New Disclosure #1: Response to "Do Not Track" Signals
Section 22575(b) now requires disclosure of how an operator responds to DNT signals. "Do not track" (DNT) refers to a standards initiative by which browser settings can be used to send a signal to the advertising networks integrated into sites, indicating that the user of the browser does not wish to have their browsing habits tracked across websites over time.
All the major browser companies have incorporated DNT signal recognition into the latest releases of their browsers. However, there is no consistent deployment of this technology with regard to defaults or use cases. Section 22575(b)(5) also includes "other mechanisms" that can be used to provide consumers the ability to exercise choice regarding behavioral analysis of their browsing habits. Since most persistent technology embedded in a browser (e.g., cookies) can be used to observe browsing habits over time, careful evaluation of what technology a site uses, and how it is used, is necessary to determine if the new section's requirements are triggered.
Since the statute also applies to "online services," mobile app developers and any other business that provides a service accessible via a computer or smartphone will be required to provide notice as well.
Because §22575 attempts to limit the mandatory disclosure to those operators who engage in collection for purposes of behavioral tracking, a careful review of current policy disclosures, and of any technology embedded in the site, will need to occur, primarily because all websites and online services use technology that may be used to track users. Consequently, to ensure compliance with the new section, all privacy policies should include a statement indicating whether or not an operator actually allows the consumer to exercise a choice.
New Disclosure #2: Third-Party Behavioral Tracking
Because of the nature of third-party use, it will become increasingly difficult for an operator to provide notice of use of PII by a third party when the operator does not know how, or for what purposes, the third party is using the data. Even in instances where the operator does know the primary use of PII by the third party, such use may change over time. Since such disclosures and privacy policies are enforceable under state and federal deceptive trade practices acts, the new law now imposes an obligation on the operator to provide "guarantees" around how a third party may use data collected from the operator's website or through the operator's online service.