Effective January 1, 2014, amendments to the California Online Privacy Protection Act (“CalOPPA”) require all commercial websites and online services that collect personally identifiable information (“PII”) to include additional disclosures in their privacy statements: how the operator responds to browser “Do Not Track” signals or other similar mechanisms; and whether other parties may collect PII about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s site or service.
Like the existing provisions of CalOPPA, the amendments apply to sites and online services collecting PII “about individual consumers residing in California.” Because virtually every website and online service in the United States reaches California users, the change affects virtually all of them. California Attorney General Kamala Harris, who supported the amendment, has taken the position that mobile apps are “online services” under the Act and therefore must abide by CalOPPA.
Of the two new disclosure requirements, the Do Not Track (“DNT”) provision has received far more attention. This is perhaps because the concept of Do Not Track, a browser setting that signals whether the user permits sites to collect personal information about their browsing, has been the subject of considerable debate. Numerous questions have been raised about the types of online companies and products that are bound by the Do Not Track disclosure requirement. Questions that have been asked, and will continue to be asked, include:
- Since most first-party websites and online services do not collect PII about users over time and across third-party websites, do those operators need to make any Do Not Track disclosure at all?
- Since Do Not Track instructions are currently sent by web browsers to websites, how does the disclosure requirement apply to mobile apps?
- Are third parties such as advertising networks considered “online services,” and therefore required to make a Do Not Track disclosure?
- Operators who do not honor Do Not Track signals can satisfy the disclosure requirement simply by saying so, but how will consumers interpret such a disclosure? Operators may be concerned that declining to honor Do Not Track signals will alienate their customers.
The second part of the amendment, the disclosure as to whether third parties present on the site or online service may collect PII about a user’s activities across multiple sites, may affect a larger number of sites, apps and other online services. Many first-party sites and apps permit third-party entities such as ad servers to collect information about users’ browsing habits on their sites and apps, typically by means of cookie identifiers. Operators permitting third-party cookie placement will need to disclose that potential third-party data collection to comply with the amendment.
There are many uncertainties regarding these amendments. Rather than focusing on those concerns, which will take time to resolve, website operators should consider the following steps to come into compliance:
- Decide whether or not to honor Do Not Track signals (a request that sites not collect personal information about a consumer’s activities over time and across different websites, for example through advertising networks or analytics services), and disclose that decision in the privacy policy.
- Determine whether third parties may collect personal information about a visitor’s online activities over time and across different websites when a consumer uses the operator’s website, mobile app, or service; and disclose this practice in the privacy policy.
- Monitor self-regulatory programs such as the Digital Advertising Alliance and the Network Advertising Initiative for rule changes that reflect the new legislation.
- Amend company privacy policies to specifically discuss how the company treats Do Not Track selections.
- Add provisions to privacy policies to address third-party tracking practices.
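Whatever an operator decides to disclose about Do Not Track, the site’s code has to match the disclosure. The following is an added example, not code from the original article or from Jeffer Mangels Butler & Mitchell, showing how a site can read the browser’s Do Not Track signal in the places browsers actually expose it (the `navigator.doNotTrack`, `window.doNotTrack` and `navigator.msDoNotTrack` properties in the page, and the `DNT: 1` request header on the server) and gate third-party trackers on the operator’s disclosed policy. The tracker URLs and the `HONOR_DNT` constant in the middleware comment are hypothetical placeholders.

```javascript
'use strict';

// Added example, not part of the original article: detect a Do Not Track
// signal wherever a browser exposes it, and use the operator's disclosed
// policy to decide whether third-party trackers may load at all.
//
// Client side the signal is a property: navigator.doNotTrack (Firefox,
// Chrome, Safari), window.doNotTrack (IE 11 / legacy Edge) or
// navigator.msDoNotTrack (IE 10). Values seen in practice: "1", "0",
// "unspecified", "yes", "no" (older Firefox) and null.
// Server side the same choice arrives as the request header "DNT: 1".

// Normalise any of those representations to true (opt out),
// false (explicit opt in) or null (no signal).
function parseDntValue(value) {
  if (value === null || value === undefined) return null;
  const v = String(value).trim().toLowerCase();
  if (v === '1' || v === 'yes') return true;
  if (v === '0' || v === 'no') return false;
  return null; // "unspecified", "", or anything unexpected
}

// `win` is a window-like object passed in explicitly so the logic can be
// exercised outside a browser; in a page you would call dntFromClient(window).
function dntFromClient(win) {
  const nav = (win && win.navigator) || {};
  const candidates = [nav.doNotTrack, win ? win.doNotTrack : undefined, nav.msDoNotTrack];
  for (const c of candidates) {
    const parsed = parseDntValue(c);
    if (parsed !== null) return parsed;
  }
  return null;
}

// `headers` is a plain header-name -> value object (e.g. req.headers in
// Node/Express); header names are matched case-insensitively.
function dntFromHeaders(headers) {
  for (const name of Object.keys(headers || {})) {
    if (name.toLowerCase() === 'dnt') return parseDntValue(headers[name]);
  }
  return null;
}

// The policy decision. honorDnt is whatever the operator has disclosed in
// its privacy policy; an operator that says it does not honor DNT still
// gets a consistent answer (always allow), so code and policy cannot drift.
function allowThirdPartyTracking(signal, honorDnt) {
  if (!honorDnt) return true;
  return signal !== true; // only an explicit opt-out blocks tracking
}

// Hypothetical placeholder URLs for an ad network and an analytics service.
const THIRD_PARTY_TRACKERS = [
  'https://ads.example/tracker.js',
  'https://analytics.example/collect.js',
];

// Return the third-party script URLs that may be injected for this visitor;
// a real page would follow this by creating <script> tags for them.
function trackersToLoad(win, honorDnt, trackers = THIRD_PARTY_TRACKERS) {
  return allowThirdPartyTracking(dntFromClient(win), honorDnt) ? trackers.slice() : [];
}

// Server-side equivalent as Express-style middleware (illustrative; HONOR_DNT
// is a hypothetical constant holding the operator's disclosed decision):
//   app.use((req, res, next) => {
//     res.locals.allowTracking = allowThirdPartyTracking(dntFromHeaders(req.headers), HONOR_DNT);
//     next();
//   });
```

The one design choice worth noting is that `honorDnt` is a single input that mirrors the privacy policy: if the disclosure says the site does not honor the signal, the code never blocks anything, and if it says the site does, only an explicit opt-out (`"1"` or `"yes"`) suppresses the trackers, since `"unspecified"` and a missing header carry no instruction.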
Finally, given the relatively small burden that the new disclosure imposes, companies may consider taking a conservative approach and adding a Do Not Track disclosure to their privacy policies.
Jeffer Mangels Butler & Mitchell works with clients to comply with information security and data privacy requirements, including website terms of use, privacy statements, data breach notification requirements, federal and state investigations, and negotiating service and licensing agreements with technology providers. For additional information, contact Robert Braun, rbraun@jmbm.com or 310-785-5331.