California's Do Not Track Disclosure Bill

As of January 1, 2014, California law requires operators of websites and online services to publicly disclose how they respond to "do not track" (dnt) signals, though the exact requirements vary depending on whether an entity is a first party (e.g., web publisher) or third party (e.g., ad network). The new law will not require companies to honor dnt signals.

Operators of websites and online services should be prepared to update their privacy policies.

Background

On September 27, 2013, Governor Jerry Brown signed into law AB 370, an amendment to the California Online Privacy Protection Act (CALOPPA). CALOPPA requires online operators to post privacy policies stating: (1) the categories of personally identifiable information (PII) collected through their website or online service, (2) the categories of third parties with whom the operator may share PII, (3) the process by which a consumer may review and request changes to PII collected through the site or service if such a process is maintained, (4) a description of how operators notify consumers of material changes to the privacy policy, and (5) the effective date of the privacy policy. AB 370 will not change these requirements or the meaning of PII, but adds additional disclosure obligations described in the next section.

Amended Law – New Disclosure Requirements

Who is covered

Operators of commercial websites and online services are required to make disclosures related to dnt signals and other choice mechanisms in their privacy policy. However, the specific disclosure requirements vary for (1) operators engaged in data collection across sites and over time (i.e., third parties such as ad networks), and (2) operators of websites or online services where PII is collected (i.e., web publishers and other first parties).

Third Party Disclosure Obligations

Operators engaged in the collection of PII about an individual consumer’s online activities over time and across third-party websites or online services are covered by the new law. These entities are known as third parties under the industry self-regulatory program administered by the Digital Advertising Alliance (DAA). Examples of third parties covered by this law are ad networks and analytics providers. AB 370 requires these third parties to disclose in their privacy policy how they respond to web browser dnt signals or other mechanisms that provide consumers the ability to exercise choice regarding collection of the PII about an individual consumer's online activities over time and across third-party sites or online services. A third party covered by this law may satisfy this requirement by providing a clear and conspicuous hyperlink in its privacy policy that leads to an online location containing a description, including the effects, of any programs or protocols the operator follows that offer the consumer that choice. Including a link to the Digital Advertising Alliance at www.aboutads.info/choices should satisfy this requirement.

AB 370 appears to require third parties to disclose either: (1) how they respond to web browser dnt signals or (2) other mechanisms that provide consumers the ability to exercise choice regarding PII collection. In cases where the third party links to an "other mechanism," the law does not require third parties to affirmatively state that they do not respond to dnt signals. If that is the case, third parties may still elect to make such disclosures as a defense to potential frivolous assertions that such entities have not disclosed how they respond to dnt signals.

First Party Disclosure Obligations

A first party operator (i.e., a web publisher that permits third parties to collect data from its site) will be required under the new law to disclose whether other parties (i.e., ad networks, analytics providers, etc.) may collect PII about an individual consumer's online activities over time and across different sites when the consumer uses the first party’s website or service. Although it will not be required by this law, it is industry practice and consistent with the DAA Principles for first parties to include a link to www.aboutads.info/choices in their privacy policy.

Next Steps

AB 370 took effect on January 1, 2014. Online operators have 30 days to comply after being notified of noncompliance.

Venable attorneys are available to help evaluate whether your disclosures with respect to your online data practices comply with AB 370.