The Do Not Track amendment changes the existing Section 22575 of the Business and Professions Code, which handles privacy disclosures at large (also known as CalOPPA, or OPPA), with regard to how you have to disclose “tracking”.
CCPA and CalOPPA
The California Consumer Privacy Act (CCPA) is California’s newest privacy law aimed at enhancing consumer privacy rights for residents of California, United States. The law is set to become effective on January 1st, 2020, and to become fully enforceable on July 1st, 2020.
CalOPPA has not been repealed by the CCPA and still applies. This is something to take note of even if the CCPA definition of “business” does not apply to you, as you may still need to comply with CalOPPA, or both laws may be applicable to you.
Read our CCPA guide to find out when it applies, the consumer’s rights, the consequences of non-compliance and how to comply.
Do Not Track at a glance
Do Not Track is a signal that a browser communicates to a website to indicate that the user does not want to be “tracked”.
- You need to act when:
  - your (in any way commercial) website or mobile app is operated from California, or
  - your users may be consumers residing in California.
Our default solution assumes that you do not react to DNT signals and indicates this fact for you.
The changes that AB 370 brought are these:
- (5) Disclose how the operator responds to Web browser Do Not Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
- (6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
The “do not track” technology explained & the problems connected to it
The Electronic Frontier Foundation regularly writes about Do Not Track and the surrounding discussions, developments and problems, including an overview post on what Do Not Track is. In a nutshell, a browser with Do Not Track enabled sends a Do Not Track HTTP header with every request it makes to the Web. Firefox, to date, is the browser that supports that technology best.
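One way an operator could act on the header described above, as an added example that is not part of the original article: a Python WSGI middleware that parses `DNT`, withholds a third-party script when the value is `1`, and sets `Vary: DNT` so shared caches do not serve one visitor's variant to another. The `privacy.third_party_ok` key, the `analytics.example` URL and the policy of treating an absent or malformed header as "no preference" are assumptions.

```python
# Added example: WSGI middleware that reads the DNT request header.
# The environ key and the analytics URL are hypothetical placeholders.
from wsgiref.util import setup_testing_defaults

TRACKER_TAG = b'<script src="https://analytics.example/t.js"></script>'

def parse_dnt(environ):
    """Return True (do not track), False (tracking allowed), None (no/invalid preference)."""
    raw = environ.get("HTTP_DNT", "").strip()
    # Only the first character is inspected, so trailing characters are tolerated.
    if raw[:1] == "1":
        return True
    if raw[:1] == "0":
        return False
    return None

class DNTMiddleware:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # Policy assumption: only an explicit DNT: 1 suppresses third-party trackers.
        environ["privacy.third_party_ok"] = parse_dnt(environ) is not True

        def start(status, headers, exc_info=None):
            # The body differs per DNT value, so shared caches must key on it.
            return start_response(status, list(headers) + [("Vary", "DNT")], exc_info)

        return self.app(environ, start)

def page(environ, start_response):
    """Demo application: embeds the third-party tag only when the middleware allows it."""
    body = b"<html><body><h1>Hello</h1>"
    if environ["privacy.third_party_ok"]:
        body += TRACKER_TAG
    body += b"</body></html>"
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]

def render(dnt=None):
    """Run one constructed request through the stack; return (headers, body)."""
    environ, captured = {}, {}
    setup_testing_defaults(environ)
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    sr = lambda status, headers, exc_info=None: captured.update(headers=headers)
    body = b"".join(DNTMiddleware(page)(environ, sr))
    return captured["headers"], body
```

Whatever behaviour is chosen here is what the privacy policy has to describe under item (5) of AB 370.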
There are various problems associated with the changes that came into effect on 1/1/2014, one of them being an unclear situation and possible loopholes as outlined by Webpolicy:
- Because we’re third parties, consumers don’t “use or visit” our services.
- The information that we collect is not “about” an “individual consumer”, but rather, related to a browser or device.
- Our data isn’t “personally identifiable information”, it’s just browsing activity and web protocol logs.
- To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
- Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained … in an accessible form”.
Clearly, the most important question for you as a website operator or mobile app developer is what you should do.
The next immediate steps are to honor CalOPPA by disclosing these additional facts:
- disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
- we use an international approach to privacy policies (and 8 languages);