In September 2013 the Assembly Bill no. 370 brought the Do Not Track into California’s online privacy laws. On January 1st of 2014, these changes came into force for Californian websites. As the introduction to the Bill outlines, commercial websites (mobile apps included) are required to have a privacy policy posted:
Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.
Now the Do Not Track amendment will bring changes regarding the way you have to disclose the “tracking” fact to the existing Section 22575 of the Business and Professions Code that handles the privacy disclosures at large (or also known as CalOPPA, or even OPPA).
CCPA and CalOPPA
The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law is set to become effective on January 1st, 2020, and to become fully enforceable on July 1st, 2020.
CalOPPA has not been repealed by the CCPA and still applies. This is something to take note of even if the CCPA definition of “business” does not apply to you, as you may still need to comply with CalOPPA, or both laws may be applicable to you.
Read our CCPA guide to find out when it applies, the consumer’s rights, the consequences of non-compliance and how to comply.
Do Not Track at a glance
Do Not Track is information that is communicated by a browser to a website about the fact that they do not want to be “tracked”.
- If you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy.
- If you respond to DNT in some way, the privacy policy should disclose how you respond to this signal.
- You need to act when:
- your (in any way commercial) website or mobile app is operated from California, or
- your users may be consumers residing in California.
Our Privacy and Cookie Policy Generator offers you a standard clause that you can use to declare you do not support “Do Not Track” requests. You can find it by typing “Do Not Track” in the service search bar.
If instead you support “Do Not Track” requests, and you want to declare it inside your privacy and cookie policy, please create a new custom clause where you explain how “Do Not Track” requests are handled.
The changes in CalOPPA and what they mean to you, your company and its privacy policy
The changes that AB 370 brought are these:
- (5) Disclose how the operator responds to Web browser Do Not Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
- (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
- (7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
To be clear: this regulation doesn’t require you to respond to Do Not Track browser signals, it merely makes sure you add a disclosing statement into your privacy policy.
The interesting part in CalOPPA’s privacy policy implementation is the enforcement part. It’s enforced via California’s unfair competition law that prohibits unfair business practices with penalties up to $2,500 per violation (for apps this may well be measured in app downloads, mind you, as showcased in the Delta app case).
The “do not track” technology explained & the problems connected to it
The Electronic Frontier Foundation is regularly talking about Do Not Track and the surrounding discussions, developments and problems. Here is an overview post of what Do Not Track is. In a nutshell, a browser sends a Do Not Track HTTP header every time your data is requested from the Web. Firefox, to date, is the browser that supports that technology best.
There are various problems associated with the changes that came into effect on 1/1/2014, one of them being an unclear situation and possible loopholes as outlined by Webpolicy:
- Because we’re third parties, consumers don’t “use or visit” our services.
- The information that we collect is not “about” an “individual consumer”, but rather, related to a browser or device.
- Our data isn’t “personally identifiable information”, it’s just browsing activity and web protocol logs.
- To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
- Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained … in an accessible form”.
Clearly, the most important question for you as a website operator or mobile app developer is what you should do.
How to honor and include Do Not Track in the privacy policy
The next immediate steps are to honor the CalOPPA by disclosing these additional facts:
- if you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy;
- if you respond to DNT in some way, the privacy policy should disclose how you respond to this signal;
- disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
Our Privacy and Cookie Policy Generator offers you a standard clause that you can use to declare you do not support “Do Not Track” requests. You can find it by typing “Do Not Track” in the service search bar.
If instead you support “Do Not Track” requests, and you want to declare it inside your privacy and cookie policy, please create a new custom clause where you explain how “Do Not Track” requests are handled.
If you are unfamiliar with iubenda and our privacy policy approach you should know that:
- we use an international approach to privacy policies (and 8 languages);
- we host the privacy policy for you so you can embed it or link to it;
- we monitor all the major regulations and automatically update our solutions to meet changing requirements so that you don’t have to.
Naturally, we’d like to help you creating a privacy policy for your online service (you can read more about the features and benefits of our compliance solutions here).
