Below is a summary of a recent California privacy law amendment. This will go into effect on January 1, 2014. These changes will require businesses to make additional privacy policy disclosures.

On September 27, AB 370 was signed into law by Governor Jerry Brown. The new law amends the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code Section 22575, to require that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding PII collection over time across third-party websites. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and the third parties with whom the operator shares the information.

The new law requires an operator to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different Web sites or online services. The law would require the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service. A business that operates a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available.

Businesses shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

Businesses are required to do three new things as part of their privacy policy disclosures:

  1. Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
  2. Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
  3. Businesses may satisfy these requirements by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Here are some things businesses should be doing to prepare for the new law:

  1. Understand how the business currently uses tracking technologies in the form of cookies, web beacons, advertising cookies and analytics cookies by engaging the marketing and IT departments in a discussion and full examination of the tracking technologies currently in use.
  2. Develop a comprehensive consumer data strategy so all data use is understood and optimized internally and can be communicated outside the organization to consumers.
  3. Be prepared to comprehensively explain what third-party tracking technologies are in use and explain these technologies to consumers and how consumer data is collected, retained and used.
  4. If applicable and technologically feasible, provide an explanation to consumers about how they may choose to control or refuse to accept tracking technologies utilized by the business.
  5. Draft a separate notification regarding tracking technologies to conspicuously post along with the current privacy policy or as a separate hyperlink embedded in the current privacy notification.