California Internet Privacy Bill Signed by Governor, Effective Jan. 1

On Friday, September 27, 2013, California Governor Edmund G. Brown signed Assembly Bill 370, a bill that amends the Business & Professions Code § 22575 to require an operator of a commercial Internet website or online service that collects personally identifiable information about consumers residing in California who use or visit its website or service to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of PII about the consumer’s online activities, and to disclose whether others may collect PII when a consumer uses the operator’s website or online service.

Existing California law requires any person or entity that owns a commercial website or online service that collects personally identifiable information (“PII”)1 through the Internet about individual consumers residing in California who use or visit its commercial website or online service (an “operator”)2 to conspicuously post its privacy policy on its website, or in the case of an operator of an online service to make the privacy policy available to consumers of the online service by any other reasonably accessible means. Under the new law signed by Governor Brown, operators will be required to comply with additional privacy policy disclosures regarding visitor tracking practices commencing on January 1, 2014.

California Attorney General Kamala Harris has taken steps over the past two years to enforce Section 22575. This has included reaching agreements with platforms offering mobile apps to require compliant privacy policies for the mobile apps they offer to consumers on their platforms. With the heightened attention being given this statute, it should be expected that the new do not track disclosures will be enforced with similar vigor.

Since 2003, Section 22575(a) has required that an operator’s privacy policy do all of the following: (1) identify the categories of PII that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service and the categories of third-party persons or entities with whom the operator may share that PII; (2) if the operator maintains a process for an individual consumer to review and request changes to any of his or her PII that is collected through the website or online service, provide a description of that process; (3) describe the process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator’s privacy policy for that website or online service; and (4) identify its effective date.

The new law will require an operator’s privacy policy to include additional disclosures. First, the policy will have to disclose how the operator responds to web-browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection. Bus. & Prof. Code § 22575(b)(5). Second, an operator’s privacy policy will have to disclose whether other parties may collect PII about a consumer’s online activities over time and across different websites when he or she uses the operator’s website or service. Bus. & Prof. Code § 22575(b)(6).

An operator may satisfy Section 22575(b)(5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice. Bus. & Prof. Code § 22575(b)(7). The term “conspicuously post” includes posting the privacy policy through any of the following: (1) a webpage on which the privacy policy is posted if the webpage is the homepage or first significant page after entering the website; (2) an icon that hyperlinks to a webpage on which the privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the website, and if the icon contains the word "privacy, " and the icon is to be in a color that contrasts with the background color of the webpage or is otherwise distinguishable; (3) a text link that hyperlinks to a webpage on which the privacy policy is posted, if the text link is located on the homepage or first significant page after entering the website, and if the text link does one of the following: (A) includes the word “privacy;” (B) is written in capital letters equal to or greater in size than the surrounding text; or (C) is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language; (4) any other functional hyperlink that is so displayed that a reasonable person would notice it; and (5) in the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service. Bus. & Prof. Code § 22577(b).

Click here to read a copy of the California Assembly Bill 370.


  1. PII is individually identifiable information about a consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including: (1) a first and last name; (2) a home or other physical address, including street name and name of a city or town; (3) an e-mail address; (4) a telephone number; (5) a social security number; (6) any other identifier that permits the physical or online contacting of a specific individual; or (7) information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in Section 22577(a). Bus. & Prof. Code § 22577(a).
  2. [1] The term “operator” does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner. Bus. & Prof. Code § 22577(c).

Topics:  Data Collection, Disclosure Requirements, Do Not Track, Personally Identifiable Information, Privacy Policy

Published In: General Business Updates, Communications & Media Updates, Consumer Protection Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »