Sharing is Caring, but Not Always in the Case of Cookies – CA Governor Signs the Country’s First “Do Not Track” Disclosure Bill
by Angelina Bruno-Metzger
On September 27, 2013, bill AB370, now known as the “Do Not Track” disclosure law (“DNT”), was officially signed into law by Governor Jerry Brown. This law will impose new and additional disclosure requirements on commercial websites and online services that collect personally identifiable information (“PII”) on users. “Do Not Track,” is an amendment to the California Online Privacy Protection Act (“CalOPPA”), which originally required that websites, as well as mobile applications, to explicitly and conspicuously post their privacy policies. This posted privacy policy must include what categories of PII are being collected and what third parties will also have access to that information. Under this latest amendment, website operators (or mobile applications) need to: (1) disclose and explain their privacy policies and how they respond to DNT signals, and (2) disclose applicable third-party data collection and use policies.
It should, however, be noted that this law does not explicitly prohibit tracking or affirmatively require a website operator to honor a consumer’s do not track request. It simply mandates that operators disclose their privacy policies. Additionally, the lack of a clear definition of “do not track” could be equally problematic when it comes to enforcement – since this new law does not define what it is regulating. A clear definition will most likely emerge through enforcement and adjudication of the law, as well as policy statements.
This “Do Not Track” law mandates that all companies have a complete technical understanding of their websites, as well as the third parties that are allowed to operate on the site, so that each company can fully disclose its data collection practices. While technically speaking this law would only require companies to make the disclosures to California residents, it will likely have a national, if not international, effect, as most companies usually do not craft different policies for specific states, and cannot know whether a user is a California resident. This new law will go into effect on January 1, 2014, and any operator that fails to provide the required disclosures will be given a warning and 30 days to comply or else be found in violation of the new law. Failure to comply, whether that failure is knowing and willful or negligent and material, could result in a $2,500 fine under California’s Unfair Competition Law.
Recently California has been boldly breaking ground in the nation in the area of online data privacy, and the “Do Not Track” law is no exception; it is the first of its kind in the country. For a more complete understanding of what online tracking is
