On Friday, September 27, 2013, Governor Brown signed California Assembly Bill 370 (AB 370), an amendment aimed at strengthening the state’s Online Privacy Protection Act (CalOPPA), into law. AB 370 requires websites and online services that collect personally identifiable information to disclose how they respond to users’ “do not track” requests. We recommend that our clients revise their privacy policies now, as AB 370 is effective immediately.

Current California Law – Section 22575

Current California law requires that operators of commercial websites and online services conspicuously post a privacy policy. These online privacy policies must outline what personally identifiable information the website collects and identify third parties that may receive this information. California currently defines personally identifiable information as names, contact information, Social Security numbers and any other individually identifiable information that the site collects, including both user-entered data and automatically collected data.

Privacy policies must also indicate whether and how users may review, or request changes to, their personally identifiable information. Information regarding how the website or online service notifies users about changes to the privacy policy must also be included.

Additional Disclosure Provisions

AB 370 does not prohibit commercial websites or online services from tracking and gathering personal information from their users. The bill only requires sites to disclose their “do not track” policies. As such, a site may choose to ignore users’ “do not track” requests and still comply with AB 370 as long as the site discloses this policy.

Under AB 370, the following “do not track” provisions have been added to Section 22575:

  • If a site or online service collects personally identifiable information from users or tracks online activity, the site must disclose how it responds to web browser “do not track” requests and similar signals that users may employ.
  • A site must disclose whether third parties may use the site or service to collect personally identifiable information and information about a user’s online activities over time and across different sites.
  • A site may include a hyperlink in its online privacy policy that leads to a description of any program or protocol that allows users a “do not track” option.

Although AB 370 is effective immediately, the “do not track” provisions are covered under the Section 22575 safe harbor that gives websites and online services 30 days to cure any defects after receiving notice of noncompliance.

Implications

On its face, AB 370 applies to websites and online services that are visited or used by California residents, not just to those operating in California. Thus, AB 370 will require a change in every online privacy policy that does not already address “do not track” requests, unless California-specific policies are created.