California Online Privacy Protection Act—Do Not Track Amendment

On January 1, 2014, the California legislature passed the “Do Not Track Amendment” (the “Amendment”) to the California Online Privacy Protection Act (CalOPPA). The Amendment requires certain companies to include additional information in their privacy notices.

1. A.                 What does CalOPPA (As Amended) Require You to Do?

The CalOPPA states that operators of commercial websites or online services that collect personally identifiable information (PII) through the Internet from individual consumers residing in California who use or visit the commercial website or online service must conspicuously post a privacy notice on their website or online service that contains certain information. The privacy notice must contain the following seven things (the last two items were added by the Amendment):

1.      the categories of personally identifiable information that the entity collects about users;

2.      the categories of third party persons or entities that the entity discloses PII to;

3.      a description of any process by which users may review and request changes to their PII;

4.      a statement about how the operator notifies consumers about material changes to its privacy policy;

5.      an effective date;

6.      a description about how the operator responds to web browser’s Do Not Track signals; and

7.      a disclosure about whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.

1. B.                 Who Needs to Comply With CalOPPA and its Amendment?

Although CalOPPA is a California law, it impacts virtually most companies engaging in e-commerce across the US, because most companies want to do business with individual consumers who reside in California.

1. C.                 How to Comply with the Two New Requirements

Obligation to Disclose How the Operator Responds to Do Not Track Signals

The Amendment does not clearly state whether operators are required to (1) adhere to Do Not Track signals or (2) simply state what their policy is – either they adhere to or do not adhere to Do Not Track signals, and there is no case law on point to date, because the Amendment went into effect so recently.

The legislative intent behind the Amendment was to promote greater transparency so that consumers can make informed choices about whether they want to use the site. For this reason, many are interpreting this requirement to mean that website owners/operators should simply state what their policy is – either they adhere to Do Not Track Signals, or they do not adhere to them.

Obligation to Disclose Whether Third Parties Collect PII Via an App or Site

Companies need to disclose what third parties collect PII via their websites or online services (even if the company itself is not directly supplying that information to the third parties). Therefore, companies need to get in the habit of asking their third party contractors or ad suppliers what information they collect via their site and whether there are any downstream contractors who may also collect PII from their users.

1. D.                 Challenges in Complying with the Amendment

Obligation to Disclose How the Operator Responds to Do Not Track Signals

It is difficult for sites to determine what actually qualifies as a Do Not Track signal or similar mechanism that is covered by CalOPPA, because there is no clear definition of what a Do Not Track signal means. The World Wide Web Consortium, a group of privacy and web experts, have been trying to define what Do Not Track means and create consistent protocols over the past few years, but they have not yet been able to do so.

Furthermore, web browser technology is rapidly changing, so any disclosure about Do Not Track in a privacy notice is likely to become quickly outdated and will need to be periodically updated.

Obligation to Disclose Whether Third Parties Collect PII via a Website or Online Service

Frequently, operators do not know what information their third party service providers are collecting from their website or online service. Third party service companies may also use downstream third parties to provide services to an operator, and these downstream third parties may also collect information from operators’ websites or online services. The Amendment requires operators to disclose what PII these third party vendors and downstream third party vendors are collecting from users of their websites or online services, so operators must obtain this information.

In addition, third party vendors and downstream third party vendors may frequently change their technology/service, and this in turn changes how and what PII they collect from websites or online services. Operators must stay on top of any changes third party vendors and downstream third party vendors may make to their services or products and make sure they update their privacy notice to reflect this.

If you have any questions about this article or intellectual property, privacy and data security issues, please contact Helen Christakos, at helen.christakos@kayescholer.com.