Complying with the patchwork of U.S. federal and state privacy laws requires familiarity with overlapping laws covering the same general activities. On August 28, 2013, California provided the most recent example when its Senate and Assembly passed an amendment (AB-370) to the California Online Privacy Protection Act (CalOPPA) requiring “commercial” websites and online services that collect personal data from California residents to disclose how they respond to “do not track” (DNT) signals from browsers used by web users. AB-370 is expected to be signed into law by Governor Jerry Brown.

CalOPPA Background

CalOPPA currently requires an operator of a commercial website or online service that collects personally identifiable information about California residents to post a conspicuous privacy policy on the website or service that discloses the operator’s privacy practices. Those disclosures must address practices such as the categories of personally identifiable information collected, the third parties with whom the operator may share the information, any process by which consumers can review and change the collected personally identifiable information and the process by which the operator notifies consumers of changes to the privacy policy.

The scope of the law is not limited to website operators located within California. Rather, CalOPPA’s requirements apply to any operator that collects personally identifiable information about a California resident, whether or not that operator is based in California. If signed into law, AB-370’s requirements would apply in the same way.

AB-370

AB-370 would amend CalOPPA to further provide that the required online privacy policy must disclose:

  • How the website or online service responds to DNT signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about the consumer’s online activities over time and across different websites or online services.
  • Whether other parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when the consumer uses the operator’s website or service.

AB-370 also provides that an operator can satisfy the first new disclosure requirement by providing in the privacy policy a clear and conspicuous hyperlink to an online location containing a description of any program or protocol the operator follows that offers the consumer that choice.

AB-370 would not prohibit tracking or require an operator to honor any DNT signal. Instead, the bill would impose a disclosure requirement, meaning an operator would only be in violation by failing to make the required disclosures regarding its practices in its privacy policy.

Action Items

Operators of websites or online services that collect or may collect personally identifiable information about California residents should consider now how their online privacy policies should be amended to address the new DNT disclosure requirements. In addition, once AB-370 is signed into law, operators should immediately update their online privacy policies to address the new disclosure requirements and make sure they are following the practices those policies describe.