On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking. Operators will be required to disclose whether third parties collect certain information about California residents over time and across different websites when those residents use the operators’ sites and services. The law also requires that operators disclose how they respond to do-not-track signals or other mechanisms designed to provide consumers with choices relating to such activities. Although the law is limited to online services directed to California, it provides a de facto national standard for websites that do not provide separate privacy disclosures based on location.
In the coming weeks, the California Attorney General is expected to release best practice guidelines for compliance with the law. This guidance may or may not include a strict interpretation of these and other compliance issues. Regardless of this forthcoming guidance, operators will be expected to comply as of the January 1 effective date.
As we have written before, ambiguities in the law complicate compliance. For instance, the law does not provide a definition of “do-not-track.” Without a statutory definition of do-not-track, or a commonly accepted definition by industry, businesses should take appropriate caution when describing in their privacy policy how they respond to do-not-track signals. Also, there is confusion as to whether an operator’s provision of a link to widely used industry opt-out mechanisms obviates the need for a do-not-track disclosure. In addition, the law does not make clear whether subsidiaries and affiliates of a website operator or online service constitute “other parties.” If they are, operators will have to disclose whether affiliates and subsidiaries track consumers’ activities on their websites or services.
While businesses can take some comfort in the fact that California provides 30 days to address alleged deficiencies raised by the Attorney General before any fines may be imposed, non-compliance eventually can result in fines of up to $2,500 per violation.