Who: Governor of California
When: 27 September 2013
Where: California
Law stated as at: 14 Jan 2014
What happened:
As readers of marketinglaw.co.uk may be aware, OBA and ‘Do Not Track’ initiatives remain a hot topic. In California, this debate has now progressed even further, with obligations around ‘Do Not Track’ disclosures now being enshrined into law.
The California Online Privacy Protection Act of 2003 (CalOPPA) already requires commercial websites and online service providers to conspicuously post a privacy policy. The policy must disclose, amongst other things, the categories of personally identifiable information the operator collects and who the operator shares this information with. Regulated operators also include, as held by the California Office of Attorney General, operators of software and mobile apps that transmit and collect personal information online.
Governor Brown of California has now passed ‘AB 370′ which amends CalOPPA. The amendment requires those regulated website and online service providers to disclose in that privacy policy how they respond to browser “do not track” signals. Alternatively, the operator can link to webpage with a description of any program or protocol the operator follows that offers consumers a choice about online tracking.
The amendment also requires those operators to disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different sites sites when a consumer uses that website or service (but not to disclose who those other parties are).
What the amendment doesn’t do however is require operators to actually respond to “do not track” signals, or to honor a consumer’s choice not to be tracked. Equally, the amendment doesn’t define “do not track”, or describe what might constitute a “do not track” signal or other tracking mechanisms. It is billed as ‘a transparency proposal— not a Do Not Track proposal’. Operators who must comply with CalOPPA and these amendments have 30 days to comply after being notified of any non-compliance, and can face fines of up to $2,500 per breach.
Why this matters:
With debate around and development of ‘Do Not Track’ initiatives ever evolving, this will be welcomed by its supporters. For any advertisers and marketers that fall under the remit of CalOPPA, privacy policies must also be reviewed and updated if they haven’t already.
Should UK website publishers be worried?
Another issue is whether UK website publishers should be concerned. The answer is that perhaps they should, particularly if there is any realistic prospect that residents of California will be accessing their site and having tracking cookies dropped on their devices as a result.
This is because neither the website publisher nor the online service provider has to be located in California for CalOPPA to be engaged.
The critical issue is whether residents of California are able to visit the site or use the online server and their online behaviour is capable of being tracked by cookies the site or service drops.
Website publishers’ directors, particularly if they have subsidiaries or associated companies in California, may want to look at updating their privacy policies to avoid detention at LA airport next time they fly to the Sunshine State.