While Congress remains deadlocked over whether to pass new data privacy and security legislation, some states aren't waiting and are pushing through new laws of their own.  

Last week, California's Senate and Assembly passed a bill that amends California's Online Privacy Protection Act (COPPA) adding stringent new disclosure requirements for companies that collect consumer data in the state. Governor Jerry Brown is expected to sign the bill into law.

Under COPPA, online services that collect personally identifiable information (PII) about California residents must conspicuously post privacy policies on their Websites and make those policies “reasonably accessible” to consumers.

The new bill amends COPPA by adding a requirement that Websites disclose in their privacy policies how they respond to so-called “do not track” (DNT) signals or other mechanisms that enable consumers to disable the tracking of their online activities over time and across third-party Websites or online services. This provision primarily would affect those that are deploying cookies or other tracking devices.

“Just about any consumer-orientated company will have to pay attention to the California bill,” says Theodore Claypoole, a senior partner at law firm Womble Carlyle and leader of the firm's privacy and data management team.

While the law applies only to California residents, it's likely to affect most online businesses. “California is a major jurisdiction, where many online companies are based,” says Jennifer Archie, a partner in the law firm of Latham & Watkins. “The chances that any Website operator or online service is collecting information from a California resident, or is itself a California company, are pretty high in the online space.”

Many companies may find complying with the new disclosure provision challenging, given that no statutory definition or federal standard exists that spells out exactly what DNT means. In addition, absent any federal or state mandate to comply with DNT preferences, implementation remains entirely voluntary and corporate practices vary widely.

“This is merely a disclosure statute,” explains Archie. The provision doesn't mandate that Website commercial operators or online services honor a DNT standard, only that they disclose how they respond to such tracking signals.

Website operators that do not clearly spell out their disclosure practice in their privacy policies would be given a warning and 30 days to comply before any enforcement action is taken. Failure to comply with COPPA potentially carries with it penalties up to $2,500 per violation.

By forcing commercial Website operators and service providers to publicly disclose whether or not they honor consumer requests to disable online tracking, Claypoole says the statutory provision appears to be “shaming” operators into complying with DNT requests.


In a letter to the California Assembly, several online advertising industry representatives aired similar concerns. The Association of National Advertisers, the American Advertising Federation, and the Interactive Advertising Bureau expressed particular concern that the bill's “generic use of the term ‘online tracking’ suggests inaccurately that there is some universally-agreed upon definition of tracking.”

“Many Website operators would be faced with uncertainty as to whether or not some basic operational functions would now be required to be ‘disclosed’ as not being ‘honored’ by the Website operator,” the letter stated. It also expressed concerns over the ambiguity of the term “personally identifiable information,” which “could be construed to cover such fundamental pieces of information as IP addresses.”

The letter also expressed concerns that the bill places an “undue burden on California Website operators, resulting in new compliance costs and burdens.”

SECTION 22575 AMENDMENTS

The following excerpt from California A.B. 370 details Section 22575 amendments:

(a) An operator of a commercial Website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Website or online service shall conspicuously post its privacy policy on its Website, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of non-compliance.

(b) The privacy policy required by subdivision (a) shall do all of the following:

(1) Identify the categories of personally identifiable information that the operator collects through the Website or online service about individual consumers who use or visit its commercial Website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

(2) If the operator maintains a process for an individual consumer who uses or visits its commercial Website or online service to review and request changes to any of his or her personally identifiable information that is collected through the Website or online service, provide a description of that process.

(3) Describe the process by which the operator notifies consumers who use or visit its commercial Website or online service of material changes to the operator's privacy policy for that Website or online service.

(4) Identify its effective date.

(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Websites or online services, if the operator engages in that collection.

(6) Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Source: California A.B. 370.

Putting It Into Practice

Operators that choose to honor DNT elections should be careful not to use general language, such as “‘We always respect do-not-track browsers,’ because it's rather complicated how things work in practice,” says Archie. “Companies need to be very precise in describing technically how their site and activity interact with do-not-track browsers.”

