A new online privacy law requires operators of commercial web sites or online services that collect “personally identifiable information” (defined below) of California residents to disclose how they respond to “Do Not Track” signals. Do Not Track is a proposal analogous to the Do Not Call registry: it lets users opt out of tracking by web sites that they do not visit directly, including analytics services, advertising networks, and social platforms, by signaling their opt-out preference in an HTTP header that their web browser sends with each request.[i] The California Senate and the California Assembly passed A.B. 370 earlier this year, and Governor Jerry Brown approved it on September 27, 2013. Whether located in California or not, businesses that have web sites or provide online services should evaluate whether they are collecting personally identifiable information (“PII”) of California residents and whether they need to revise their existing privacy policies to comply with the additional disclosure requirements imposed by the legislation, as the law will go into effect on January 1, 2014.
The new law amends Section 22575 of the California Business and Professions Code, which currently requires operators of commercial web sites that collect PII about individual consumers residing in California who use their web sites to conspicuously post their privacy policies on their web sites. Operators of online services are currently required to make their privacy policies available by any reasonably accessible means to consumers of their online service. PII is defined as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.”[ii] PII includes such information as:
- (a) a first and last name;
- (b) a home or other physical address;
- (c) an email address;
- (d) a telephone number;
- (e) a social security number;
- (f) any other identifier that permits someone to contact a specific individual by physical or online means; and
- (g) information about a user that the web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in clauses (a)-(f).[iii]
“Conspicuously post” is defined to include posting the privacy policy through:
- (i) a web page on which the actual privacy policy is posted, if the web page is the homepage or first significant page after entering the web site (such homepage or first significant page, the “Portal Page”);
- (ii) an icon that (A) contains the word “privacy” and uses colors (or other means) contrasting with the background web page and (B) hyperlinks to a web page on which the actual privacy policy is posted, if the icon is located on the Portal Page;
- (iii) a text link that hyperlinks to a web page on which the actual privacy policy is posted, if the text link is located on the Portal Page, so long as the text link (1) includes the word “privacy,” (2) is written in capital letters equal to or greater in size than the surrounding text, or (3) is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;
- (iv) any other functional hyperlink that a reasonable person would notice because of its manner of display; or
- (v) in the case of an online service, any other reasonably accessible means of making the privacy policy available for its consumers.[iv]
The new law does not prohibit tracking or behavioral targeting; instead, it imposes two additional disclosure requirements upon operators of commercial web sites or online services that collect PII of California residents. First, such operators must now disclose how they respond to “Do Not Track” signals or other mechanisms that give consumers a choice regarding the collection of PII about each consumer’s online activities over time and across different web sites or online services.[v] Operators are not required to make this disclosure directly within their privacy policies. They may alternatively satisfy this disclosure requirement by providing clear and conspicuous hyperlinks in their privacy policies to online locations containing descriptions of any program or protocol that they follow that offers consumers a choice about how their activities are being tracked over time and across different web sites and online services.[vi] Second, such operators must disclose whether other parties may collect PII when consumers use their web sites or online services.[vii]
Businesses will likely confront two main issues in complying with the new law. First, they may not know what PII other parties may collect from visitors to their own web sites or services because they either (a) do not know what other companies are providing advertising, analytics, or social networking services on their web sites or services or (b) have not recently reviewed the terms of service of such third parties. Second, because no standard has emerged for how web sites and online services should respond to Do Not Track signals received in the HTTP request headers sent by users’ web browsers, operators may not yet have settled on a policy for responding to such requests. Nevertheless, businesses should start assessing (i) what PII third parties are obtaining from their web sites and online services, (ii) how such third parties are using their users’ PII, and (iii) how they will respond to Do Not Track signals. Furthermore, businesses should work with legal counsel to revise their privacy policies in advance of the January deadline.
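To make the header mechanism the article refers to concrete, the following Python code is an added example (it is not part of the original article and not any operator’s actual implementation). It reads the `DNT` request header the browser sends, decides whether to emit third-party analytics, advertising and social tags, and records the decision in a `Tk` response header. The `DNT` values (`1` = opt out, `0` = consent, absent = no preference) and the `Tk` values (`N` = not tracking, `T` = tracking, `D` = disregarding the signal) come from the W3C Tracking Preference Expression draft, not from the statute; the tag URLs are constructed placeholders.

```python
"""Server-side handling of the Do Not Track (DNT) request header.

Added illustration, not code from the article. Semantics assumed from the
W3C Tracking Preference Expression draft:
  DNT: 1  -> user opts out of cross-site tracking
  DNT: 0  -> user has granted consent to tracking
  absent  -> no preference expressed
The Tk response header tells the browser which policy was actually applied,
which is the behaviour an operator would describe in its privacy policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TrackingPolicy:
    dnt: Optional[str]       # normalised request value: "1", "0", or None
    load_third_party: bool   # whether ad/analytics/social tags are emitted
    tk_header: str           # value for the Tk response header


def parse_dnt(headers: Dict[str, str]) -> Optional[str]:
    """Return "1", "0", or None.

    Header names are matched case-insensitively (HTTP header names are not
    case-sensitive). Any value other than "0" or "1" is treated as if no
    preference had been expressed rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            return value if value in ("0", "1") else None
    return None


def decide_policy(headers: Dict[str, str], honor_dnt: bool = True) -> TrackingPolicy:
    """Map the request's DNT signal to a tracking decision.

    honor_dnt models the operator's stated policy: the statute only requires
    that the response to the signal be disclosed, so both branches are legal
    as long as the disclosure is truthful.
    """
    dnt = parse_dnt(headers)
    if dnt == "1":
        if honor_dnt:
            return TrackingPolicy(dnt, False, "N")   # opt-out honoured
        return TrackingPolicy(dnt, True, "D")        # signal disregarded
    return TrackingPolicy(dnt, True, "T")            # no opt-out received


# Constructed placeholder tags standing in for real third-party scripts.
THIRD_PARTY_TAGS: Dict[str, str] = {
    "analytics": '<script src="https://analytics.example/collect.js"></script>',
    "ads": '<script src="https://ads.example/tag.js"></script>',
    "social": '<script src="https://social.example/widget.js"></script>',
}


def render_page(
    headers: Dict[str, str],
    body: str = "<p>Hello</p>",
    honor_dnt: bool = True,
) -> Tuple[str, Dict[str, str], TrackingPolicy]:
    """Build the HTML and response headers for one request.

    Third-party tags are only included when the policy allows them, so a
    browser sending DNT: 1 to an operator that honours it never loads the
    scripts that would disclose the visit to other parties.
    """
    policy = decide_policy(headers, honor_dnt)
    tags: List[str] = list(THIRD_PARTY_TAGS.values()) if policy.load_third_party else []
    html = "<html><body>" + body + "".join(tags) + "</body></html>"
    response_headers = {"Tk": policy.tk_header}
    return html, response_headers, policy


if __name__ == "__main__":
    # Constructed sample requests: opt-out, consent, and no preference.
    for sample in ({"DNT": "1"}, {"dnt": "0"}, {"Accept": "*/*"}):
        html, resp, pol = render_page(sample)
        print(sample, "->", resp, "third-party tags:", pol.load_third_party)
```

The `honor_dnt` flag is the point of contact with the statute: whichever branch an operator takes, the privacy policy must describe it, and the `Tk` header gives the browser (and an auditor replaying requests) a way to check that the description matches what the server actually does.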
- [i] See Do Not Track: Universal Web Tracking Opt Out, donottrack.us, http://donottrack.us/ (last visited Sept. 28, 2013).
- [ii] Cal. Bus. & Prof. Code § 22575(a).
- [iii] Id. § 22575(a)(1)-(6).
- [iv] Id. § 22575(b)(1)-(5).
- [v] Cal. Bus. & Prof. Code § 22575(b)(5).
- [vi] Id. § 22575(b)(7). Such descriptions must also include the effects of any programs or protocols that the operators follow offering the consumers choices about how their activities are being tracked over time and across different web sites and online services. Section 22575(b)(7) is essentially a savings clause that allows businesses to satisfy the new disclosure requirement by providing links in their privacy policies to sites, such as that of the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, that give users the option of opting out of online behavioral advertising.
- [vii] Id. § 22575(b)(6).