California is increasing its requirements for companies to disclose their information-collection practices in privacy policies. Since 2003, the California Online Privacy Protection Act of 2003 (“CalOPPA”) has required operators of commercial websites and online services (e.g., a mobile application) that collect personally identifiable information from residents of California to conspicuously post their privacy policies and adequately describe their data collection and tracking policies. Because CalOPPA applies to all operators that collect personally identifiable information of California residents, the law is potentially applicable to all operators of commercial websites and online services. Effective January 1, 2014, CalOPPA was amended (AB 370) to provide additional disclosure requirements regarding data collection and “Do Not Track” disclosures and the existence of online tracking by third parties.
CalOPPA – Requirements Prior to 2014 Amendment
CalOPPA does not prevent an operator from tracking or collecting data from visitors to a website or online service, but it requires specified disclosures by operators of their data collection and tracking policies in a clear, conspicuous manner, that is easily understandable by consumers. A policy should disclose the following:
Additional Requirements Added to CalOPPA under AB 370, effective January 1, 2014
The major browser software vendors have introduced browsers that allow users to instruct websites accessed via the browser not to track the user’s activities. This is referred to as a “Do Not Track” signal. However, there is no legal requirement stating how operators of websites or online services must respond to this “Do Not Track” signal, and such signals are commonly ignored.
AG’s Guidance on Privacy Practices
For more information, please contact Frances Floriano Goins at Ulmer & Berne LLP.