California Governor Jerry Brown recently signed into law A.B. 370,[1] which amends the California Online Privacy Protection Act[2] (CalOPPA) to require certain operators of websites and other online services to disclose how they respond when a visitor’s web browser sends a “Do Not Track” signal. The bill also requires operators to disclose whether third parties may collect data about visitors through the website or online service. Because the law reaches every person or company that operates a website or online service collecting personally identifiable information from California consumers, it affects companies well beyond California’s borders. The law takes effect on January 1, 2014.

Background 

“Do Not Track” (DNT) was originally proposed to give consumers an easy mechanism to opt out of online tracking. The Federal Trade Commission (FTC) first endorsed the concept of a universal browser-based DNT signal in its 2010 preliminary staff report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (December 2010).[3] In response, several browser vendors added settings that let consumers signal that they do not want to be tracked. The browser signal does not itself prevent tracking; the browser merely sends the DNT signal with each request, and it is up to the operator of the commercial website or online service to respond to it, if it chooses to at all. Because some data collection is necessary for a website to function, the difficulty lies in interpreting what the signal means (i.e., when an operator sees the DNT signal, what data may it continue to collect and what uses of that data are permitted?). In 2011, the World Wide Web Consortium (W3C), a voluntary, collaborative body that sets technical standards for the Web, formed a Tracking Protection Working Group to standardize DNT. The group, which consists of industry members, advocacy groups, and academic experts, has suffered from internal dissension and turnover in leadership, and as yet has been unable to reach consensus on how the DNT signal is to be interpreted.

A.B. 370 imposes disclosure obligations by amending CalOPPA, which currently requires website operators that collect personally identifiable information (PII) to conspicuously post—and comply with—a privacy policy.[4] CalOPPA further requires that the privacy policy identify the categories of PII that the operator collects, as well as the third parties with whom the operator shares the information.

The new bill includes two additional requirements. Under the new law, an operator also must:

  1. “disclose how the operator responds to Web browser do not track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection,” and
  2. “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

CalOPPA defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form,” including any of the following:

  • Name
  • Physical or email address
  • Telephone or Social Security number
  • Any other identifier that permits the physical or online contacting of a specific individual
  • Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this section

Implications

While A.B. 370 does not impose substantive provisions requiring companies to honor DNT signals or set standards regarding what honoring DNT entails, the bill is the California Legislature’s attempt to provide consumers with transparency, if not choice, regarding DNT. Such transparency may have the effect of encouraging companies to honor DNT signals, as they may feel more pressure now that they have to explain their policies to consumers.

Do I Need to Comply, and How Do I Comply? 

The new amendment requires operators of websites and other online services that collect PII about an individual’s online activities over time and across third-party sites or services to disclose how they respond to DNT signals or other mechanisms that give consumers a choice regarding cross-site tracking.[5] This disclosure requirement applies only to operators that themselves collect such PII across sites; it does not reach operators that collect PII only on their own sites.

California Attorney General Kamala Harris views CalOPPA’s definition of PII to be sufficiently broad to encompass cross-site data linked to a device via a persistent identifier, even if the data is collected anonymously.[6] Moreover, the legislative history of the amendment suggests that this is precisely the type of online tracking that the legislature intended to address.[7] If challenged, a court may ultimately disagree with this expansive interpretation of CalOPPA.[8] Nevertheless, companies will incur the risk of an enforcement action if they do not follow the statute with regard to the collection of persistent identifiers.

To comply with the law, operators first must determine whether, and if so how, they honor DNT browser signals or alternative consumer choice mechanisms, and then must clearly communicate this to consumers through their privacy policy. Although it is not clear whether the law requires operators to do more than state whether they honor the DNT signal or other choice mechanism, as a practical matter companies should specify how they respond to the signal rather than simply assert that they honor it. Because there is no accepted definition of what it means to honor DNT, operators should exercise caution in the representations they make. If an operator represents that it honors the DNT signal without a sufficient explanation of what that entails (e.g., that it ceases to collect certain information, or that it continues to collect the same information but ceases to make certain uses of it), the operator risks violating the statute or facing a claim for deception.
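The two responses mentioned above (ceasing collection versus continuing collection but limiting use) look different in code, and an operator’s privacy policy should describe whichever one its servers actually implement. The following Python sketch is an added illustration and is not code from the article or from any vendor. It relies on one real fact, that browsers send the preference as a request header named DNT with the value 1; everything else (the WSGI-style environ dict, the cookie name xs_uid, the policy names, the in-memory store standing in for a tracking backend, and the sample requests) is constructed for the example.

```python
"""DNT-aware request handling: two ways an operator might "honor" DNT: 1.

Added illustration, not code from the article or from any vendor. Assumes a
WSGI-style environ dict (the DNT request header arrives as HTTP_DNT); the
cookie name, policy names, in-memory store and sample requests are invented.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
import secrets

TRACKING_COOKIE = "xs_uid"  # hypothetical cross-site tracking identifier cookie


@dataclass
class Response:
    status: str = "200 OK"
    headers: list = field(default_factory=list)
    body: bytes = b""


def dnt_enabled(environ):
    """True only for 'DNT: 1'. 'DNT: 0' means the user allows tracking;
    no header at all means the user expressed no preference."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def existing_tracking_id(environ):
    """Return the cross-site identifier already set on this browser, if any."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookies.get(TRACKING_COOKIE)
    return morsel.value if morsel else None


def handle(environ, store, policy):
    """Serve a request and record cross-site activity according to `policy`.

    "stop_collecting": with DNT on, set no identifier and write nothing to the
        cross-site store (collection ceases).
    "limit_use": with DNT on, still record the visit but flag the record so
        profiling / ad-targeting code must ignore it (use ceases, not collection).
    `store` is a list standing in for the cross-site tracking backend.
    """
    if policy not in ("stop_collecting", "limit_use"):
        raise ValueError(f"unknown policy {policy!r}")
    dnt = dnt_enabled(environ)
    resp = Response(headers=[("Content-Type", "text/html")], body=b"<html>ok</html>")

    if dnt and policy == "stop_collecting":
        return resp  # no identifier read or set, nothing logged

    uid = existing_tracking_id(environ)
    if uid is None:
        uid = secrets.token_hex(8)
        # In practice this cookie would be set on the third-party domain.
        resp.headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={uid}; Path=/; HttpOnly"))
    store.append({
        "uid": uid,
        "referer": environ.get("HTTP_REFERER", ""),
        "path": environ.get("PATH_INFO", "/"),
        "profiling_allowed": not dnt,  # False under limit_use when DNT: 1
    })
    return resp


def demo():
    """Constructed requests (not captured traffic) exercising both policies."""
    base = {"HTTP_REFERER": "https://news.example/article", "PATH_INFO": "/pixel.gif"}
    with_dnt = dict(base, HTTP_DNT="1")
    returning = dict(base, HTTP_COOKIE=f"{TRACKING_COOKIE}=abc123")
    results = {}
    for policy in ("stop_collecting", "limit_use"):
        store = []
        handle(with_dnt, store, policy)
        results[policy] = store
    store = []
    handle(returning, store, "stop_collecting")
    results["no_dnt"] = store
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Under "stop_collecting" a DNT: 1 request leaves no identifier and no record behind; under "limit_use" the record still exists but carries a flag that downstream profiling code must respect. A privacy policy that says only "we honor Do Not Track" does not tell a consumer which of these two behaviours they are getting, which is the gap the paragraph above warns about.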

The new amendment also requires operators to disclose whether third parties may collect PII about a consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service. This disclosure requirement applies to all websites and online services. Websites and online services that do not currently make such a disclosure will need to revise their privacy policies.

What Happens If I Don’t Comply? 

An operator is in violation of CalOPPA if it does not post a compliant privacy policy within 30 days of being notified of noncompliance. While CalOPPA does not provide a private right of action, the California attorney general can bring enforcement actions under the law. Violations of CalOPPA may result in penalties of $2,500 per violation. For apps, Attorney General Harris has asserted that each download of a noncompliant app constitutes a separate violation.

[1] http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370.

[2] Cal. Bus. & Prof. Code §22575.

[3] http://www.ftc.gov/os/2010/12/101201privacyreport.pdf.

[4] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579.

[5] Although the law refers only to websites and other online services, California Attorney General Harris has taken the position that CalOPPA applies to mobile applications as well. See Privacy on the Go: Recommendations for the Mobile Ecosystem (January 10, 2013), available at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf. See also People v. Delta Air Lines Inc., No. CGC 12-526741 (Cal. Super. Ct. February 11, 2013) (dismissed on other grounds).

[6] Privacy on the Go: Recommendations for the Mobile Ecosystem (January 10, 2013), available at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf (defining personally identifiable data as “any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.”).

[7] See, e.g., Senate Judiciary Analysis (June 24, 2013), available at http://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml#.

[8] In its defense of an enforcement action filed by Attorney General Kamala Harris’s office over Delta’s alleged failure to comply with CalOPPA, Delta argued that its app did not contact specific individuals and thus did not collect “personally identifiable data” under CalOPPA. Delta argued that “a piece of information collected from a consumer does not become PII simply because the State holds that opinion.” Def. Delta Air Lines, Inc.’s Reply in Support of Demurrer at 9, People v. Delta Air Lines Inc., No. CGC 12-526741 (Cal. Super. Ct. February 11, 2013) (dismissed on other grounds).