On Sept. 27, 2013, California’s governor signed AB370 into law, amending the California Online Privacy Protection Act of 2003 (“CalOPPA”). Effective Jan. 1, 2014, the law now requires website and mobile application operators to disclose how they respond to “Do Not Track” (“DNT”) signals. See 2013 Cal. Legis. Serv. Ch. 390 (A.B. 370) (West). While it is a California law, the requirement applies to website and mobile application operators everywhere who collect information from California residents.

Why “Do Not Track”?

DNT is a response to the tracking of consumers’ online behavior across websites. Many websites and mobile applications track such consumer data, use it to construct a profile of a consumer’s interests, and then sell that information to third-party advertisers or use it to customize their own advertisements. The tracking is typically done with cookies: an advertising or analytics network embedded on many sites sets a cookie in the user’s browser on the first visit and reads it back on every later site that embeds the same network, which lets the network link those separate visits into a single profile. Nothing on the page signals that this is happening, so such behavior-tracking usually goes unnoticed by the consumer. Enter DNT.

What is “Do Not Track”?

DNT, at bottom, is a single HTTP request header. All major internet browser providers have now implemented simple DNT systems: when the user turns the option on, the browser adds the header “DNT: 1” to every request it sends, telling the receiving website that the user does not wish to have their online activity tracked. The header is purely advisory; it states the user’s preference, and it is up to each site that receives it whether to honor it, which is why the California law concerns itself with disclosure rather than enforcement. A user can normally access their browser’s DNT option in the browser’s preferences. See, e.g., Use Tracking Protection in Internet Explorer. For more information about “Do Not Track,” including the larger social and policymaking context, visit donottrack.us.
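For readers who run a website and want to see what “responding to a DNT signal” looks like in practice, the following is an added example written for this page; it is not code from the article, from any browser vendor, or from the California Attorney General. The cookie name, the profile-id generator and the sample requests are invented for the example, and the “Tk” tracking-status response header it emits comes from the W3C Tracking Preference Expression draft, not from CalOPPA. The operator’s own policy, whatever its privacy policy says it does with DNT, is the honor_dnt parameter.

```python
"""Added example: reading and acting on the Do Not Track request header.

Illustrative code written for this page, not code from the article or
from any browser vendor. The cookie name, the profile-id generator and
the sample requests below are invented for the example.
"""
from typing import Callable, Dict, Mapping, Optional, Tuple

# Hypothetical name of a cross-site advertising profile cookie.
TRACKING_COOKIE = "ad_profile_id"


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Interpret the DNT request header.

    Returns True for "DNT: 1" (user asks not to be tracked), False for
    "DNT: 0" (user expressly permits tracking) and None when the header
    is absent or carries any other value. Header names are compared
    case-insensitively because HTTP header names are case-insensitive;
    anything that is not exactly "0" or "1" is treated as "no preference"
    rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def tracking_response(
    headers: Mapping[str, str],
    honor_dnt: bool,
    new_profile_id: Callable[[], str],
) -> Tuple[Optional[str], Dict[str, str]]:
    """Decide whether this request gets a cross-site tracking cookie.

    honor_dnt is the operator's own disclosed policy. Returns a pair of
    (Set-Cookie value or None, extra response headers). The "Tk" header
    is the W3C Tracking Preference Expression status value: "N" = not
    tracking, "T" = tracking, "D" = disregarding the DNT signal.
    """
    pref = dnt_preference(headers)
    if pref is True and honor_dnt:
        # The user opted out and the site honours that: no profile cookie.
        return None, {"Tk": "N"}
    if pref is True and not honor_dnt:
        # Permitted under CalOPPA as long as the privacy policy says so,
        # but the response should not pretend otherwise.
        status = "D"
    else:
        status = "T"
    cookie = (
        f"{TRACKING_COOKIE}={new_profile_id()}; "
        "Secure; HttpOnly; SameSite=None"  # cross-site cookies need SameSite=None
    )
    return cookie, {"Tk": status}


# Constructed sample requests (headers only), as a browser would send them.
SAMPLE_REQUESTS = {
    "firefox_dnt_on": {"Host": "example.test", "DNT": "1", "Accept": "*/*"},
    "lowercase_dnt_off": {"host": "example.test", "dnt": "0"},
    "no_dnt_header": {"Host": "example.test", "Accept": "*/*"},
    "garbage_value": {"Host": "example.test", "DNT": "yes"},
}


def audit(honor_dnt: bool) -> Dict[str, str]:
    """Run every sample request through the decision and report the
    tracking status each one would receive under the given policy."""
    counter = iter(range(1000, 2000))
    return {
        name: tracking_response(h, honor_dnt, lambda: f"p{next(counter)}")[1]["Tk"]
        for name, h in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for policy in (True, False):
        print(f"honor_dnt={policy}:", audit(policy))
```

Two points worth noticing: a malformed header value is treated as “no preference” rather than as an opt-out or an opt-in, and the two branches for “DNT: 1” show that both honoring and ignoring the signal can be consistent with the statute, as long as what the server actually does matches what the privacy policy says.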

What Does the California Law Require?

The California law requires a website operator simply to disclose how it “responds to Web browser ‘do not track’ signals” if the operator collects personally identifiable information (“PII”) about a consumer’s online activities over time and across third-party websites or online services. See Cal. Bus. & Prof. Code § 22575(a)(5). Note that the statute requires disclosure of the operator’s response; it does not require the operator to honor the signal. An operator can meet the disclosure requirement in one of two ways:

  1. An operator can add a conspicuous section to its privacy policy with a clear header such as “How We Respond to Do Not Track Signals,” describing its response procedure as well as the manner in which it uses the PII collected from users.
  2. An operator can place a clear and conspicuous hyperlink in its privacy policy to a program that offers consumers a choice about online tracking. Id. § 22575(a)(7). The privacy policy should also describe the linked program and indicate that the operator will comply with the program if the user chooses to employ it.

While either method will satisfy the law, the California Attorney General recommends the first option as a best practice.

Additionally, an operator must disclose whether other parties may collect PII about a consumer’s online activities over time and across different websites when the consumer uses the operator’s site, for example through embedded advertising or analytics scripts. Id. § 22575(a)(6). The privacy policy should indicate whether the operator can ensure that those third parties will follow its DNT response; if it cannot, the operator should describe how third parties might use the PII gathered on its site. The policy should also state whether parties other than those the operator has authorized may be collecting PII on its service and, if applicable, acknowledge that an authorized third party might in turn bring unauthorized PII collection onto the operator’s website.