News & Press: Legal Updates

California Expands Online Privacy Law

Monday, January 13, 2014  

California Expands Online Privacy Law to Include Do Not Track Disclosures
Alert from CASRO General Counsel

Research organizations that perform online research of California residents, particularly those that deploy tracking cookies and similar technologies on respondents and panelists, should check their privacy policies to ensure that they comply with the revisions to that state’s online privacy protection law, which went into effect on January 1, 2014.

California law will now require website and mobile app operators to disclose additional information in their privacy policies. Because the law applies to operators of websites and online services (including mobile apps) that collect personally identifiable information (e.g., name, address, phone number) from California residents, it might apply to research organizations even if they are not located in California.

California’s Online Privacy Protection Act (CalOPPA) previously required such website operators to post an online privacy policy that describes the types of information that they collect, how that information is used and how it is shared with others. As of January 1, 2014, there are additional requirements. Any operator of a website or online service that collects personally identifiable information must also disclose the following in its privacy policy:

  • How the operator responds to “do not track” (DNT) signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services
  • Whether third parties may collect personally identifiable information about a consumer’s online activities when a consumer uses the operator’s website or online service

The law does not require operators to honor a user’s DNT preferences — just that they disclose how they respond to such signals. Of course, how a website or online service operator responds to a user’s preferences could affect the user’s decision as to whether to use the website or online service.

As with most regulations concerning tracking, the focus is on tracking over time and across third-party sites — what is normally referred to as “third party tracking.” It doesn’t cover “first party tracking” — for example, tracking of customer movements within the operator’s own website.

The issue is complicated by the fact that although the phrase “Do Not Track” seems simple and clear, it really is not clear at all. In practice, DNT commands hardly ever mean, “If you choose this option, you will not be tracked.” Tracking often occurs automatically and a DNT command on a browser, such as the ones set by default on newer versions of Firefox and Internet Explorer, is generally interpreted to mean that an advertising network should not use the tracked information. For that reason, website operators probably need to spell out specifically what they and their advertising partners do with regard to DNT notifications — and they should avoid simplistic assertions that they “track” or “do not track” users.

Whether or not to use tracking information is still an open question for many online operators. For example, because Firefox and Internet Explorer make DNT a default setting, many site operators believe that the automatic DNT signals from those browsers do not really reflect consumer preferences. Thus, they ignore that default command and look to deliberate consumer preferences as set through the Digital Advertising Alliance’s opt-out program.

Disclosure is the key under CalOPPA. An operator that does not honor DNT signals will now need to say so. For good relationships with panelists and respondents, an online research company may want to go on and explain why; for example, that it relies on the DAA program to determine whether users have specifically requested that their information not be tracked.

In order to comply with the amended law, companies should evaluate their current practices with respect to DNT signals, and determine whether their websites allow third parties to collect personally identifiable information. They should then update their privacy policies to clearly and accurately explain their practices.

In the coming weeks, the California Attorney General is expected to release best practice guidelines for compliance with the law. This guidance may or may not include a strict interpretation of these and other compliance issues. Regardless of this forthcoming guidance, operators will be expected to comply as of the January 1 effective date. While businesses can take some comfort in the fact that California provides 30 days to address alleged deficiencies raised by the Attorney General before any fines may be imposed, non-compliance eventually can result in fines of up to $2,500 per violation.
