California law will soon require website and mobile app operators to disclose additional information in their privacy policies. Because the law applies to operators of websites and online services (including mobile apps) that collect personally identifiable information (e.g., name, address, phone number) from California residents, it might apply to your company even if it’s not located in California.
California’s Online Privacy Protection Act (CalOPPA) already requires such website operators to post an online privacy policy that describes the types of information that they collect, how that information is used and how it is shared with others. Beginning on January 1, 2014, there will be additional requirements. Any operator of a website or online service that collects personally identifiable information must also disclose the following in its privacy policy:
- How the operator responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services
- Whether third parties may collect personally identifiable information about a consumer’s online activities when a consumer uses the operator’s website or online service
The law does not require operators to honor a user’s “do not track” preferences — just that they disclose how they respond to such signals. However, how a website or online service operator responds to a user’s preferences could affect its decision as to whether to honor such preferences.
As with most regulations concerning tracking, the focus is on tracking over time and across third-party sites — what is normally referred to as “third party tracking.” It doesn’t cover “first party tracking” — for example, tracking of customer movements within your own website.
The issue is complicated by the fact that although the phrase “Do Not Track” seems simple and clear, it really is not clear at all. In practice, “Do Not Track” commands hardly ever mean, “If you choose this option, you will not be tracked.” Tracking often occurs automatically and a DNT command on a browser, such as the ones set by default on newer versions of Firefox and Internet Explorer, is generally interpreted to mean that an advertising network should not use the tracked information. For that reason, website operators probably need to spell out specifically what they and their advertising partners do — and they should avoid simplistic assertions that they “track” or “do not track” users.
Whether or not to use tracking information is still an open question for many online operators. For example, because Firefox and IE make DNT a default setting, many advertisers believe that the automatic DNT signals from those browsers do not really reflect consumer preferences. Thus, they ignore that default command and look to deliberate consumer preferences as set through the Digital Advertising Alliance’s opt-out program.
Disclosure is the key under CalOPPA. An operator that does not honor DNT signals will now need to say so. For good customer relationships, a website operator may want to go on and explain why — for example, that it relies on the DAA program to determine whether users have specifically requested that their information not be tracked.
In order to comply with the amended law, companies should evaluate their current practices with respect to “do not track” signals, and determine whether their websites allow third parties to collect personally identifiable information. They should then update their privacy policies to clearly and accurately explain their practices.
Jennifer Visintine is a partner in Thompson Coburn’s Intellectual Property and Media Law practice groups, and can be reached at jvisintine@thompsoncoburn.com.