California has long been the national leader in addressing online and mobile privacy issues. Influenced by the inclusion of the right of privacy as an inalienable right of its citizens guaranteed by the State Constitution, California enacted the California Online Privacy Protection Act (CalOPPA) in 2004, becoming the first state to require websites and online services to conspicuously post privacy policies detailing the personal information they collect and the categories of third parties with whom they share that information. More recently, the California Attorney General’s office formed a Privacy Enforcement and Protection Unit, clarified that mobile applications are subject to CalOPPA (and pursued app developers who did not provide privacy policies with their apps) and published a best practices guide for the mobile app “ecosystem.”
California continues such leadership with the recent passage of an amendment to CalOPPA requiring website operators to describe their policies relating to online tracking of consumers. Under the amendment, which is effective January 1, 2014, CalOPPA now requires privacy policies to:
- Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services, if the operator engages in that collection; and
- Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s website or service.
With this amendment, California has “dipped its toe” into the sensitive issues of online tracking of individuals for purposes of online behavioral advertising and the delivery of targeted advertisements, i.e., ads delivered based on profiles garnered from an individual’s use of the Internet. However, it is important to note that the amendment does not prohibit online tracking. Rather, all it requires is transparency, i.e., disclosure of the website operator’s policies regarding online tracking. The fundamental adage when it comes to privacy policies—“Say What You Do and Do What You Say”—remains firmly in place.
The second requirement, however, will be applicable to all website operators. The law requires disclosure of whether the operator allows others to use the site as part of such third parties’ efforts to track consumers’ use of different websites. For example, ad networks often place “cookies” and other code with such tracking capability on a site to help with advertising and analytics.
Although CalOPPA is directed toward protecting California citizens, given the size of California in both population and economic activity, most websites and online businesses cannot ignore California law. Moreover, as a leader in privacy law, California’s actions are likely to be mirrored by other states, the federal government (either through legislation or the actions of federal regulators, especially the Federal Trade Commission) and/or industry groups. Bolstered by increased public attention to, and expectation of the disclosure of, privacy practices of websites and online businesses, the movement toward more transparency in data collection and privacy practices is only going to accelerate in the years to come.
Many companies have not updated their privacy disclosures in years. Certainly those websites and the data collection technology they use have changed. With the California amendment effective at the beginning of the new year, now is the time for website operators and mobile app developers to review and update their privacy disclosures.
 Article 1, Section of the Constitution of the State of California reads: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.”
 “Privacy on the Go: Recommendations for the Mobile Ecosystem” is available here.
 Assembly Bill No. 370.