- December 4, 2013 | Authors: Chanley T. Howell; Peter I. Sanborn
- Law Firms: Foley & Lardner LLP - Jacksonville Office; Foley & Lardner LLP - Boston Office
A recently signed California law requires website operators to include a disclosure in their privacy policies regarding how their websites respond to “Do Not Track” mechanisms.
California Governor Jerry Brown recently signed into law a bill that requires operators of websites and online services, including mobile applications, to disclose in their privacy policies how they respond to “Do Not Track” mechanisms in web browsers. The law amends the California Online Privacy Protection Act (“CalOPPA”), and website operators and online service providers have until January 1, 2014 to comply with the new requirements.
Summary of Changes to CalOPPA
Failure to comply with the new requirements could result in fines of $2,500 per violation. With respect to mobile applications, the California Attorney General has indicated that each download of a mobile application that does not comply with the new requirements constitutes a violation and can trigger the fine.
Best Practices for Compliance
As part of updating their privacy policies to comply with the new Do Not Track requirements of CalOPPA, website owners and operators should undertake the following best practices:
- Identify the tracking mechanisms in place on their websites and online services, including (a) the specific types of personal information collected by each tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and whether the operator will honor the user’s choice. The list should include the tracking mechanisms used by the operator itself, as well as any tracking mechanisms placed by third parties, including advertisers and analytics services.
- Identify any other mechanisms that collect personal information from users, including social media plug-ins. While the changes to CalOPPA do not necessarily target these kinds of data collection mechanisms, operators should consider disclosing them to users in their privacy policies.