By: Scott Hervey

Once again, California leads the nation in passing online privacy consumer protection legislation. On September 30, 2013 Governor Jerry Brown signed into law A.B 370 which adds new provisions to California’s existing Online Privacy Protection Act (Business and Professions Code Section 22575).  These new provisions require the operators of websites, online services and  mobile applications to disclose how they respond to an electronic request not to track an individual consumer’s online activities over time and across different Web sites or online services. According to the bill’s author, Al Muratsuchi, since California passed CalOPPA in 2004, evolving technology and new business practices have raised new privacy concerns, including concerns over online behavioral tracking.

Online behavioral tracking involves the monitoring of an individual across multiple websites, mobile applications and the like to build a profile of behavior and interests.  In 2010, the Federal Trade Commission released a preliminary staff report, Protecting Consumer Privacy in an Era of Rapid Change, that endorsed the concept of a user friendly Do Not Track system in which a consumer would indicate his or her desire not to be tracked through their browser.  Subsequent to the FTC  report, all major browsers incorporated a Do Not Track feature which signals to websites an individual’s choice not to be tracked.  Despite this fact, as of the date of the bill’s drafting, according to the California Attorney General’s Office, only 20 Web sites, most of which are not commonly known with the exception of Twitter, honored Do Not Track signals.  

CalOPPA requires any businesses that operates a websites or other online services – including mobile applications – that collects personally identifiable information through the Internet about California residents to maintain a privacy policy that identifies the categories of personally identifiable information it collects and all 3rd parties with whom it shares the information, and to conspicuously post its privacy policy on its website or online service.  A.B. 370 adds three  new sub-sections to Section 22575.  Now, any website, online services, mobile site or application that collects online information from California residents (which basically means, every website on the Internet) must have a privacy policy which provides the following information:

(1) how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.  The operator may satisfy this requirement o by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.


(2) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.

Operators of websites, online services and mobile applications that are used by California residents must have their privacy policies reviewed and, as applicable. updated in order to comply with this new law.  Those who do not comply with the new CalOPPA provisions risk civil suits, including prosecution from the California Attorney General for unfair business practices.