On September 3, the California legislature passed a bill that would require websites and online services to revise their privacy policies to describe their practices with respect to “do not track” mechanisms and third party data collection through their sites or services.
The bill, AB-370, would amend the California Online Privacy Protection Act (“CalOPPA”), which already requires websites and online services that collect personally identifiable information to post their privacy policies, adding two new obligations.
First, the bill would require an operator to “disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about . . . their online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
While “do not track” was an important component of the White House’s Consumer Privacy Bill of Rights and the Federal Trade Commission’s Report on Protecting Consumer Privacy, the World Wide Web Consortium-led effort to bring stakeholders to consensus on a do not track standard is currently on life-support. Moreover, a number of additional browser-based anti-tracking mechanisms are being considered, which further complicates the do-not-track environment. Thus, if enacted, AB-370 could require covered websites and services to frequently amend their privacy policies as new technologies and standards emerge. Further, while there has been greater consensus in the W3C process that “do not track” signals should be honored in the third-party context than the first-party context, AB 370 places a disclosure obligation on ”websites and online services,” meaning most first parties, but not necessarily all third parties. The statute simply is not clear on this point – an ambiguity that may be cleared up with guidance from the California Attorney General or as part of an enforcement action or challenge to the amendment.