New California Do Not Track Law Affects Online Marketers

Act-On

California’s Governor Jerry Brown has approved “Cal AB 370,” the world’s first legislation to directly address the “do not track” (DNT) issue.

The first thing for marketers to know is that this is a disclosure law, not a law creating new consumer rights or imposing substantive requirements on companies.

But AB 370 does amend California’s existing Online Privacy Protection Act (“CalOPPA”) by requiring website operators to explain how they respond to DNT signals or “other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.” There have been discussions about federal DNT legislation, but with this legislation California is setting a new nationwide disclosure standard, to take effect in January.

Disclaimer: This information is provided as a discussion of how Cal AB 370 may affect marketers, and is not to be considered or perceived as legal advice. Every organization may be affected differently; we encourage you to seek legal counsel before taking action.

Who is affected?

Virtually all online marketers are affected, unless they do not gather information from visitors themselves or allow anyone else to access their site for that purpose – or don’t gather it from visitors residing in California. CalOPPA applies to any website, online service or (according to the California Attorney General) mobile application that collects personally identifiable information from “consumers residing in California” (each, a “Site”), and therefore this amendment affects all websites and online services, including mobile.

What does it mean in plain English?

It means you will need to adhere to new, higher standards when you collect “personally identifiable information” (PII) from people on your website or online service, regardless of what kind of device they use to access it. You need to add language to your privacy policy that addresses two key issues:

Disclose whether you respond to DNT signals. You will need to explain in your privacy policy whether your company responds to DNT signals (or any other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII).

  • Note that the law requires only a disclosure. If your site engages in activities triggering the required disclosure, do you do anything in response to the DNT:1 header? If not, say so.
  • If, on the other hand, you do something in response to receipt of a DNT:1 header, say exactly what you do (e.g., do you continue to collect data, but stop the creation of profiles for online behavioral advertising purposes?).
  • This disclosure could be a link to information located someplace else.

Disclose whether third parties have access to PII on your site.

  • The bill requires you to disclose whether third parties may collect personally identifiable information when a consumer uses your web site or service. Examples of such third parties could include (but are not limited to) your business channel partners, marketing/advertising agencies working on your behalf, government agencies, or a research group you hire to analyze your data.

Things to consider

Yes, you could try to identify California visitors and treat them differently, but that’s not foolproof. You’re better off implementing the changes for all visitors.

The new law adds requirements affecting how companies respond to Do Not Track mechanisms – but there is not yet an industry-accepted definition of Do Not Track. For now, the recommendation is to be as factual as possible, and avoid promising something you cannot honor (if only because it is not finally defined).