Home > Industry News > California’s Do-Not-Track Disclosure Requirements to Take Effect on January 1, 2014

California’s Do-Not-Track Disclosure Requirements to Take Effect on January 1, 2014

The following is a guest post brought to us by Richard B. Newman.  You can visit his site at http://www.hinchnewman.com/

The California Online Privacy Protection Act of 2003 (“CalOPPA”) requires operators of commercial websites and online service providers to conspicuously post a privacy policy that discloses to consumers, among other things, the categories of personally identifiable information (“PII”) collected and with whom it is shared.

As defined by CalOPPA, the term “personally identifiable information” means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:

  • A first and last name;
  • A home or other physical address, including street name and name of a city or town;
  • An e-mail address;
  • A telephone number;
  • A social security number;
  • Any other identifier that permits the physical or online contacting of a specific individual;
  • Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.”

On September 27, 2013, California signed into law AB370, an amendment to CalOPPA the “Amendment”).  The Amendment takes effect on January 1, 2014 and is a relatively straight forward disclosure law.

Disclosure #1:  Operators that collect PII about an individual consumer’s online activities over time and across third party websites and online services, for any reason, must disclose in their  privacy policies how they respond to browser Do-Not-Track (“DNT”) signals or other mechanisms that provide consumers with choice regarding the collection of such information.

Alternatively, operators may provide a clear and conspicuous hyperlink to a webpage with a description, including the effects of any protocol that they follow, that offers consumers a choice about online tracking.  The Amendment permits the required hyperlink disclosure to be made in an operator’s privacy policy.

Arguably, operators that do not engage in such tracking would not have to make any such disclosure.  Although it would be prudent to add a simple statement indicating that no PII is collected “over time and across third-party websites,” for any purpose, including without limitation, online behavioral advertising, market research, website analytics, website operations, fraud detection and prevention, or security.

Disclosure #2:  The Amendment also requires all operators to disclose whether third parties are permitted to collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses the applicable website or service.  The categories of third parties with whom PII is shared should also be disclosed.

For example, advertising networks often place “cookies” and other code to compile usage data about consumers as they move from website to website.  An operator must know what its marketing firms are doing.  For example, if an operator uses Google AdSense ads on a website  or uses the service itself to place advertisements on other websites, the operator must make the disclosure.

It is anticipated that the California Attorney General will enforce the Amendment via an expanded definition of PII.  Nevertheless, compliance should not be difficult because the new rules simply require disclosure and increased transparency.

The Amendment does not require operators to respond to DNT or to honor a consumer’s choice not to be tracked.  It does not prevent advertisers from tracking or targeting ads, or retaining and using PII.  There is simply no excuse to wait to be notified of non-compliance.

Lastly, it is critical to realize that the Amendment applies to the collection and tracking of information from California residents.  Accordingly, the legislation applies to operators that do business in California and track California residents, even if there is no physical presence in California.

Consult an advertising law attorney and conduct an audit of your online and mobile websites to determine the best practices for compliance.  Amend your privacy policies now.  Accurately say what you do and then do what you say.

Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information in this article without seeking the advice of an attorney.

4 thoughts on “California’s Do-Not-Track Disclosure Requirements to Take Effect on January 1, 2014

  1. We’re a bunch of volunteers and starting a new scheme in our community.
    Your web site offered us with valuable info to work on.
    You’ve performed an impressive activity and our entire group shall
    be thankful to you.

  2. Hi there it’s me, I am also visiting this site on a regular basis, this web site is truly
    pleasant and the users are actually sharing nice thoughts.

Leave a Reply

Your email address will not be published. Required fields are marked *