A recent amendment to California’s Online Privacy Protection Act of 2003, which already requires owners and operators of commercial websites to post conspicuous privacy policies, now requires even more —
As a result of AB 370, which took effect on January 1, 2014, owners and operators of commercial websites that collect “personally identifiable information” about a consumer’s online activities must disclose in their privacy policies how the owner/operator responds to browser “do not track” signals or other mechanisms that provide consumers with choice regarding the collection of such information. As an alternative, AB 370 allows the website owner/operator to provide a hyperlink to a webpage that details the program or protocol the website owner/operator follows.
Importantly, the amendment does not require a website owner/operator to respond to “do not track” signals. It also does not require a website owner/operator to honor a consumer’s choice not to be tracked.
Website owners/operators who receive a non-compliance notice will have 30 days to update their privacy policies. Those who are still non-compliant after 30 days will face penalties of up to $2,500 per violation. Note that the CA Attorney General’s office has said that it considers each download of a non-compliant website or app to be a single violation.
Bottom line: if you own or operate a commercial website that collects “personally identifiable information” from visitors, you should review your website’s posted privacy policy to ensure that it includes a full and proper discussion of how you respond to “do not track” signals.
You can find the text of the AB 370 amendment here. For the full text of California’s Online Privacy Protection Act, which is codified at Cal. Bus. & Professions Code §§22575-22579, click here.