As we wrote in October, the California Online Privacy Protection Act (CalOPPA) will  require – effective January 1, 2014 – that websites that collect personal information  about  a  person’s  “online  activities  over  time  and  across  third-party  websites  or  online  services” must disclose (1) how the site responds to browsers’  “do not track” signals or (2) other mechanisms the site gives for consumers to opt out of this collection. Another new requirement is for websites to disclose if others collect personal information about a user “over time and across different websites when a consumer uses the operator’s website or service.” These new disclosures are pursuant to a modification in the law that was passed in October.

Personal information is defined to include not only the “standards” like name and address, but also “any other identifier that permits the physical or online contacting of a specific individual” and “information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.” Given the broad nature of these definitions, and the likelihood that a website will have California users, these new disclosure obligations will likely impact most sites.

Are you already covered with your existing language?

Probably not entirely. Fortunately, many sites already have disclosures that address parts – but not all – of these new requirements. These include the following provisions often found in privacy policies today:

  • We use tracking tools to serve you with interest- based advertising and to better understand your behaviors and browsing activities.
  • We might permit third parties to gather information passively on our websites, including for behavioral advertising  purposes.
  • You can opt out of online behavioral advertising by going to www.aboutads.info/choices.
  • You can control tracking tools. In particular, your browser gives you the ability to delete or reject browser cookies. If you block cookies, certain features on our website may not work.

So what might be missing?

The language above does not discuss “do not track” signals nor is it specific about “other mechanisms” a site might give apart from rejecting browser cookies  or opting out of behavioral advertising. It also does not specifically state that other parties collect “personal information about a user over time and across different websites when a consumer uses the operator’s  website or service.” Here are some suggestions that,  in addition to the language above, could help address the new requirements:

  • We collect personal information about users over time and across different websites when you use this website or service. We also have third parties that collect personal information this way.
  • Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. These features are not yet uniform, so we are not currently set up to respond to those signals.
  • If you block or delete cookies, not all of the tracking that we have described in this policy will stop.

Where should this language go?

Some companies have the discussion about tracking in their privacy policy. Others have it in a stand-alone document to address concerns from the Behavioral Advertising Self-Regulatory program; this document is linked from the privacy policy and placed on the home page of the website.

Putting the required language in either document should address CalOPPA, since these disclosures can be in “a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer [choice].”

What’s next?

Remember, the new disclosures are contingent on whether or not your site collects personal information about a person’s “online activities over time and across third party websites or online services” or if your site lets others collect personal information about a user “over time and across different websites when a consumer uses the operator’s website or service.” If you do, these new disclosures are required under the California amendment to CalOPPA. Although the law is effective January 1, California will be issuing best practices after the effective date to help companies understand how to fulfill their obligations under the revised CalOPPA law. We expect to see those best practices early next year.

TIP: An important part of any privacy disclosure is accuracy, so if you believe that you are subject to the revision to CalOPPA, work with your business and IT teams to make sure that the disclosures are accurate. The suggested language here is intended as a starting point, but should not be a substitute for legal advice, which turns on the specifics of your situation. Feel free to reach out to the Winston team, or your regular legal contact, for additional assistance.