• Do You Have a Web Site? If Yes, Be Sure You Are in Compliance with California’s New Privacy Disclosure Requirements
  • January 23, 2014 | Author: Andrea J. Mealey
  • Law Firm: Hinckley, Allen & Snyder LLP - Boston Office
  • A new California law took effect on January 1, 2014 that affects privacy policies and mobile application policies related to any web site or services accessible by consumers who are California residents. The new law is AB370, an amendment to the California Online Privacy Protection Act of 2003, and it puts two new obligations on website operators and service providers in regard to what they must include in their policies.

    First, AB370 requires operators' policies to include a description of how the operator responds to do-not-track settings in consumers' browsers. AB370 describes these do-not-track settings as, "signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party web sites or online services." An operator can satisfy the requirements of AB370 in one of two ways. An operator can disclose in its privacy policy how it responds to browser do-not-track signals or other mechanisms that provide consumers with choices regarding the collection of personal information. Alternatively, an operator may provide in its privacy policy a clear and conspicuous hyperlink to a webpage that provides a description of any program or protocol the company uses in order to respond to consumers' do-not-track settings.

    Second, AB370 requires operators to disclose in their privacy policies whether third parties engaging in online behavioral tracking for a variety of purposes may collect personally identifiable information related to consumers' online activities "over time and across different web sites" through the operator's website or online service. However, operators are not required to disclose which third parties are collecting such information or to disclose any details regarding the information so collected.

    Given that consumers from California can access web sites and applications regardless of where the operator is located, if you collect any personally identifiable information on your site or through a mobile app, the recommended course is to review your privacy policy and tracking practices to confirm that they are compliant with California's new law.