Over the last several months, California has passed several new privacy and data protection laws that impact operators of websites, online services and mobile applications around the country, including a law establishing an “Internet Eraser” for minors, and changes to the state’s data breach notification requirements. The latest bill, which amends the California Online Privacy Protection Act (“CalOPPA”), gives website operators until January 1, 2014 to update their privacy policies to disclose how they respond to “Do Not Track” mechanisms in web browsers. Are you ready for these new “Do Not Track” requirements?
What does the new law require?
Under CalOPPA, website operators were already required, among other things, to conspicuously post a privacy policy that describes the categories of personally identifiable information the website or mobile application operator collects, and with whom the information is shared. As amended by Assembly Bill 370, website and mobile application operators are now required to disclose to users how the site responds to so-called “Do Not Track” mechanisms, which are typically small pieces of code – similar to cookies – that signal to websites or mobile applications that the user does not want the website operator to track his or her visit to the site, including through analytics tools, advertising networks and other types of data collection and tracking practices.
Do the requirements apply to me?
The law applies to all companies that collect tracking information from California residents, and accordingly applies to companies that do business in California and track California residents, even if the company does have a physical presence in California.
Do I need to honor a user’s Do Not Track preferences?
Notably, California has not mandated that website and mobile application operators honor a user’s use of “Do Not Track” mechanisms – only that the user be provided with a disclosure about how the website will respond to such mechanism.
How can I comply?
A website operator can satisfy the new requirement by providing “a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers consumers that choice [not to be tracked].” The Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising is a commonly used self-regulatory program to assist companies in allowing consumers to opt out of targeted advertising based on web activity tracking.
Note: The deadline for compliance is January 1, 2014.
Are there penalties if I don’t update my privacy policy?
Failure to comply with the new requirements could result in fines of $2,500 per violation. With respect to mobile applications, the California Attorney General has indicated that each download of a mobile application that does not comply with the new requirements constitutes a violation and can trigger the fine.
Best Practices for Compliance
As part of updating its privacy policies to comply with the new Do Not Track requirements of CalOPPA, website owners and operators should undertake the following best practices:
A full copy of Assembly Bill 370 is available here.