Executive Summary: California will require greater disclosure of privacy practices for all operators of commercial Websites and apps. But the specifics of the new disclosure requirements, which take effect January 1, remain murky

Effective January 1, 2014, California will require new disclosures relative to treatment of s o-called “do not track” instructions and tracking of visitor activities across time and other websites.

These requirements amend the California Online Privacy Protection Act and apply to all operators of commercial websites, including apps, as well as any online service that collects personally identifiable information ("PII") about consumers residing in California who use or visit the website, app or service.

The law is not specific enough to show exactly what language will be required, in fact, it appears more aimed to shame operators into adopting “do not track” mechanisms even though federal regulators have so far declined to impose a national standard. Here is what we know:

“Do Not Track” Wall of Shame. California is trying to shine a light on website, app and online service provider’s  response to a "do not track" election (whatever that may be, as discussed below). This particular requirement applies if you operate a commercial website, app or online service and collect the PII of an individual consumer’s  online activities over time and across third-party websites or online services. Arguably, this could be triggered by something as simple as an identifier associated with a consumer that tracks the immediately preceding and following websites visited. If this information is collected, then you must disclose what you do when a “do not  track” signal is received from the consumer’s web browser or any other technology that allows consumers to choose what PII is collected.

Compliance is complicated by the absence of a statutory definition or universal standard of what “do not track” means. Moreover, absent a federal or state mandate to comply with “do not track” elections, do not track implementation remains entirely voluntarily and arguably spotty. Thus, California seeks to force those who do not comply to publicly state that they do not honor such elections – essentially an attempt to shame them into recognizing the requests. On the other hand, if you honor the elections, then you have to provide details about what you do.

Increased Third Party Disclosures. The new law also requires disclosure of whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses your website, app or online service. This new requirement appears to go beyond the generic disclosure that advertisers on a webpage may track activity. Rather, it may require more specific disclosures of what behavioral information you collect as a result of using your website, app or service and who you provide it to.

Alternative Disclosure Placement. The third party disclosure described above need not be recited in its entirety in the privacy policy, but may be contained in a separate document describing the effects of any program or protocol you follow that offers consumers choice in third party collections, provided that a clear and conspicuous hyperlink to that document is contained in the privacy policy.

Implementation Issues. The statutory provisions appear aimed at forcing operators to consider do not track compliance and effectively shame them into becoming compliant. Thus, unlike previous privacy policy requirements that merely required descriptions of existing privacy protocols, these new requirements effectively require reviewand deliberation of fundamental privacy issues when confronted with a user that does not want his or her PII collected across time and platforms.