Complying with the patchwork of U.S. federal and state privacy laws requires familiarity with overlapping laws covering the same general activities. On August 28, 2013, California provided the most recent example when its Senate and Assembly passed an amendment (AB-370) to the California Online Privacy Protection Act (CalOPPA) requiring “commercial” websites and online services that collect personal data from California residents to disclose how they respond to “do not track” (DNT) signals from browsers used by web users. AB-370 is expected to be signed into law by Governor Jerry Brown.
The scope of the law is not limited to just those website operators that are themselves located within California. Rather, CalOPPA’s requirements apply to any operator that collects personally identifiable information about a California resident, whether that operator is based in California or not. If signed into law, the requirements of AB-370 would do the same.
- How the website or online service responds to DNT signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about the consumer’s online activities over time and across different websites or online services.
- Whether other parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when the consumer uses the operator’s website or service.
Operators of websites or online services that collect or may collect personally identifiable information about California residents should consider now how their online privacy policies should be amended to address the new DNT disclosure requirements. In addition, once AB-370 is signed into law, operators immediately should update their online privacy policies to address the new disclosure requirements and make sure they are following those practices.