The passage of AB 370 marks the first law addressing Do Not Track (“DNT”) signals sent from web browsers, even if it does not require advertisers or website operators to honor those signals. Instead, the law requires that operators of websites and online services, including mobile applications, notify users about how they handle DNT signals.

AB 370 does not create a standalone law, but amends the California Online Privacy Protection Act (CalOPPA), Cal. Bus. And Prof. Code Sections 22575-22579, and must be interpreted within that statute’s requirements. CalOPPA requires operators of a website or online service to post a privacy policy if they collect “personally identifiable information” from consumers in California. CalOPPA defines personally identifiable information as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:” (1) first and last name; (2) home or other physical address, including street name and name of a city or town; (3) email address; (4) telephone number; (5) social security number; (6) any other identifier that permits the physical or online contacting of a specific individual; or (7) information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

CalOPPA requires operators to make specific disclosures in their privacy policies regarding their collection and sharing of personally identifiable information. Effective January 1, 2014, AB 370 will also require operators to disclose in their privacy policies:

  • how the operator responds to “do not track” signals sent by a consumer’s browser or other mechanism that provides consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third party websites and online service; and
  • whether other parties (e.g., advertisers) may collect personally identifiable information about a consumer’s online activities when that consumer visits the operator’s website or online service.

AB 370 focuses on transparency, but is also limited to the collection of “personally identifiable information” as defined by CalOPPA. Due to this limitation, it is not clear whether the new disclosure obligations would apply to an operator or an authorized third party that collects log data, browser activity, or web protocol logs (through mechanisms that would otherwise respond to “do not track” signals) separately from and not in connection with any personally identifiable information.

Affected businesses will need to update their privacy policies by January 1, 2014, when the new law goes into effect. Businesses should consider starting discussions about company privacy practices, policies and how those will be communicated to users of its websites, online services and mobile applications well in advance of the effective date, as these discussions may take some time.