California Beefs Up Online Privacy Laws

Posted October 10, 2013 in Internet Law by

Man with binoculars at computer

Wavebreak Media/Thinkstock

California passed amendments recently to strengthen its Online Privacy Protection Act, a move that will have implications for Internet sites hosted across the globe.

The updates to the law pertain to what commercial websites and online services are required to disclose in their privacy policies. Specifically, sites must detail how they respond to “Do Not Track” settings in web browsers, and they must specify whether third parties can access any personal information they collect.

Because the law applies to all residents of California and is enforceable even outside state borders, it effectively compels all commercial sites no matter where they are located to update their policies to provide the proper disclosures.

The original privacy act passed in 2003 and mandated that privacy policies disclose what information a website collects and how it is shared, among other stipulations. In order to be covered by the law, a site must collect personal identifying information, which includes name, address, email address, telephone number, social security number or any other data that could allow someone to be contacted.

The updated legislation claims that it aims to “increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps [and] will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal [which] will allow the consumer to make an informed decision about their use of the website or service.”

Companies have until Jan. 1 to update their privacy policies, or risk action by the attorney general.

The state also passed several other privacy-related laws, including requiring that sites give full disclosure as to how to remove personal content, and restricting alcohol, firearm and tobacco advertising to minors. The governor also signed a bill that expands the scope of personal information covered by the breach notification law, under which companies must alert consumers if their data has been compromised.


Do Not Track? Do Not Bother

The updated law highlights a fact that many Internet users may not be aware of: The “Do Not Track” settings on browsers are nonbinding and websites are under no obligation whatsoever to honor them. In order to truly avoid the tireless eye of web advertising it is necessary to use a third party program to actively block cookies, supercookies, fingerprints and all the other nefarious ways that companies tail people’s every cybermove.

The updated law in California does nothing to force advertisers to honor do no track requests — but at least it makes them tell you if they honor them or not.

Catherine D. Meyer

Catherine D. Meyer

“It doesn’t require that you do anything, it just requires disclosure,” says Catherine D. Meyer, senior counsel at Pillsbury Law. “You could collect every single piece of information about an individual and publish it in the New York Times, and as long as you disclose it in the privacy policy you’re okay.”

The upshot is that websites and apps will need to add a couple lines to their policies if they plan on selling to or tracking people who live in California — which effectively means nearly every commercial site in the world.

“California views that as enforceable nationwide and internationally,” Meyer says. “There are a significant number of cases that address when there is a privacy or health and safety concern and the statute is aimed at protecting the residents of a state, those kinds of laws can be enforced outside the state.”

Tagged as: , ,