A recent amendment to California’s Online Privacy Protection Act of 2003, which already requires owners and operators of commercial websites to post conspicuous privacy policies, now requires even more —
As a result of AB 370, which took effect on January 1, 2014, owners and operators of commercial websites that collect “personally identifiable information” about an consumer’s online activities must disclose in their privacy policies how the owner/operator responds to browser “do not track” signals or other mechanisms that provide consumers with choice regarding the collection of such information. As an alternative, AB 370 allows the website owner/operator to provide a hyperlink to a webpage that details the program or protocol the website owner/operator follows.
Importantly, the amendment does not require a website owner/operator to respond to “do not track” signals. It also does not require a website owner/operator to honor a consumer’s choice not to be tracked.
Website owners/operators who receive a non-compliance notice will have 30 days to update their privacy policies. Those who are still non-compliant after 30 days will face penalties of up to $2,500 per violation. Note that the CA Attorney General’s office has said that it considers each download of a non-compliant website or app to be a single violation.