California Amendment Requires “Do Not Track” Disclosure

By Jennifer Daniels

California has passed a bill that amends the existing California Online Privacy Protection Act (“CalOPPA”) to require that websites collecting personally identifiable information (“PII”) about California residents be transparent in how they respond to web browser “do not track” (“DNT”) signals.

CalOPPA has long required that a website operator that collects PII about California residents post a privacy policy.  The existing CalOPPA says that a website must explain in its privacy policy:

  1. the categories of PII collected by the site,
  2. the categories of third parties with whom such information is shared,
  3. the process (if any) that the site operator uses for an individual to request changes to any PII collected through the site,
  4. the effective date of the policy, and
  5. how users are notified about changes to the policy.

On September 27, the California governor signed an amendment to CalOPPA that requires a website operator to disclose in its online privacy policy how it responds to DNT signals or other mechanisms that provide consumers a choice regarding the collection of PII about an individual consumer’s online activities over time and across different websites. The amendment also requires the operator to disclose whether other parties may collect PII when a consumer uses the operator’s website.

The major web browsers offer DNT browser headers that give consumers the choice to elect not to be tracked across websites for purposes such as online behavioral advertising.  The amendment to CalOPPA does not require that websites comply with the web browser DNT signals.  Rather, websites are free to ignore such signals so long as they are transparent about it to their users in their online privacy policies.   

The new law says that operators can comply with this disclosure requirement by “providing a clear and conspicuous hyperlink” in their privacy policy that links to a description “of any protocol the operator follows that offers the consumer” the choice to opt out of Internet tracking.

Given that no law requires that website operators adhere to the DNT signals, California is trying to at least keep consumers informed about which websites are ignoring them. It will be interesting to see if the Federal Trade Commission (“FTC”) makes any statements or brings any actions based on websites’ broad disregard for consumer choices through browser DNT signals. The FTC has clearly taken on website operators who make affirmative statements in their privacy policies and then act contrary to those statements (see, for example, Upromise, Myspace, and Google). But will the FTC take issue when a website operator is silent in its privacy policy about its disregard for consumer choices to not be tracked on the Internet? To be safe, website operators might consider updating their online privacy policies to disclose how they respond to DNT signals regardless of whether they collect PII about California residents or not, and before the California amendment goes into effect in 2015.
