A new law in California is on the verge of becoming enacted that has significant repercussions for nearly every business in the United States that operates a commercial website or online service and collects “personally identifiable information” (which means, under the law, “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.)” The proposed legislation is currently before Governor Jerry Brown. If Governor Brown does not sign the bill, it will become law on October 3, 2013. The legislation could become law even earlier, if Governor Brown signs the law prior to October 3, 2013 (Governor Brown could also veto the legislation, but he is not expected to do so).
The analysis noted the rapid rise in online tracking of users’ web-surfing behavior as well as the California Attorney General’s observation that although “all the major browser companies have offered Do Not Track browser headers” that, if selected, can “signal to websites an individual’s choice not to be tracked, [t]here is, however, no legal requirement for sites to honor the headers.” Thus, because Web sites are free to disregard such Do Not Track selections by consumers, they would not know whether or not their selection is honored unless the Web site provides them with such notice. The new law would mandate providing users with the requisite notice.
In addition to the above “do not track” notice obligations, the law also requires website and online service operators “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
In light of the new obligations, it is imperative that any organization that collects PII concerning California residents (whether or not that organization is based in California) assess its current Web site privacy policies to ensure that they are compliant with California’s new laws requiring additional disclosures.