In September, Assembly Bill No. 370 brought “Do Not Track” into California’s online privacy laws. These changes take effect for Californian websites on January 1st, 2014. As the introduction to the Bill outlines, commercial websites (mobile apps included) are required to have a privacy policy posted:

Existing law requires an operator of a commercial Internet Web site or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service to conspicuously post its privacy policy on its Web site or online service and to comply with that policy. Existing law, among other things, requires that the privacy policy identify the categories of personally identifiable information that the operator collects about individual consumers who use or visit its Web site or online service and 3rd parties with whom the operator shares the information.

The “Do Not Track” amendment now changes how you have to disclose “tracking”. It amends the existing Section 22575 of the Business and Professions Code, which handles privacy disclosures at large (also known as CalOPPA, or even OPPA).

Do Not Track at a glance

“Do Not Track” is a signal that a browser communicates to a website, indicating that the user does not want to be “tracked”.

  • If you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy;
  • If you respond to DNT in some way, the privacy policy should disclose how you respond to this signal;
  • You need to act when your (in any way commercial) website or mobile app is operated from California, or your users may be consumers residing in California.

Our default solution is to assume that you do not react to DNT signals and to indicate this fact for you.

If you have an existing privacy policy that you are fairly certain holds up with the prior requirements, consider adding the above facts to it and updating it beginning January 1st, 2014.

The changes in CalOPPA and what they mean to you, your company and its privacy policy

The changes that AB 370 is bringing are these:

  • (5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
  • (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
  • (7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

To be clear: this new regulation doesn’t require you to respond to Do Not Track browser signals; it merely makes sure you add a disclosure statement to your privacy policy.

The “do not track” technology explained & the problems connected to it

The Electronic Frontier Foundation regularly covers Do Not Track and the surrounding discussions, developments and problems. Here is an overview post of what Do Not Track is. In a nutshell, a browser sends a Do Not Track HTTP header with every request it makes to the Web. Firefox, to date, is the browser that supports that technology best.

There are various problems associated with the changes coming into effect on 1/1/2014, one of them being an unclear situation and possible loopholes as outlined by Webpolicy:

  • Because we’re third parties, consumers don’t “use or visit” our services.
  • The information that we collect is not “about” an “individual consumer,” but rather, related to a browser or device.
  • Our data isn’t “personally identifiable information,” it’s just browsing activity and web protocol logs.
  • To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
  • Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained . . . in an accessible form.”

Clearly, Do Not Track is only getting started as an institution in privacy laws and the most important question for you as a website operator or mobile app developer is what you should do.

How to honor and include Do Not Track in the privacy policy

For now, and until we have a better understanding of the impact of the amendments, the next immediate steps are to comply with CalOPPA by disclosing these two additional facts:

1)

  • If you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy;
  • If you respond to DNT in some way, the privacy policy should disclose how you respond to this signal;

2)

  • Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service;

Our standard way of handling the situation is to include a sentence like “we do not honor Do Not Track requests” in the appropriate section of our privacy policies. If you are unfamiliar with iubenda and our privacy policy approach, you should know that:

  • we take an international approach to privacy policies (in 5 languages)
  • we host the privacy policy for you so you can embed it or link to it
  • we update the privacy policy in cases like “Do Not Track” and push it to all existing policies automatically (yours)

Naturally, we’d like to help you create a privacy policy for your online service. Read more about iubenda here.





About Us

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app
www.iubenda.com
