California Online Privacy Protection Act of 2003
Privacy Concerns With "Do Not Track" Settings
While 2003’s CalOPPA addressed the issue of what types of PII are collected and with whom PII is shared, it did not address how websites treat web browsers’ "do not track" ("DNT") setting, which varies among websites. DNT settings purport to provide consumers with the ability to exercise control regarding PII collection over time and across third-party websites. Most web browsers, including Mozilla’s Firefox, Apple’s Safari, and Google Chrome, allow users to select a DNT option that, in theory, blocks third party tracking across a network of websites. However, not every website honors other browser’s DNT signals or blocks third party tracking. The inconsistencies in DNT practices may affect consumer’s expectations regarding the collection and use of their online activities, particularly if they have opted out of such online tracking. The new 2013 amendment to CalOPPA aims to address this inconsistency.
The 2013 "Do Not Track" Law
As noted above, AB 370 specifically applies to the use of PII to track users across time and over multiple websites. It requires that operators disclose whether third parties may collect PII about an individual consumer’s online habits as he or she moves from one website to another. For example, a website operator may know that an individual customer is a 38-year-old male who lives on 555 Park Boulevard in San Diego, purchased a camera and booked a hotel online last week and has also visited numerous travel websites within the past two weeks. The collection of user’s PII and online behavior can be a valuable tool in that it allows website operators to better identify and understand their customers, which may lead to more targeted (i.e. relevant) online advertising to those same customers as they move from one website to another. However, many internet users prefer not to be tracked online and utilize web browsers’ DNT setting to prevent tracking.
The amendments to CalOPPA take effect on January 1, 2014, and affected operators have 30 days to comply after being notified of noncompliance to update their privacy policies. Failure to do so may subject operators and developers to fines of up to $2,500 per violation.
Operators and developers of commercial websites, software and mobile apps that collect and transmit PII should review how their online service responds to web browsers "do not track" signal and whether they allow for the use of PII to track users across time and over multiple websites, and operators should timely update their privacy policies to disclose such tracking activities and should update their policies over time as their practices change.