California Online Tracking Disclosure Bill Heads to Governor for Signature

Many companies operating commercial websites and online services will likely need to update their privacy policies soon to comply with new requirements in California. After passing the Assembly and the Senate in a series of unanimous votes, A.B. 370 is now before the Governor for signature, which is expected soon.

If signed, A.B. 370 will amend the California Online Privacy Protection Act to require companies to include information about how they respond to “do not track” signals, as well as other new information about their collection and use of personally identifiable information. Companies who collect personally identifiable information online will need to review and revise their privacy policies to ensure information is included about:

  • What categories of personally identifiable information are collected;
  • The third parties with whom that information may be shared;
  • Whether there is a process and, if so, what the process is to review and request changes to personally identifiable information that is collected;
  • How consumers are notified of a material change to the privacy policy;
  • The effective date of the privacy policy;
  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and
  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

As the bill is likely to be enacted shortly and given the breadth of new information required to be included in covered privacy policies, companies who do collect personally identifiable information should begin reviewing their data collection practices and their privacy policies so they are prepared to make the changes when required by the bill. Companies are, however, given thirty days after notice of noncompliance to post their privacy policy before they will be in violation of the law.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:


Sheppard Mullin Richter & Hampton LLP on:

Popular Topics
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.