California has long been the national leader in addressing online and mobile privacy issues. Influenced by the inclusion of the right of privacy as an inalienable right of its citizens guaranteed by the State Constitution,[1] California enacted the California Online Privacy Protection Act (CalOPPA) in 2004, becoming the first state to require websites and online services to conspicuously post privacy policies detailing the personal information they collect and the categories of third parties with whom they share that information. More recently, the California Attorney General’s office formed a Privacy Enforcement and Protection Unit, clarified that mobile applications are subject to CalOPPA (and pursued app developers who did not provide privacy policies with their apps) and published a best practices guide for the mobile app “ecosystem.”[2]

California continues such leadership with the recent passage of an amendment to CalOPPA requiring website operators to describe their policies relating to online tracking of consumers. Under the amendment,[3] which is effective January 1, 2014, CalOPPA now requires privacy policies to:

  • Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and
  • Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.

With this amendment, California has “dipped its toe” into the sensitive issues of online tracking of individuals for purposes of online behavioral advertising and the delivery of targeted advertisements, i.e., ads delivered based on profiles garnered from an individual’s use of the Internet. However, it is important to note that the amendment does not prohibit online tracking. Rather, all it requires is transparency, i.e., disclosure of the website operator’s policies regarding online tracking. The fundamental adage when it comes to privacy policies—“Say What You Do and Do What You Say”—remains firmly in place.

The first disclosure requirement is focused on operators who engage in the collection of a consumer’s online activities “over time and across third-party websites.” These operators would typically be ad networks and those with large consumer-oriented websites who want to sell or provide targeted ads. Arguably, an operator who does not engage in such tracking would not have to make any such disclosure, although adding a simple statement indicating that the operator does not engage in the collection of personally identifiable information “over time and across third-party websites” would seem to be prudent. The amendment further allows that the required disclosure can be made “by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

The second requirement, however, will be applicable to all website operators. The law requires disclosure of whether the operator allows others to use the site as part of such third parties’ efforts to track consumers’ use of different websites. For example, ad networks often place “cookies” and other code with such tracking capability on a site to help with advertising and analytics.

Because the new rules simply require disclosure, compliance should not be difficult. However, it needs to be done. While the requirement to post a privacy policy is only violated if an operator fails to post its policy within 30 days after being notified of noncompliance, a separate section of CalOPPA finds liability if the operator fails to comply with either the posting requirement or the disclosure requirement of CalOPPA “knowingly and willfully” or “negligently and materially.” Accordingly, website operators should not wait to get a letter demanding the disclosure of their online tracking policy.

Although CalOPPA is directed toward protecting California citizens, given the size of California in both population and economic activity, most websites and online businesses cannot ignore California law. Moreover, as a leader in privacy law, California’s actions are likely to be mirrored by other states, the federal government (either through legislation or the actions of federal regulators, especially the Federal Trade Commission) and/or industry groups. Bolstered by increased public attention to, and expectation of the disclosure of, privacy practices of websites and online businesses, the movement toward more transparency in data collection and privacy practices is only going to accelerate in the years to come.

Many companies have not updated their privacy disclosures in years. Certainly those websites and the data collection technology they use have changed. With the California amendment effective at the beginning of the new year, now is the time for website operators and mobile app developers to review and update their privacy disclosures.

[1] Article 1, Section of the Constitution of the State of California reads: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”

[2] “Privacy on the Go: Recommendations for the Mobile Ecosystem” is available here.

[3] Assembly Bill No. 370.