California to Require Website and Online Service Operators to Disclose Treatment of Do Not Track Requests

more+
less-

On September 27, 2013 California A.B. 370 was signed into law. It becomes effective January 1, 2014.  This law amends California's online privacy policy law to require that websites and other online services disclose how they respond to consumer "do not track" requests, including any program or application used to provide consumers with a "choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection." The new law applies to any website used by Californians, meaning nearly every website will have to comply.

 

The A.B. 370 "do not track" disclosure may be complied with simply by "providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice." The benefits of A.B. 370 may seem limited as it only requires disclosure and not that a website operator actually honors a "do not track" request.  However, there is not an agreed upon standard for browser do not track functions and there are some website operators that maintain tracking features even if the user's browser is set to a "do not track" status.  Thus, the law is intended to actively inform website and application users of whether the "do not track" functions of their browser will be effective.  A.B. 370 merely requires disclosure, it does not require that website/service operators actually comply with "do not track" features of browsers.   

 

Action Steps:

  • Commercial website or online service operators should evaluate their privacy policies to ensure such policies disclose how the services respond "to Web browser 'do not track' signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services, if operator engages in that collection."
  • Commercial website or online service operators should also ensure their policies "disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service."