If they have not already done so, companies that collect information on California residents need to confirm that company websites include appropriate updates to comply with recent amendments (Assembly Bill 370 or “AB 370”) to the California Online Privacy Protection Act (“CalOPPA”) that require “do not track” disclosures.
Recent Amendments to the California Online Privacy Protection Act
(i) disclose how the operator responds to a web browser’s “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and
(ii) disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
While website operators were expected to comply with these updated disclosure obligations as of January 1, 2014, a violation occurs only if an operator fails to post a compliant policy within 30 days after being notified of noncompliance.
Expected Best Practices Guidelines
Continuing its longstanding tradition as one of the more aggressive state regulators of online consumer privacy practices, the California Attorney General’s office announced shortly before the effectiveness of AB 370 that the office plans to issue a set of best practices guidelines for disclosure of online tracking practices. The guidelines, which may be incorporated into existing staff reports on mobile privacy and online information-sharing practices issued by the Attorney General’s Office of Privacy Education and Policy, are expected to recommend online disclosure practices that go further than what is required under existing California law concerning online privacy practices.
While the anticipated best practices guidelines on disclosure will likely exceed the mandatory provisions of CalOPPA, when issued they may provide a good indication of the direction in which California (and possibly other state and federal privacy regulators) will continue to expand consumer privacy protections. We plan to provide an additional update when the best practices guidelines are issued.
* * *
If you would like more information or need assistance with any of the matters addressed above, including compliance with the required “do not track” disclosures, please contact Kate Rowe, Brett Lockwood, or your SGR counsel.