In the absence of a national legal standard for data privacy and security, the state of California has once again stepped in with legislation to fill the void. On September 27, 2013, Governor Jerry Brown signed amendments to the California Online Privacy Protection Act (CalOPPA), requiring online businesses to disclose how they respond to consumers' Do-Not-Track (DNT) directives. CalOPPA requires any commercial Website that collects personally identifiable information (PII) from consumers to post a privacy policy on its Website. The amendments expand existing disclosure requirements; they do not establish new consumer rights or Website operator obligations. All commercial Websites, online services, and mobile apps are now required to include in their privacy policies an explanation of how they respond to DNT signals, and to disclose whether third parties collect PII on their Websites or apps. The enactment of this law was the latest development in the push by privacy advocates to regulate the increase in tracking of consumers' online activity and the proliferation of targeted behavioral advertising. Earlier this year, browser makers implemented a number of do-not-track options. The latest versions of Internet Explorer, Safari, and Google Chrome all feature do-not-track settings.

CalOPPA has national applicability since it applies to any Website, online service, or mobile application that collects personally identifiable information (PII) from "consumers who reside in California."  Thus, any online business will need to address its requirements since it likely collects PII from California residents.

The DNT Disclosure. The privacy policy of a Website operator must now include a disclosure as to how the Website operator responds to DNT signals or other mechanisms. These signals are triggered when consumers exercise their choice regarding the collection by the Website of PII based upon the consumer's online activities, if the operator engages in such collection activities. Many operators have struggled with discerning what a DNT signal means. Additionally, some browsers have been set to transmit a DNT preference by default, raising the question of what the consumer's preference actually is.

Third Party Collection of PII. The more challenging of the disclosure requirements concerns whether third parties are permitted to collect PII about a consumer's online activities over time and across different Websites. The "third parties" referenced in the law are third-party ad networks or analytics providers who have been given access to the operator's Website, online service, or app. Operators are already required to disclose the categories of third parties with whom a consumer's PII may be shared, and this provision enhances the requirement, so that they must now disclose whether the third parties may actually collect the data. However, operators may not know whether or which third parties are collecting user data. Websites that integrate third-party content or that engage third-party providers who share information with affiliates or sub-contractors may inadvertently permit the collection of such information. The law does permit the use of a "clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice". There are several Websites available that fit this description, which may be a good option for operators that are unclear about how to handle such a signal.

The CalOPPA amendments have the tacit support of the Federal Trade Commission. The FTC has been vocal in its support for a do-not-track mechanism on commercial Websites. In 2012, it issued a report to Congress backing the enactment of legislation that encouraged Website developers to build in privacy protections, include simplified mechanisms like "Do Not Track" protections, and include greater transparency about the use of consumer data. The advertising industry has opposed all such initiatives, but privacy groups and the White House have continued to advocate for such protections.

The law becomes effective January 14, 2014.  It does not authorize a private cause of action.  The California Attorney General has enforcement authority. Penalties of $2500 per violation would be assessable under the California Unfair Competition Law.