AB370: California's "Do Not Track" Law

10/08/2013

On September 27, 2013, the California governor signed into law AB370, an amendment to the California Online Privacy Protection Act of 2003 ("CalOPPA").[1] CalOPPA requires owners of commercial websites and online service providers ("operators") to conspicuously post a privacy policy. The privacy policy must disclose to consumers, among other things, the categories of personally identifiable information (PII)[2] the operator collects and with whom the operator shares such information. Operators affected by CalOPPA include website operators and, as interpreted by the California Office of Attorney General, operators of software and mobile apps that transmit and collect PII online.[3]

AB 370 requires an operator that collects PII about an individual consumer's online activities over time and across third party websites and online services to disclose in its privacy policy how the operator responds to browser "do not track" signals or other mechanisms that provide consumers with choice regarding the collection of such information. As an alternative, the operator may provide a hyperlink to a webpage with a description, including the effects, of any program or protocol the operator follows that offers consumers a choice about online tracking. The amendment does not require operators to respond to "do not track" signals or to honor a consumer's choice not to be tracked. Further, AB 370 does not define what it means to "do not track" nor does it describe what might constitute a "do not track" signal or other tracking mechanisms.

The amendment also requires operators to disclose whether other parties may collect PII about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service. AB 370 does not state that operators must identify those other parties.

AB370 takes effect on January 1, 2014. Operators who must comply with CalOPPA and these amendments have 30 days to comply after being notified of noncompliance. Companies can face fines of up to $2,500 per violation of CalOPPA.[4] The California Attorney General has maintained that each download of a non-compliant mobile app constitutes a single violation.

Practice tips

  • Conduct an audit of your online service to determine: (a) the tracking methods your service uses and how your service responds to "do not track" settings; and (b) whether third parties conduct tracking activities on your online service.
  • Update your privacy policy as necessary to ensure that you have made the required disclosures about your online tracking activities and those of third parties and to ensure such disclosures are accurate.

Notes

  1. Cal. Bus. & Prof. Code §§ 22575-22579
  2. The term "personally identifiable information" as defined by CalOPPA means "individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
     (1) A first and last name.
     (2) A home or other physical address, including street name and name of a city or town.
     (3) An e-mail address.
     (4) A telephone number.
     (5) A social security number.
     (6) Any other identifier that permits the physical or online contacting of a specific individual.
     (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision."
  3. See November 5, 2012, Cooley Client Alert: Attorney General of California Targets Mobile Apps that Fail to Post Privacy Policies
  4. Cal. Bus. & Prof. Code § 17206(a)