New Law Requires Certain Vendors to Expand Their Privacy Policies
A recent amendment to the California Online Privacy Protection Act of 2003 (“CalOPPA”) will require certain owners and operators of commercial websites and online service providers to change their posted privacy policies to include additional information. CalOPPA requires certain owners and operators to conspicuously post their privacy policies related to the collection of personally identifiable information (“PII”) on their websites. AB 370, signed into law on September 27, 2013 and effective January 1, 2014, now requires these owners and operators to include a discussion of their “do not track” signals in their privacy policies. “Do not track” signals are mechanisms that provide consumers a choice regarding the collection of PII related to consumers’ online activities over time and across different websites or online services.
The amendment requires that relevant owners or operators who track a consumer’s PII in connection with consumer’s online activities disclose in their privacy policies how they respond to browser “do not track” signals. It also requires these owners and operators to disclose whether other parties may collect PII about an individual consumer’s online activities over time and across different websites when a consumer uses their website or service. The bill suggests that one way owners and operators can satisfy the new “do not track” requirement is to provide consumers with a hyperlink to a webpage with a description, including the effects, of any program or protocol the operator follows that offers consumers a choice about online tracking.
Operators and owners who receive notice that they are not in compliance with the new law will have 30 days to update their policies. Those who are still non-compliant after 30 days will face civil penalties of up to $2,500 per violation. If you own or operate a commercial website, we suggest you review your posted privacy policy to ensure that it includes a discussion how you manage “do not track” signals.
An “operator” under the statute is any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owner. Cal. Bus. & Prof. Code § 22577(c).
Likewise, PII means “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.” It includes (1) first and last names; (2) home or physical addresses; (3) e-mail addresses; (4) telephone numbers; (5) social security numbers; (6) any other identifier that permits the physical or online contacting of a specific individual; and (7) information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with any other identifier described above. Cal. Bus. & Prof. Code § 22577.