Jan 22, 2014

How to comply with California’s Do Not Track law?

A new California law went into effect January 1, 2014 that governs how websites deal with online privacy. If I’m not based in California, does my website still have to comply with it?

AB370: California's "Do Not Track" Law

"On September 27, 2013, the California governor signed into law AB370, an amendment to the California Online Privacy Protection Act of 2003 ("CalOPPA") [1]. CalOPPA requires owners of commercial websites and online service providers ("operators") to conspicuously post a privacy policy. The privacy policy must disclose to consumers, among other things, the categories of personally identifiable information (PII) [2] the operator collects and with whom the operator shares such information. Operators affected by CalOPPA include website operators and, as interpreted by the California Office of Attorney General, operators of software and mobile apps that transmit and collect PII online. [3]

AB 370 requires an operator that collects PII about an individual consumer's online activities over time and across third party websites and online services to disclose in its privacy policy how the operator responds to browser "do not track" signals or other mechanisms that provide consumers with choice regarding the collection of such information. As an alternative, the operator may provide a hyperlink to a webpage with a description, including the effects, of any program or protocol the operator follows that offers consumers a choice about online tracking. The amendment does not require operators to respond to "do not track" signals or to honor a consumer's choice not to be tracked. Further, AB 370 does not define what it means to "do not track" nor does it describe what might constitute a "do not track" signal or other tracking mechanisms."

The way I understand it, if people from California are accessing your website and you collect any information, it could apply to you. It’s not that big of a deal to comply with; it is like the privacy notifications on European websites, except you also have to disclose whether your site honors “Do Not Track” requests. There is a potential $2500 penalty for non-compliance. I don’t have a problem with the law; it seems pretty fair to me. Some lawyers wrote an article about it, if you want to read more.
