A recently signed California law requires website operators that collect tracking information from California residents to include a disclosure in their privacy policies regarding how their websites respond to "Do Not Track" mechanisms.

California Governor Jerry Brown recently signed into law a bill that requires operators of websites, including mobile applications, to disclose in their privacy policies how they respond to "Do Not Track" mechanisms in web browsers. The law, which applies to companies located both in and outside of California that track California consumers, amends the California Online Privacy Protection Act ("CalOPPA"), and website owners have until January 1, 2014 to comply with the new requirements.

Summary of Changes to CalOPPA

Under CalOPPA, website operators were already required, among other things, to conspicuously post a privacy policy that describes the categories of personally identifiable information the website or mobile application operator collects, and with whom the information is shared. As amended by Assembly Bill 370, website and mobile application operators are now required to disclose to users how the site responds to so-called "Do Not Track" mechanisms, which are typically small pieces of code – similar to cookies – that signal to websites or mobile applications that the user does not want the website operator to track his or her visit to the site, including through analytics tools, advertising networks and other types of data collection and tracking practices. The law applies to all companies that collect tracking information from California residents, and accordingly applies to companies that do business in California and track California residents, even if the company does have a physical presence in California.

Notably, California has not mandated that website and mobile application operators honor a user's use of "Do Not Track" mechanisms – only that the user be provided with a disclosure about how the website will respond to such mechanism. Specifically, a website operator can satisfy the new requirement by providing "a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers consumers that choice [not to be tracked]." The Digital Advertising Alliance's Self-Regulatory Program for Online Behavioral Advertising is a commonly used self-regulatory program to assist companies in allowing consumers to opt-out of targeted advertising based on web activity tracking.

Additionally, the amendment to California's privacy policy requirements also requires website operators to disclose to users whether third parties may collect personally identifiable information about the user's online activities over time and across different websites. This change appears to be aimed at advertising networks that use cookies and other methods to compile usage data about users as they move from site to site.

Failure to comply with the new requirements could result in fines of $2,500 per violation. With respect to mobile applications, the California Attorney General has indicated that each download of a mobile application that does not comply with the new requirements constitutes a violation and can trigger the fine.

Best Practices for Compliance

As part of updating its privacy policies to comply with the new Do Not Track requirements of CalOPPA, website owners and operators should undertake the following best practices:

  1. Identify the tracking mechanisms in place on its websites and online services, including (a) the specific types of personal information collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and whether the operator will honor the user's choice. The list should include the tracking mechanisms used by the operator itself, as well as any tracking mechanisms placed by third parties, including advertisers and analytics services.
  2. In the case of tracking mechanisms employed by third parties, the operator should determine whether the mechanism collects personal information about users. Even if the mechanisms do not collect personal information, the operator may want to identify the mechanisms in its privacy policy in case the third party operator combines the tracking data with personal information about users it has collected from another source.
  3. Identify any other mechanisms that collect personal information from users, including social media plug ins. While the changes to CalOPPA do not necessarily target these kinds of data collection mechanisms, operators should consider disclosing them to users in their privacy policies.
  4. Incorporate the information identified above into the disclosures of the website's privacy policy, including the information collected from users in the context of tracking website activity, and how the user can opt-out of the collection of that information and/or receiving targeted advertising based on the tracking information.

A full copy of Assembly Bill 370 is available here: http://bit.ly/11kxb4o.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.