On August 26, the California legislature passed AB 370, which would require commercial websites and other online services, including mobile apps, to state in their privacy policies whether the service allows third parties to track users across a network of other websites or online services, and how users can opt out of such tracking through a centralized “do not track” (DNT) signal or another mechanism. If the governor signs the bill, as expected, it would apply in practice to most websites and mobile apps, because the underlying statute reaches any operator that collects personally identifiable information from consumers in California, and many privacy policies would have to be revised as a result.
The underlying statute, the California Online Privacy Protection Act (CalOPPA), already requires covered operators to post a privacy policy that includes, among other things:
- the categories of personally identifiable information collected and the categories of third parties with whom the information is shared;
- a description of the process for users to review and request changes to their personally identifiable information that has been collected, if such a process exists;
- the effective date of the policy.
AB 370 would amend CalOPPA to require covered operators to also:
- “Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service”; and
- “Disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
Both new requirements apply when a website or online service works with third parties that “collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites.” This language is aimed at participation in online behavioral advertising networks, which partner with many websites to build profiles of individuals’ browsing habits in order to serve them more relevant advertisements. The language also appears to cover a website’s use of analytics providers that track user behavior across services, and social networking platforms that collect information across the many websites with which they are integrated.
The first requirement is relatively straightforward: a disclosure is required whenever a website or online service partners with a third-party tracking network. Many websites that participate in these networks already disclose their participation voluntarily; the new law would make that disclosure mandatory. One open question is whether a corporation that collects and analyzes data across the websites of its subsidiaries or affiliates (for cross-marketing purposes, for example) would now have to disclose that collection, given that the requirement is triggered when “other parties” may collect the information.
The second requirement, the DNT disclosure, is what has been generating most of the recent headlines. The FTC kicked off the DNT debate with its 2010 preliminary privacy report (finalized in 2012), which, among other things, supported a DNT mechanism that would require websites to honor a consumer’s centralized opt-out from online behavioral advertising. Not long after that report, the World Wide Web Consortium convened a multi-stakeholder group of industry representatives and privacy advocates that has spent the past couple of years trying to develop a global, enforceable DNT standard. That effort is far from complete: after almost two years the stakeholders have still not agreed on what DNT means, and are still negotiating over which types of tracking should be covered and which should not. In the meantime, the major web browsers have stepped in by implementing a DNT request header: when the user turns on the browser’s “do not track” setting, the browser sends a `DNT: 1` header with every request, signaling to each website that the user does not want to be tracked. The header is only a signal; nothing in the browser enforces it, so whether and how a website honors it is entirely up to the website.
With AB 370, California has stepped into this debate by requiring, through CalOPPA, that websites disclose whether they “respond to Web browser ‘do not track’ signals,” and if so, how they respond when they receive a DNT header value indicating that the user does not want to be tracked. Note that the bill requires a disclosure of how the operator responds; it does not require the operator to honor the signal. Because of the ambiguity and debate over what DNT means, many websites and online services have been waiting for a consensus from the World Wide Web Consortium before implementing DNT, and therefore have not yet developed a strategy for responding to the header. As a result, most websites that participate in online behavioral advertising networks or use multi-site analytics providers may end up complying with AB 370 (once it is signed by the governor) by amending their privacy policies to state that they do not currently respond to DNT signals but may do so in the future.
Another area of ambiguity is that the bill requires disclosure not only of how the operator responds to DNT signals, but also of its response to “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about [their] online activities over time and across third-party Web sites or online services.” Therefore, where a website participates in an advertising or other tracking network that offers a network-wide opt-out, as do websites that use networks belonging to the Network Advertising Initiative (which lets users set an opt-out cookie that applies across member networks), that mechanism should be disclosed as well.
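For operators deciding how they will “respond” before they write the disclosure, the following is an added illustration (not code from the original post or from any particular site or network) of the server-side logic the two mechanisms above imply: reading the browser’s DNT header and checking for a network-style opt-out cookie. It assumes a request represented as a dictionary of HTTP headers and a dictionary of cookies; the cookie name `optout` and the tracker hostnames are hypothetical stand-ins for whatever a real ad network or analytics vendor uses. The `honor_dnt` flag models the choice between honoring `DNT: 1` and the “we do not currently respond to DNT signals” policy many operators are expected to disclose.

```python
"""Server-side handling of the browser DNT header and an opt-out cookie.

Added example, not code from the original post or from any vendor. It assumes
a request is visible as a mapping of HTTP headers and a mapping of cookies.
OPT_OUT_COOKIE and THIRD_PARTY_TRACKERS are hypothetical names.
"""

from dataclasses import dataclass
from enum import Enum
from typing import Mapping, Tuple


class DntPreference(Enum):
    """Tri-state meaning of the DNT request header as browsers send it."""
    NO_PREFERENCE = "unset"   # header absent or malformed: user expressed nothing
    ALLOW = "0"               # DNT: 0, the user explicitly permits tracking
    DO_NOT_TRACK = "1"        # DNT: 1, the user asked not to be tracked


# Hypothetical identifiers; a real site would use its vendors' actual ones.
OPT_OUT_COOKIE = "optout"   # value "1" mimics an NAI-style network-wide opt-out
THIRD_PARTY_TRACKERS: Tuple[str, ...] = ("ad-network.example", "analytics.example")


def parse_dnt(headers: Mapping[str, str]) -> DntPreference:
    """Map the raw DNT header to a preference.

    Header names are matched case-insensitively (HTTP header names are
    case-insensitive and servers normalise them differently). Only the
    literal values "1" and "0" carry meaning; anything else is treated as
    no signal rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return DntPreference.DO_NOT_TRACK
            if value == "0":
                return DntPreference.ALLOW
            return DntPreference.NO_PREFERENCE
    return DntPreference.NO_PREFERENCE


@dataclass(frozen=True)
class TrackingDecision:
    track: bool                  # whether cross-site trackers may be embedded
    reason: str                  # which signal decided it, for logging/audit
    trackers: Tuple[str, ...]    # hostnames of trackers that will be embedded


def decide_tracking(headers: Mapping[str, str], cookies: Mapping[str, str],
                    honor_dnt: bool = True) -> TrackingDecision:
    """Decide whether a response may include cross-site trackers.

    Precedence: an explicit opt-out cookie always wins, then the DNT header
    (only if the operator has chosen to honor it), otherwise tracking proceeds.
    The opt-out cookie is respected even when honor_dnt is False, because it is
    a choice the operator's own network offered the user.
    """
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return TrackingDecision(False, "opt-out cookie", ())
    pref = parse_dnt(headers)
    if pref is DntPreference.DO_NOT_TRACK:
        if honor_dnt:
            return TrackingDecision(False, "DNT: 1", ())
        return TrackingDecision(True, "DNT: 1 received but not honored",
                                THIRD_PARTY_TRACKERS)
    if pref is DntPreference.ALLOW:
        return TrackingDecision(True, "DNT: 0", THIRD_PARTY_TRACKERS)
    return TrackingDecision(True, "no signal", THIRD_PARTY_TRACKERS)


def render_tracker_tags(decision: TrackingDecision) -> str:
    """Emit script tags only for the trackers the decision allows."""
    return "".join(
        f'<script src="https://{host}/t.js"></script>' for host in decision.trackers
    )


if __name__ == "__main__":
    # Constructed sample requests covering the cases discussed in the text.
    samples = [
        ({}, {}),                                # no signal at all
        ({"DNT": "1"}, {}),                      # browser DNT enabled
        ({"DNT": "0"}, {}),                      # explicit consent
        ({"dnt": "1"}, {OPT_OUT_COOKIE: "1"}),   # both signals; cookie wins
        ({"DNT": "yes"}, {}),                    # malformed value
    ]
    for hdrs, cks in samples:
        for honor in (True, False):
            d = decide_tracking(hdrs, cks, honor_dnt=honor)
            print(f"headers={hdrs} cookies={cks} honor_dnt={honor} "
                  f"-> track={d.track} ({d.reason})")
```

The `reason` field is worth keeping in a real deployment: a log of which signal drove each decision is the evidence an operator would want if asked to show that its behavior matches what its privacy policy discloses.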
The California Attorney General has recently taken an aggressive posture toward CalOPPA compliance, suing Delta Air Lines late last year for allegedly failing to provide disclosures for its mobile application that complied with the law. Although a court ruled in May that applying the law to Delta was preempted by federal airline regulation, the Attorney General is likely pursuing its next test case. One mitigating factor for businesses is the provision in the law that gives a website or online service thirty days after being notified of a deficiency by the Attorney General to correct it before any enforcement action can be taken. Still, commercial websites and online applications should use the time before the bill is signed to reevaluate their privacy policies and determine what must be amended to comply with AB 370.