Home > Legal Library > Article




Join Matindale-Hubbell Connected


California's Do Not Track Disclosure Bill




by:
Deborah A. Feinblum
Venable LLP - Los Angeles Office

Brett A. Garner
Venable LLP - San Francisco Office

Stuart P. Ingis
Venable LLP - Washington Office

Gregory J. Sater
Venable LLP - Los Angeles Office

Michael A. Signorelli
Venable LLP - Washington Office

 
January 17, 2014

Previously published on January 2014

As of January 1, 2014, California law requires operators of websites and online services to publicly disclose how they respond to "do not track" (dnt) signals, though the exact requirements vary depending on whether an entity is a first party (e.g., web publisher) or third party (e.g., ad network). The new law will not require companies to honor dnt signals.

Operators of websites and online services should be prepared to update their privacy policies.

Background

On September 27, 2013, Governor Jerry Brown signed into law AB 370, an amendment to the California Online Privacy Protection Act (CALOPPA). CALOPPA requires online operators to post privacy policies stating: (1) the categories of personally identifiable information (PII) collected through their website or online service, (2) the categories of third parties with whom the operator may share PII, (3) the process by which a consumer may review and request changes to PII collected through the site or service if such a process is maintained, (4) a description of how operators notify consumers of material changes to the privacy policy, and (5) the effective date of the privacy policy. AB 370 will not change these requirements or the meaning of PII, but adds additional disclosure obligations described in the next section.

Amended Law - New Disclosure Requirements

Who is covered

Operators of commercial websites and online services are required to make disclosures related to dnt signals and other choice mechanisms in their privacy policy. However, the specific disclosure requirements vary for (1) operators engaged in data collection across sites and over time (i.e., third parties such as ad networks), and (2) operators of websites or online services where PII is collected (i.e., web publishers and other first parties).

Third Party Disclosure Obligations

Operators engaged in the collection of PII about an individual consumer’s online activities over time and across third-party websites or online services are covered by the new law. These entities are known as third parties under the industry self-regulatory program administered by the Digital Advertising Alliance (DAA). Examples of third parties covered by this law are ad networks and analytics providers. AB 370 requires these third parties to disclose in their privacy policy how they respond to web browser dnt signals or other mechanisms that provide consumers the ability to exercise choice regarding collection of the PII about an individual consumer's online activities over time and across third-party sites or online services. A third party covered by this law may satisfy this requirement by providing a clear and conspicuous hyperlink in its privacy policy that leads to an online location containing a description, including the effects of any programs or protocols the operator follows that offers the consumer that choice. Including a link to the Digital Advertising Alliance at www.aboutads.info/choices should satisfy this requirement.

AB 370 appears to require third parties to either disclose: (1) how it responds to web browser dnt signals or (2) other mechanisms that provide consumers the ability to exercise choice regarding PII collection. In cases where the third party links to an "other mechanism," the law does not require third parties to affirmatively state that they do not respond to dnt signals. If that is the case, third parties may still elect to make such disclosures as a defense to potential frivolous assertions that such entities have not disclosed how they respond to dnt signals.

First Party Disclosure Obligations

A first party operator (i.e. , a web publisher that permits third parties to collected data from its site) will be required under the new law to disclose whether other parties (i.e., ad networks, analytics providers etc.) may collect PII about an individual consumer's online activities over time and across different sites when the consumer uses the first party’s website or service. Although it will not be required by this law, it is industry practice and consistent with the DAA Principles for first parties to include a link to www.aboutads.info/choices in their privacy policy.

Next Steps

AB 370 took effect on January 1, 2014. Online operators have 30 days to comply after being notified of noncompliance.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
 

View More Library Documents By...

 
Author
 
Deborah A. Feinblum
Brett A. Garner
Stuart P. Ingis
Gregory J. Sater
Michael A. Signorelli
Practice Area
 
Internet Law
 
Venable LLP Overview


 

Practice Area Resource Centers
Visit our Practice Area Resource Centers to view practice area specific content compiled from a variety of legal sources. Find related articles, podcasts, industry leader insights and much more. We currently offer the following Practice Areas:Litigation;Intellectual Property;Real Estate;Corporate Law;Criminal Law;Bankruptcy;Immigration;Business Law;Insurance;Taxation;Labor & Employment;Commercial Law;Medical Malpractice;Trusts & Estates;Securities;International Law ;Health Care;Environmental Law;Construction Law;Workers' Compensation