Another new provision added to COPPA would require that Website operators disclose whether other parties—such as the ad networks that they use—may collect data about an individual consumer's online activities over time and across different Websites when a consumer uses the operator's Website, app, or online service.

The disclosure language regarding third parties doesn't need to be included in the privacy policy, but may be contained in a separate document, so long as the privacy policy contains a “clear and conspicuous” hyperlink to that document.

The new provisions effectively mean that many Websites, mobile apps, ad networks, and other online services would need to update their privacy policies. “Companies should take this opportunity to conduct a complete audit of their data practices and make sure their privacy policies are complete and accurate,” says Alan Friel, a partner with law firm Edwards Wildman.

Federal Initiatives

Attention now turns to whether any federal standards will stem from California's efforts. “In some ways this is a backdoor way of pressuring the federal government to pass do-not-track legislation,” says Claypoole. “This particular bill by California is the first statement in favor of ‘do not track’ policies and procedures.”

The Federal Trade Commission has considered enacting do-not-track regulations for some time, but how that would work in practice, and whether it would require underlying legislation from Congress, remains to be seen.

In March 2012, the agency released its long-anticipated privacy report, giving companies a framework of acceptable practices concerning the collection of consumer data. It followed the White House's “Consumer Privacy Bill of Rights,” a blueprint for how companies should strengthen consumers' online privacy protections.

In February, Sens. Jay Rockefeller (D-W.Va.) and Richard Blumenthal (D-Conn.) introduced legislation that would give consumers the right to opt out of online tracking. The Do Not Track Online Act would instruct the FTC to issue regulations requiring online companies to honor a user's request not to have information collected about their online activities. The FTC and state attorneys general would have enforcement authority.

Another concern is that other states will begin enacting do-not-track bills of their own, potentially making things worse for companies. That does not seem likely to happen, though, says Archie. “In terms of legislation, most states have been content to use their general enforcement powers under state unfair and deceptive trade practice statutes to address consumer privacy disclosure requirements for online businesses, rather than enacting a patchwork of state laws,” she says.

Other states haven't been active in the online privacy space. All or nearly all state attorneys general have declared privacy a top enforcement priority, says Archie, “but they rely upon their general unfair and deceptive trade practice enforcement authority.”

The difference is that in California, “you have the combination of an active attorney general and an active legislature,” adds Archie.

Enforcement Efforts

California Attorney General Kamala Harris, who sponsored the new bill, has been aggressively pursuing new privacy laws and enforcement actions since establishing a new Privacy Enforcement and Protection Unit in February 2012. The unit, which sits within the Department of Justice, focuses on protecting consumer and individual privacy through prosecution under state and federal privacy laws.

During that same month, Harris also brokered an agreement with a handful of mobile app developers, in which they agreed to give consumers an opportunity to review an app's privacy policy before they download the app, rather than after. Those companies included Google, Apple, Amazon, Hewlett-Packard, Microsoft, and Research in Motion; Facebook joined the agreement in June 2012.

In December 2012, Harris filed a lawsuit in San Francisco Superior Court against Delta Air Lines over allegations that the company violated California's online privacy statute. According to the complaint, even though the company's “Fly Delta” mobile app collects personal information—such as the user's name, address, date of birth, credit card number, photographs, and location—it doesn't have a privacy policy.

While Delta has a privacy policy on its Website, the policy is insufficient because it doesn't discuss specific data types collected by the app and is not reasonably accessible to app users from within the “Fly Delta” app itself, the complaint stated. The lawsuit followed formal notification letters to 100 mobile app developers in October, warning them that they had 30 days to bring their apps into compliance with COPPA.

In May, California Superior Court Judge Marla Miller dismissed the lawsuit on grounds that the federal Airline Deregulation Act bars states from imposing regulations on airlines related to price, routes, or services. That lawsuit is now on appeal.

Meanwhile, while California continues to ramp up its privacy enforcement efforts, companies would be wise to take a proactive approach when it comes to privacy policies and mitigate their legal and compliance risks in California and elsewhere.