Updated California Online Privacy Laws Require Disclosure of “Do Not Track” Policies
Recently, California Assembly Bill No. 370 (AB370) was signed into law by Governor Jerry Brown. AB 370 amends California’s Online Privacy Protection Act of 2003 (OPPA) to require that the privacy policy provided by the operator of a website and online service describe how the operator will respond to consumer-initiated mechanisms for controlling the collection of consumer personally identifiable information (PII).
As originally enacted in 2004, OPPA required that the privacy policy of an operator of a commercial website or online service must: 1) identify the categories of PII that are collected from consumers and the categories of third-party persons or entities with whom the PII may be shared, 2) provide a description of the process for consumers to review and request changes to PII if such a process is supported by the operator, 3) describe the process by which the operator notifies consumers of material changes to the privacy policy for the Web site or online service, and 4) identify the effective date of the current privacy policy.
AB 370 amends OPPA to add two further requirements: 5) a disclosure describing how the operator responds to web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites or online services, and 6) a disclosure indicating whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service. In an added element 7), AB370 makes clear that the requirements of element 5) may be satisfied “by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
Under OPPA’s provisions, an operator will be held to have violated its provisions “only if the operator fails [to comply] within 30 days after being notified of [a] noncompliance.” As OPPA is applicable to “[any] operator of a commercial Web site or online service that collects PII about individual consumers residing in California who use and visit its commercial Web site or online service,” all operators with a national presence are well-advised to examine their online privacy policies in the context of this California law change.
Gibbons will continue to monitor this and other internet law developments of significance.