Mandatory disclosure of “Do Not Track” policies applies to ALL online operators collecting personal data from California residents

In an effort to bring some “transparency” to the murky practice of data collection on the Internet, California has expanded its Online Privacy Protection law (CalOPPA) to include two new disclosure requirements.

Before you click away because, what the heck, you don’t live in California so this expansion couldn’t possibly affect you, think again.

CalOPPA applies to ANY commercial website or online service that collects personally identifiable information (PII) about “individual consumers residing in California who use or visit its commercial Web site or online service”. So if your website collects PII (trust us, most websites do), and any visitors to your site happen to live in California (even if they’re not physically there when they happen to visit your site), CalOPPA appears to apply to you.

The new law, which takes effect on January 1, 2014, requires affected Internet operators to disclose in their online privacy statements (a) how their online operations “respond” to “Do Not Track” technology and (b) whether other parties may collect PII about visitors to the operator’s site. (The specific language is included in new subsections (b)(5)-(7) to Section 22575 of California’s Business and Professions Code.)

What is “Do Not Track” technology?

It’s a response to the ubiquitous collection of data, for commercial and other purposes, from Internet users. That data collection, occasionally referred to as “tracking” and often achieved through the insertion of “cookies” onto a visitor’s computer, makes the collected data available to website operators and other parties who can slice and dice the gathered information and then use it for targeted online commercial purposes. Tracking routinely occurs in the background while users browse away, blissfully unaware that their PII is being recorded, analyzed and incorporated in advertising plans. Often, the first hints the user might get that she’s been tracked are the targeted ads that arrive on her screen.

So far, such data collection is completely legal. To provide users with a way to counter tracking, virtually all of the major browser developers have in recent years included “Do Not Track” options in their software settings. Those options generally permit a user to set her/his browser so that it sends a “do not track” message to all websites visited.

But the websites visited are under no obligation to comply with the user’s wish (as expressed through his/her browser settings) not to be tracked. So invoking one’s “Do Not Track” options is kind of like pinning a large sign reading “Don’t Take My Picture” to one’s back while walking through an area bristling with surveillance cameras. It’s theoretically possible that somebody on the other end of one or another of those cameras might be willing and able to turn the camera off as you walk by, but it’s pretty unlikely.
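The browser-to-site exchange described above, seen from the operator's side, as an added example that is not code from the article or from any named browser vendor. It assumes the conventional `DNT` request header (`1` = do not track, `0` = user consents, absent = no preference), the `Tk` response header from the W3C Tracking Preference Expression draft for telling the browser what the site did, and that the web framework lowercases header names; the operator policy objects and the sample requests are constructed for illustration.

```javascript
// Added example: how a site can read and act on the browser's "Do Not Track"
// signal, and record what it actually does so the privacy policy can say so.
// Not code from the article. DNT header values and the Tk response header
// follow the W3C Tracking Preference Expression draft; the policy objects and
// sample requests below are constructed.

// Interpret the raw DNT header value sent by the browser.
function interpretDnt(headerValue) {
  if (headerValue === undefined || headerValue === null) return "unset";
  const v = String(headerValue).trim();
  if (v === "1") return "do-not-track";
  if (v === "0") return "consent";
  return "unset"; // malformed values are treated as no preference expressed
}

// Decide how this site responds, given the operator's declared policy.
// policy.honorDnt: true  -> cross-site tracking is suppressed when DNT: 1
//                  false -> the site disregards the signal (and, under the
//                           new CalOPPA rule, must disclose that it does)
// policy.trackByDefault: what happens when no preference was sent
function decideTracking(requestHeaders, policy) {
  const pref = interpretDnt(requestHeaders["dnt"]); // header names assumed lowercased
  let track;
  let tk;
  if (pref === "do-not-track") {
    track = !policy.honorDnt;
    tk = policy.honorDnt ? "N" : "D"; // N = not tracking, D = disregarding the signal
  } else if (pref === "consent") {
    track = true;
    tk = "C"; // C = tracking with the user's consent
  } else {
    track = policy.trackByDefault;
    tk = track ? "T" : "N"; // T = tracking
  }
  return {
    preference: pref,
    setTrackingCookie: track, // whether the cross-site tracking cookie is set
    responseHeaders: { Tk: tk },
  };
}

// Run a fixed set of constructed requests through the decision logic. This is
// the kind of self-check an operator can use to learn what the site really
// does before writing the disclosure.
function auditDntHandling(policy) {
  const samples = [
    { name: "dnt-on", headers: { dnt: "1" } },
    { name: "dnt-off", headers: { dnt: "0" } },
    { name: "no-header", headers: {} },
    { name: "garbage", headers: { dnt: "yes" } },
  ];
  return samples.map((s) => ({ name: s.name, ...decideTracking(s.headers, policy) }));
}

// Two constructed operator policies: one honours the signal, one ignores it.
const honoringPolicy = { honorDnt: true, trackByDefault: true };
const ignoringPolicy = { honorDnt: false, trackByDefault: true };

if (typeof require !== "undefined" && require.main === module) {
  console.log("site that honours DNT:");
  console.table(auditDntHandling(honoringPolicy));
  console.log("site that disregards DNT:");
  console.table(auditDntHandling(ignoringPolicy));
}
```

Running the audit with each policy produces the two tables an operator would compare against the wording of its own privacy statement: the honouring site sets no tracking cookie and answers `Tk: N` to a `DNT: 1` request, while the ignoring site still sets the cookie and answers `Tk: D`, which is exactly the behaviour the new disclosure has to describe.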

Some companies have committed to honoring “Do Not Track” requests, but many have not. And while a number of organizations, including the World Wide Web Consortium, have worked to come up with a standardized approach to the issue, those efforts have thus far been fruitless.

“Do Not Track” technology is reminiscent of the “Do Not Call” registry instituted several years ago to prevent unwanted telephone solicitations – both are intended to provide consumers with the opportunity to avoid commercial intrusions. But there are important differences. A telephone solicitor who violates the Do Not Call prohibition is subject to sanctions by the government; an online operator who ignores a “Do Not Track” signal currently is not.

And when a telephone solicitor does violate the Do Not Call prohibition, the consumer knows it because the consumer receives the prohibited solicitation. But a user often has no way of knowing when an online operator does not or cannot respond to a user’s “Do Not Track” signal.

That’s where California’s new law enters the picture.

CalOPPA already required website operators that collect PII about California residents to “conspicuously post” their privacy policies and to comply with those policies. Under the recent expansion, those privacy policies must now also disclose:

  1. how the Operator “responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection”; and
  2. “whether other parties may collect [PII] about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

So if you’ve got a website that might be visited by California residents, what do you do?

First, it’s important to remember that the new law does not require you to respond to Do Not Track messages; it requires only that you disclose how you do or don’t respond. In other words, you can ignore Do Not Track messages and collect PII despite them, but if you do that you will need to say so in your privacy policy. Of course, that may not go over well with your site’s visitors, whom you would presumably prefer not to alienate. But that’s a problem between you and your visitors, not you and the State of California.

If you do respond to Do Not Track messages, you will need to disclose how you respond. The new provisions of CalOPPA don’t specify exactly how detailed your disclosure must be, but presumably it should accurately reflect your response.

If you don’t know how your website is set up to deal with Do Not Track messages, now would be a good time to investigate that question. In order to be sure that you’re in compliance with a wide variety of Internet-related requirements, you should in any event be familiar with the intricacies of your site. That includes not only your own business’s data collection and processing practices, but also those of any third parties to whom you have given access to your site.
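Knowing which third parties your pages hand traffic to is the starting point for the second disclosure (whether other parties may collect PII on your site). The following is an added example, not code from the article: a small inventory pass over a page's HTML that lists every non-first-party host referenced by a loading attribute and the tags that reference it. The first-party domain and the sample HTML are constructed; the tag scan is a deliberately simple regular-expression pass rather than a full HTML parser, so a real review would run it against rendered pages and still confirm the result with the browser's network panel.

```javascript
// Added example: inventory the third-party hosts a page loads resources from,
// as a first step toward the "whether other parties may collect PII"
// disclosure. Not code from the article. The operator domain and the HTML
// below are constructed; the regex scan is intentionally simple.

const FIRST_PARTY = "example.com"; // assumed operator domain

// Tags whose src/href attribute makes the browser contact another host.
// `\s` before src|href keeps data-src and similar attributes from matching;
// `\s*=` after it keeps srcset from matching.
const LOADING_ATTRS =
  /<(script|img|iframe|link|video|audio|source|embed)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Resolve a possibly relative URL against the page and return its host, or
// null for URLs with no host (data:, javascript:, unparsable values).
function hostOf(rawUrl, base) {
  try {
    const host = new URL(rawUrl, base).hostname.toLowerCase();
    return host === "" ? null : host;
  } catch {
    return null;
  }
}

function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// Returns a sorted, de-duplicated list of third-party hosts together with the
// tags that reference them, so each host can be matched to a vendor and a
// line in the privacy policy.
function thirdPartyHosts(html, pageUrl) {
  const found = new Map();
  for (const m of html.matchAll(LOADING_ATTRS)) {
    const tag = m[1].toLowerCase();
    const host = hostOf(m[2], pageUrl);
    if (!host || isFirstParty(host)) continue;
    if (!found.has(host)) found.set(host, new Set());
    found.get(host).add(tag);
  }
  return [...found.entries()]
    .map(([host, tags]) => ({ host, tags: [...tags].sort() }))
    .sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed page: first-party assets, a relative stylesheet, two ad/analytics
// scripts (one protocol-relative), a tracking pixel, an embedded iframe and a
// data: image that must be ignored. The .example TLD is reserved for examples.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="//ads.adnetwork.example/pixel.js"></script>
</head><body>
<img src="https://static.example.com/logo.png" alt="logo">
<img src="https://tracker.adnetwork.example/1x1.gif" alt="">
<iframe src="https://video.thirdparty.example/embed/123"></iframe>
<img src="data:image/gif;base64,R0lGODlh" alt="">
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.table(thirdPartyHosts(SAMPLE_HTML, "https://www.example.com/"));
}
```

On the constructed page the pass reports four third-party hosts (two from the ad network, one analytics CDN, one video embed) and drops the first-party logo, the relative stylesheet and the inline data: image. Each reported host is a party that can see at least the visitor's IP address and referring page, which is the minimum an operator needs to know before stating whether others collect PII on its site.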

The new CalOPPA rules permit you to satisfy the disclosure requirement by providing a hyperlink “to an online location containing a description … of any program or protocol the operator follows that offers the consumer [choices on tracking].” Also, for enforcement purposes, operators should be aware that, before they can be penalized for failing to make the necessary disclosures, they will be notified of the problem and given 30 days to remedy it.

Of course, another solution is simply not to collect PII. Remember – CalOPPA applies only to operators who collect PII. If you’re not collecting, you have no obligations under the statute. However, that may not be consistent with your business purposes, or with the efficient operation of your website, because under CalOPPA the “persistent identifiers” necessary for the smooth interaction of consumers with web applications may fall under the definition of PII. (Theoretically, you could avoid liability under CalOPPA by somehow screening out California residents from access to your site – but even if you were inclined to try such an approach, it’s not clear how effective it would be.)

The new CalOPPA requirements provide an excellent impetus to all website operators to review their PII practices and update their privacy policies as may be necessary. And while you’re at it, why not also undertake a broader review of data collection operations and privacy policies as well?