On September 3, the California legislature passed a bill that would require websites and online services to revise their privacy policies to describe their practices with respect to “do not track” mechanisms and third party data collection through their sites or services.
The bill, AB-370, would amend the California Online Privacy Protection Act (“CalOPPA”), which already requires websites and online services that collect personally identifiable information to post their privacy policies, adding two new obligations.
First, the bill would require an operator to “disclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about . . . their online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”
While “do not track” was an important component of the White House’s Consumer Privacy Bill of Rights and the Federal Trade Commission’s Report on Protecting Consumer Privacy, the World Wide Web Consortium-led effort to bring stakeholders to consensus on a do-not-track standard is currently on life support. Moreover, a number of additional browser-based anti-tracking mechanisms are being considered, which further complicates the do-not-track environment. Thus, if enacted, AB-370 could require covered websites and services to amend their privacy policies frequently as new technologies and standards emerge. Further, while there has been greater consensus in the W3C process that “do not track” signals should be honored in the third-party context than in the first-party context, AB-370 places its disclosure obligation on “websites and online services,” which captures most first parties but not necessarily all third parties. The statute simply is not clear on this point, an ambiguity that may be resolved by guidance from the California Attorney General or in the course of an enforcement action or a challenge to the amendment.
Second, the bill would require an operator to “disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.” This disclosure obligation creates the potential for first parties to be held liable for the practices of third parties. A particular concern for websites and online services will be the absence of safe harbors, such as where the operator has a good-faith belief that there is no third-party data collection, or relies on a third party’s assurance or contractual promise with respect to its practices. In addition, there is no exception for the collection of persistent identifiers for “support for internal operations,” as there is under the FTC’s COPPA Rule. As such, any first party employing third-party advertising, plugins, or other tools will likely need to revise its privacy policy to disclose that PII may be collected by those parties.