Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

California Enacts Law Requiring "Do Not Track" Disclosures

California, which has historically been at the forefront of consumer online privacy, has once again stepped ahead of other states and the federal government, enacting an amendment to the state's current online privacy law, California's Online Privacy Protection Act (CalOPPA), that requires commercial websites and online service providers to disclose how they respond to "do not track" signals from Internet browsers.

The state's Assembly and Senate approved the bill (AB 370) that requires commercial websites and online services to disclose how they respond to an Internet browser's "do not track" signals and whether and how third parties collect personally identifiable information from consumers who visit those sites. The bill was signed into law Sept. 27, 2013 and applies to any operator of commercial websites or online services that collects personally identifiable information about a California resident, whether the operator is physically based in California or not.

CalOPPA currently requires a website operator to conspicuously post its privacy policy and mandates certain information to be included in that policy. The amended law expands the required disclosures in two important ways. First, if an operator engages in the collection of personally identifiable information, its privacy policy must now disclose how the operator responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services. An operator may satisfy this requirement by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location setting forth a description (including the effects) of any program or protocol the operator follows that offers the consumer that choice. Second, the policy must disclose whether any third parties may collect personally identifiable information about the individual consumer's online activities when the consumer uses the operator's website or service.

Given the strong stance California Attorney General Kamala Harris has taken that her office interprets CalOPPA's reference to "online services" to include mobile applications, it is likely that her office's Privacy Enforcement and Protection Unit would consider the amended CalOPPA language to apply to mobile apps for both compliance and enforcement purposes.

This new requirement provides online and mobile businesses with an opportunity to revisit their tracking practices and data optimization strategies; and update their privacy policies to ensure that they are addressing this and other recent developments in this area. 

This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.