It is time to prepare for the latest privacy requirements out of California. In 2002, California was the first state to require websites to post a privacy policy. The state is now dictating that most website operators disclose more information about how they track their users' online activities.

The law takes effect January 1, 2014, and requires that most website operators disclose

  1. how they respond to a web browser’s “do not track” (DNT) signal, and
  2. whether third parties can collect a user's personal information across a network of sites.

Though this is a California law, it impacts most U.S.-based operators of commercial websites or online services. Compliance is required for any website that collects personal information about users from California.

The Law in More Detail

More specifically, the new law provides that:

  • An operator must now disclose how it responds to DNT signals or other mechanisms that purport to provide consumers with a choice regarding the collection of personally identifiable information (PII) about their online activities over time and across different websites or online services. Operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer such a choice regarding its PII.
  • The operator must also disclose whether third parties may collect PII when a consumer uses the operator's website or online service.

Although the new law will take effect on January 1, 2014, if an operator is notified of non-compliance, the operator may post a compliant disclosure/policy within 30 days to avoid a violation.

Keep in mind that even with this new law, the current stringent requirements of the existing California law remain in place. Namely, an operator of a commercial website or online service that collects PII of California residents must conspicuously post its privacy policy on its website or online service. Among other things, the policy must identify the categories of PII that the operator collects regarding individual consumers who use or visit its website or online service. Additionally, the operator must identify any third parties with whom information is shared.

What does this mean for you?

If you collect personal information about users from California through any of your existing websites, it is time to review and update your privacy policy to ensure compliance with this new law, and to revisit your policy for compliance with the existing requirements. Ask your online marketing and technology teams how your website responds to a web browser's "do not track" signals, and determine if and how your company tracks information across any network of websites. Appropriate disclosures describing your practices in sufficient detail on these two issues will be required for compliance.