An important amendment to the California Online Privacy Protection Act of 2003 (CalOPPA) took effect at the beginning of this year, a change that requires commercial website owners that collect personally identifiable information from California residents to disclose in their online privacy policies additional information regarding the websites’ user tracking practices. CalOPPA requires commercial website operators and online services to “conspicuously post” a privacy policy and abide by its terms. Among other requirements, the policy must disclose the type of personal information collected and identify any third parties with whom the operator may share the information.

Since CalOPPA was enacted in 2003, technology has evolved to permit website operators to engage in sophisticated “behavioral tracking,” which involves collecting data about a user’s activities across multiple websites over time to build a profile of the user’s behavior and interests. The profiles have tremendous value and enable advertisers to tailor communications to a consumer’s real interests and help avoid inundating him or her with unwanted ads. Nevertheless, in response to privacy concerns surrounding the increased use of behavioral tracking, the Federal Trade Commission in 2010 recommended that the digital advertising community “create and implement a mechanism to allow consumers to control the collection and use of their online browsing data, often referred to as ‘Do Not Track.’” By 2013 several major Internet browsers had implemented a Do Not Track mechanism that allows users to request that websites do not track their online activities. To date, however, there is no legal requirement that website operators respect Do Not Track requests.

On September 27, 2013 the California legislature enacted an amendment to CalOPPA to provide consumers with increased transparency regarding websites’ behavioral tracking policies. Specifically, the amendment requires an operator to divulge whether it respects a user’s Do Not Track request and disclose the possible presence of third-party tracking. The amendment does not require an operator to respect a Do Not Track request so long as users are notified of the online tracking policies and can make an informed decision whether to continue using an online website or service that does not respect a Do Not Track request.

If your business collects personally identifiable information from California residents online and is subject to CalOPPA, consider conducting an audit of your online services to determine whether they respect Do Not Track requests and whether any third parties conduct online tracking on your website. If your privacy policy does not accurately describe your practices, the amendment requires that you update your policy to include the requisite disclosures.

Operators receiving notification of noncompliance have 30 days to comply with the amendment. Noncompliance penalties can include fines of up to $2,500 per violation.