Effective January 1, 2014, amendments to the California Online Privacy Protection Act (“CalOPPA”) require all commercial websites and online services that collect personally identifiable information (“PII”) to include additional disclosures in their privacy statements: how the operator responds to browser “Do Not Track” signals or other similar mechanisms; and whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s site or service.
Like the existing provisions of CalOPPA, the amendments apply to sites and online services collecting PII “about individual consumers residing in California.” Because virtually all websites and online services in the United States extend to California, this change impacts all websites. California Attorney General Kamala Harris, who supported the amendment, has taken the position that mobile apps are “online services” under the Act and therefore must abide by CalOPPA.
Of the two new disclosure requirements, the Do Not Track provision has received far more attention. This is perhaps because the concept of Do Not Track—a mechanism that lets users set their web browser to allow or prevent sites from collecting their personal information—has been the subject of considerable debate. Numerous questions have been raised about the types of online companies and products that are bound by the Do Not Track disclosure requirement. A few of the questions that have been, and could still be, asked include:
- Since most first-party websites and online services do not collect PII about users over time and across third-party websites, do those operators need to make any Do Not Track disclosure at all?
- Since Do Not Track instructions are currently sent by web browsers to websites, how does the disclosure requirement apply to mobile apps?
- Are third parties such as advertising networks considered “online services,” and therefore required to make a Do Not Track disclosure?
- Although operators who do not honor Do Not Track signals can satisfy the disclosure requirements simply by saying so, those operators might worry about how consumers will interpret such a disclosure. Operators might be concerned that declining to honor Do Not Track signals may alienate their customers.
The second part of the amendment – the disclosure as to whether third parties present on the site or online service may collect PII about a user’s activities across multiple sites – may affect a larger number of sites, apps and other online services. Many first-party sites and apps permit third-party entities such as ad servers to collect information about users’ browsing habits on their sites and apps, typically by means of cookie identifiers. Operators permitting third-party cookie placement will need to disclose any potential third-party data collection to comply with the amendment.
There are many uncertainties regarding these amendments, but instead of focusing on those concerns, which will take time to resolve, website operators should consider the following steps to come into compliance:
- Monitor self-regulatory programs such as the Digital Advertising Alliance or Network Advertising Initiative rules for changes that reflect the new legislation.
- Amend company privacy policies to specifically discuss how the company treats Do Not Track selections.
- Add provisions to privacy policies that address third-party tracking on the site or service.
Finally, given the relatively small burden that the new disclosure imposes, companies may consider taking a conservative approach and adding a Do Not Track disclosure to their privacy policies.
Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.