As defined by CalOPPA, the term “personally identifiable information” means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
- A first and last name;
- A home or other physical address, including street name and name of a city or town;
- An e-mail address;
- A telephone number;
- A social security number;
- Any other identifier that permits the physical or online contacting of a specific individual;
- Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.”
On September 27, 2013, California signed into law AB370, an amendment to CalOPPA (the “Amendment”). The Amendment takes effect on January 1, 2014 and is a relatively straightforward disclosure law.
Disclosure #1: Operators that collect PII about an individual consumer’s online activities over time and across third party websites and online services, for any reason, must disclose in their privacy policies how they respond to browser Do-Not-Track (“DNT”) signals or other mechanisms that provide consumers with choice regarding the collection of such information.
Arguably, operators that do not engage in such tracking would not have to make any such disclosure, although it would be prudent to add a simple statement indicating that no PII is collected “over time and across third-party websites” for any purpose, including, without limitation, online behavioral advertising, market research, website analytics, website operations, fraud detection and prevention, or security.
Disclosure #2: The Amendment also requires all operators to disclose whether third parties are permitted to collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the applicable website or service. The categories of third parties with whom PII is shared should also be disclosed.
For example, advertising networks often place “cookies” and other code to compile usage data about consumers as they move from website to website. An operator must know what its marketing firms are doing. For example, if an operator uses Google AdSense ads on a website or uses the service itself to place advertisements on other websites, the operator must make the disclosure.
It is anticipated that the California Attorney General will enforce the Amendment via an expanded definition of PII. Nevertheless, compliance should not be difficult because the new rules simply require disclosure and increased transparency.
The Amendment does not require operators to respond to DNT or to honor a consumer’s choice not to be tracked. It does not prevent advertisers from tracking or targeting ads, or retaining and using PII. There is simply no excuse to wait to be notified of non-compliance.
Lastly, it is critical to realize that the Amendment applies to the collection and tracking of information from California residents. Accordingly, the legislation applies to operators that do business in California and track California residents, even if there is no physical presence in California.
Consult an advertising law attorney and conduct an audit of your online and mobile websites to determine the best practices for compliance. Amend your privacy policies now. Accurately say what you do and then do what you say.
Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information in this article without seeking the advice of an attorney.