The California Senate and Assembly recently passed an amendment (AB370) to the California Online Privacy Protection Act (the "Act"). The amendment will require operators of commercial websites or online services ("website operators") to update their privacy policies to disclose how they respond to Do Not Track signals from web browsers and whether they allow third parties to engage in online tracking. The amendment is expected to be signed by Governor Jerry Brown, who has until Monday, September 16, 2013 to veto or sign the bill before it automatically becomes law. And if it becomes law, it will have impact beyond California - the Act purports to apply to any website that collects information from California residents.

Under the Act, operators of covered websites already must conspicuously post a privacy policy disclosing the categories of personally identifiable information the operator collects about website users and the third parties with whom the operator shares this information. The amendment requires that a website operator add the following to its privacy policy:

  1. A disclosure on "how the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites, if the operator engages in that collection;" and
  2. A disclosure on "whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website."

The operator also may satisfy the disclosure related to how the operator responds to Do Not Track signals by "providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice."

This amendment, stated plainly, requires website operators to 1) say if it allows others to track; 2) say if it does its own tracking, and if it does, then how it tracks; and 3) how it responds to Do Not Track signals. It requires disclosure only, and does not prohibit tracking.

An operator is in violation only if it fails to add these provisions to its privacy policy. Operators that do not clearly explain these practices will receive a warning and will be given 30 days to comply with the requirements. Violations of this amendment, along with any other requirements of the Act, can be brought by the Attorney General or potentially class action litigants.

A much as California has some of the strictest privacy laws in the country, this amendment appears to be a middle-ground between the online advertising industry and the privacy advocates. It does not prohibit tracking or provide any Do Not Track standards or practices, which would have satisfied many of the privacy advocates. But, it does tighten the reins on how website operators deal with, and respond to, Do Not Track browser signals.