California has signed into law AB 370, which is commonly known as the website Do Not Track Law. There are a number of misconceptions about the law, partly due to this moniker. So let us review a few issues and what the law does and does not do.

Change to the law. AB 370 modifies California Business and Professions Code Section 22575.

Who the law applies to. There are four requirements for the law to apply.

  • First, you have a commercial website or online service.
  • Second, you collect personally identifiable information through the Internet.
  • Third, the information you collect is from individual consumers.
  • Fourth, the consumers reside in California.

As we break down these requirements, it becomes apparent who the law does not apply to. A noncommercial website does not need to follow the law. If you do not collect personally identifiable information, the law does not apply. At this point an IP address, which almost all web hosts collect, should not be considered personally identifiable information. But this may change in the future due to advances in technological tracking or because devices and IP numbers become static and associated with a person. If you collect information but it is not about individual consumers, the law does not apply. A business-to-business service may be excluded.

What the law requires. California law has long required that you have a privacy policy. The new law adds disclosures that must be made in your privacy policy.

First, you must disclose how you respond to “do not track” requests from a person’s web browser. Note: the law does not require that you adhere to any do not track request. You can track all you want. You just need to disclose your policy.

This is probably the biggest misperception about the “Do Not Track” law, since it does not prohibit any tracking at all. What it does do is require a disclosure informing consumers you are going to ignore any do not track requests in a web browser and track them anyway.

You also need to disclose if you allow third parties to collect personally identifiable information over time and across different websites. Essentially, this covers tracking cookies: if a person visited your site about sports cards and then later visits a sports blog, your ad may appear there, since it is known the person had an interest in your site.

This may be the most difficult aspect of the law to follow, since you are expected to know the policies of third-party companies. Those third-party advertisers and marketers may not fully, or not accurately (!), disclose their policies to you. As a result, if there is an ambiguity and a place where responsible website owners could still find themselves the subject of government action, this is it.

 
