October 17, 2013

Make Sure Your Company’s Website Complies with California’s New Do Not Track Legislation


If your company has a website that collects personally identifiable information about users, you should know that California recently enacted new legislation that may require you to revise your privacy policy.  If there’s a possibility that you may collect information about California residents, the new law requires you to include the following information in your privacy policy:
 
  • Whether and how your website responds to a web browser’s “do not track” signal or other mechanisms that signal a request that your site not track the consumer’s online activities over time and across websites.
  • Whether you allow other parties to collect personally identifiable information about visitors over time and across different websites.

The new rules take effect on January 1, 2014.  Violators can be assessed penalties of up to $2500, though you will first be given a 30-day opportunity to bring your policy into compliance.

California’s legislature recently enacted Assembly Bill No. 370 (“AB 370”) which amends the California Online Privacy Protection Act of 2003 (“calOPPA”).  Since 2003, calOPPA has required a commercial website operator to post a privacy policy describing the personally identifiable information that the website collects and with whom it shares the data.  AB 370 amends calOPPA to also require the privacy policy to “disclose how the operator responds to ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities.”

The term “do not track” commonly refers to an HTTP header that web browsers use to request that a web application disable its tracking or cross-site tracking of the user. When do not track is enabled, the user’s web browser adds a header to its content requests indicating that the user does not want to be tracked. However, the do not track request is simply a signal; the web browser cannot enforce it. Whether the request is honored depends on how the web application responds to do not track headers.
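
One way a site could honor the signal described above, shown as an added example that is not part of the original article: a Python WSGI middleware that removes tracking cookies from responses to requests carrying `DNT: 1`. The cookie names and the demo application are constructed for illustration.

```python
# Added example, not from the article. Cookie names below are hypothetical.
TRACKING_COOKIES = {"ad_id", "xsite_uid"}


def dnt_enabled(environ):
    """True only when the request carries the header `DNT: 1`."""
    return environ.get("HTTP_DNT", "").strip() == "1"


class HonorDNT:
    """WSGI middleware: drop tracking cookies from responses to DNT requests."""

    def __init__(self, app, tracking_cookies=TRACKING_COOKIES):
        self.app = app
        self.tracking_cookies = set(tracking_cookies)

    def _is_tracking_cookie(self, name, value):
        if name.lower() != "set-cookie":
            return False
        return value.split("=", 1)[0].strip() in self.tracking_cookies

    def __call__(self, environ, start_response):
        if not dnt_enabled(environ):
            return self.app(environ, start_response)  # no signal: unchanged

        def filtered_start(status, headers, exc_info=None):
            kept = [(n, v) for n, v in headers
                    if not self._is_tracking_cookie(n, v)]
            return start_response(status, kept, exc_info)

        return self.app(environ, filtered_start)


def demo_app(environ, start_response):
    """Constructed sample app that sets a session and a tracking cookie."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=abc123; HttpOnly"),
        ("Set-Cookie", "ad_id=u-42; Max-Age=31536000"),
    ])
    return [b"hello"]


def response_cookies(app, request_headers):
    """Send one request through `app`; return the cookie names it sets."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", **request_headers}
    captured = []
    list(app(environ, lambda status, headers, exc_info=None: captured.extend(headers)))
    return sorted(v.split("=", 1)[0] for n, v in captured if n.lower() == "set-cookie")
```

Requests without the header, or with `DNT: 0`, pass through unchanged, so the session cookie and the tracking cookie are both set; with `DNT: 1` only the session cookie remains.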

AB 370 simply requires disclosure—it does not mandate that covered web site operators actually honor do not track requests.  Accordingly, how and what a web site operator must disclose to its users about its do not track policy depends entirely upon how the operator’s site responds to do not track signals.  The disclosure may come in the form of a “clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

AB 370 also requires operators of commercial web sites that collect personally identifiable information about individual consumers residing in California to “[d]isclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.”  For example, if a website operator allows a third party to place advertisements on its site and the advertiser places “cookies” on the user’s browser to allow the advertiser to track that user’s movements across domains, the website operator would likely need to disclose that fact to its users in its privacy policy.

If your website can or does collect information about California residents, you should revise your privacy policy by January 1, 2014 to inform consumers how your site responds to do not track requests and whether third parties may track visitors to your website over time and across different websites.

If you need help updating your privacy policy, or have other questions about consumer privacy laws, please contact Ken Coleman (at kcoleman@wnj.com or 616.752.2708) or Norbert F. Kugele (at nkugele@wnj.com or 616.752.2186).
