California Governor Signs 'Do Not Track' Disclosure Requirement; Commercial Website and Mobile App Operators Required To Disclose Whether They Honor DNT Requests

This post was written by Lisa B. Kim, Joshua B. Marker and Katrina M. Kershner.

We previously noted that the California legislature had recently passed and sent to the governor’s desk a number of different data privacy bills this term. This past Friday, California Governor Jerry Brown signed into law one of those bills, AB 370 – legislation that imposes new disclosure requirements on commercial websites and online services that collect personally identifiable information (PII) on users. The legislation, the “Do Not Track” disclosure law, is the first law of its kind in the United States.

The California Online Privacy Protection Act (CalOPPA) had already required any website operator who collects personally identifiable information (PII) to conspicuously post its privacy policy, which must identify the categories of PII collected and the third parties with whom the operator shares the information. The California attorney general has made CalOPPA an enforcement priority. With the passage of AB 370, CalOPPA now requires that these commercial websites and online services also disclose in their privacy policies (1) how the site responds to a “Do Not Track” (or similar) signal from a browser, and (2) whether any third party may collect PII over time and across websites when a consumer visits the operator’s site.

As explained in our previous blog, all the major browsers offer “Do Not Track” options, which signal to sites that the individuals do not want their behavior tracked. Honoring the “Do Not Track” signal by refraining from collecting information on the individual is voluntary. The new law does not change this, but it does now require disclosure of whether and to what extent the site honors the “Do Not Track” signal.

The impact of this legislation is significant and will require all companies operating websites or mobile apps that are used by California residents to reevaluate their privacy policies. The DNT bill, in particular, requires every company to have a thorough understanding of the technical aspects of its websites, and of the third parties it allows to operate on its site, so that it can properly disclose its data collection practices. Further, by forcing companies to affirmatively disclose additional specifics about their information practices, the risk of litigation for noncompliance with the privacy policy is likely to increase.
