New Law Requires Certain Vendors to Expand Their Privacy Policies


A recent amendment to the California Online Privacy Protection Act of 2003 (“CalOPPA”) will require certain owners and operators of commercial websites and online service providers to change their posted privacy policies to include additional information.  CalOPPA requires certain owners and operators to conspicuously post their privacy policies related to the collection of personally identifiable information (“PII”) on their websites.  AB 370, signed into law on September 27, 2013 and effective January 1, 2014, now requires these owners and operators to include a discussion of their “do not track” signals in their privacy policies.  “Do not track” signals are mechanisms that provide consumers a choice regarding the collection of PII related to consumers’ online activities over time and across different websites or online services.

The amendment requires that relevant owners or operators who track a consumer’s PII in connection with the consumer’s online activities disclose in their privacy policies how they respond to browser “do not track” signals.  It also requires these owners and operators to disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses their website or service.  The bill suggests that one way owners and operators can satisfy the new “do not track” requirement is to provide consumers with a hyperlink to a webpage with a description, including the effects, of any program or protocol the operator follows that offers consumers a choice about online tracking.

Operators and owners who receive notice that they are not in compliance with the new law will have 30 days to update their policies.  Those who are still non-compliant after 30 days will face civil penalties of up to $2,500 per violation.  If you own or operate a commercial website, we suggest you review your posted privacy policy to ensure that it includes a discussion of how you manage “do not track” signals.

An “operator” under the statute is any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner.  Cal. Bus. & Prof. Code § 22577(c).

Likewise, PII means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.”  It includes (1) first and last names; (2) home or physical addresses; (3) e-mail addresses; (4) telephone numbers; (5) social security numbers; (6) any other identifier that permits the physical or online contacting of a specific individual; and (7) information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any other identifier described above.  Cal. Bus. & Prof. Code § 22577.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hirschfeld Kraemer LLP | Attorney Advertising

Written by: Hirschfeld Kraemer LLP
