Once again California has taken the lead in enacting new laws requiring specific disclosures in online privacy policies. While the laws technically apply only in California, the practical reality is that any nationwide online service will need to comply. Compliance will require many website operators to review and update their existing policies and practices in two areas as described below.
1. Do Not Track (Effective January 1, 2014)
A website operator will be required to disclose two things in its privacy policy: (1) how the operator will respond to “do not track” instructions from web browsers or other sources, and (2) whether third parties – such as ad servers or data brokers – “may collect personally identifiable information about an individual consumer’s online activities over time and across different web sites when a consumer uses the operator’s web site or service.” The first requirement may be met by providing a link to another site that describes the process to be followed when a consumer elects a “do not track” option. Cal. Bus. & Prof. Code § 22575(5)-(7).
The law does not specify how (or whether) a site operator must respond to or respect “do not track” instructions. Nor does it prohibit third party advertising services from gathering information about site users. The law only has a disclosure requirement. Also, it does not provide for a private cause of action for violation. Only the California Attorney General has enforcement authority. Penalties up to $2,500 per violation can be assessed under the California Unfair Competition Law.
Interestingly, the law will take effect at a time when industry consensus on how to deal with “do not track” requests from consumers (or even how to define what “tracking” means) is starting to fray. The Digital Advertising Alliance, a coalition of major advertising trade associations, recently withdrew from a “do not track” task force organized by the World Wide Web Consortium. It remains to be seen whether the advertising industry will develop a sufficient self-regulatory system to keep Congress, the FTC, and other states from adding substantive restrictions on behavioral advertising tracking.
2. “Online Eraser” for Minors (Effective January 1, 2015)
With limited exceptions, websites will be required, starting in 2015, to allow any California resident under age 18 to remove (or request removal) of any information he/she has posted him/herself on the operator’s website, app or online service. In addition, the operator will be required to provide notice regarding the removal option and instructions how to use it. These requirements go beyond existing laws in the United States and will require many site operators to update their functionality as well as their privacy policies. The new law has no specific provision for private causes of action, so, presumably, it will only be enforceable by the California Attorney General, with the same maximum $2,500 per-violation penalty as the do-not-track law discussed above. Cal. Bus. & Prof. Code § 22580, et seq.