Beginning January 1, 2014, websites and online service operators that collect consumers’ personally identifiable information will likely be forced to update their privacy policies to comply with a new law in California. Existing California law requires website and online service operators that collect personally identifiable information such as names, addresses, or social security numbers, to post privacy policies on their websites. Recently signed into law by the Governor of California, AB 370, “An Act to Amend Section 22575 of the Business and Professions Code, Relating to Consumers” will require website operators to add a section to privacy policies disclosing how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information.
The new law reflects concerns over the growth in online tracking and data auctions. In the analysis accompanying the law, the California legislature expressed concern over the sale of consumer profiles created from the tracking of data as well as the general lack of consumer awareness of online tracking. Notably, the law does not prohibit tracking; it merely requires companies to make it clear how they respond to consumer requests not to track.  Therefore, privacy policies will need to be updated to provide this information.
The law is one more step that the California legislature has taken in its leading effort to require privacy disclosures on websites that collect information from its residents. California previously enacted the “California Online Privacy Protection Act,” which requires website operators to post privacy policies that disclose (i) the type of personal information the website collects, (ii) the categories of third parties or entities with which personal information may be shared, (iii) the process by which consumers may review and request changes to any personal information the site collects, (iv) the process for notifying consumers who use the website of material changes to website privacy policies, and (v)  the effective date of the privacy policy. Additionally, California’s “Shine the Light” law requires businesses that collect personal information from California residents for marketing purposes to provide consumers, upon request, with a list of the categories of personal information disclosed to third parties and a list of all third parties that have received personal information from the business during the preceding calendar year.
Website operators that interact with California residents should be aware of this new law. Although updating the privacy policy may only take a few moments, it is better done sooner than later.  Operators will be in violation of the new law if they fail to post a complying privacy policy within 30 days after being notified of noncompliance. Failure to comply may result in penalties of up to $2,500 per violation.
We are continuing to monitor developments related to the requirements for website operators. Please contact the listed attorneys with questions.

Dan Jasnow