The “Do Not Track” amendment will change how you have to disclose “tracking” under the existing Section 22575 of the Business and Professions Code, which handles privacy disclosures at large (also known as CalOPPA, or even OPPA).
Do Not Track at a glance
“Do Not Track” is information that a browser communicates to a website to say that its user does not want to be “tracked”.
- You need to act when: your (in any way commercial) website or mobile app is operated from California or your users may be consumers residing in California
Our default solution for this is to assume that you do not react to DNT signals, and to indicate this fact on your behalf.
The changes that AB 370 is bringing are these:
- (5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
- (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
The “do not track” technology explained & the problems connected to it
The Electronic Frontier Foundation regularly writes about Do Not Track and the surrounding discussions, developments and problems. Here is an overview post of what Do Not Track is. In a nutshell, a browser sends a Do Not Track HTTP header with every request it makes to the Web. Firefox, to date, is the browser that supports that technology best.
There are various problems associated with the changes coming into effect on 1/1/2014, one of them being an unclear situation and possible loopholes as outlined by Webpolicy:
- Because we’re third parties, consumers don’t “use or visit” our services.
- The information that we collect is not “about” an “individual consumer,” but rather, related to a browser or device.
- Our data isn’t “personally identifiable information,” it’s just browsing activity and web protocol logs.
- To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
- Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained . . . in an accessible form.”
Clearly, Do Not Track is only getting started as an institution in privacy laws and the most important question for you as a website operator or mobile app developer is what you should do.
For now, and until we have a better understanding of the impact of the amendments, the immediate next steps are to honor CalOPPA by disclosing these two additional facts:
- Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service;