The California Senate and Assembly recently passed an amendment (AB370) to the California Online Privacy Protection Act (the "Act"). The amendment will require operators of commercial websites or online services ("website operators") to update their privacy policies to disclose how they respond to Do Not Track signals from web browsers and whether they allow third parties to engage in online tracking. The amendment is expected to be signed by Governor Jerry Brown, who has until Monday, September 16, 2013 to veto or sign the bill before it automatically becomes law. And if it becomes law, it will have impact beyond California - the Act purports to apply to any website that collects information from California residents.
- A disclosure on "how the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites, if the operator engages in that collection;" and
- A disclosure on "whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website."
This amendment, stated plainly, requires website operators to 1) say if it allows others to track; 2) say if it does its own tracking, and if it does, then how it tracks; and 3) how it responds to Do Not Track signals. It requires disclosure only, and does not prohibit tracking.
A much as California has some of the strictest privacy laws in the country, this amendment appears to be a middle-ground between the online advertising industry and the privacy advocates. It does not prohibit tracking or provide any Do Not Track standards or practices, which would have satisfied many of the privacy advocates. But, it does tighten the reins on how website operators deal with, and respond to, Do Not Track browser signals.