What Does the CalOPPA Update Mean To You?

Edit, September 27, 2013: Governor Brown has signed AB370 into law. It is now the law in California.

Original post from Sept. 5 follows:

Last week, California’s State Senate unanimously passed AB370, which, if passed by the Assembly, will add new requirements to the California Online Privacy Protection Act. The California Online Privacy Protection Act (CalOPPA) is the law that requires anyone doing business online in California (therefore pretty much every business online) to post a privacy policy conspicuously on their website, and sets out the requirements of what that privacy policy needs to say.

As it currently stands, CalOPPA has only a few basic requirements. A privacy policy has to:

  • Be posted conspicuously on the website, or be easily accessible from a conspicuous link.
  • Identify the categories of personal information that the service collects.
  • Identify the categories of third parties to whom the service may disclose the collected information.
  • Explain how users can access and modify the collected information, if that is possible.
  • Explain how the service notifies users of material changes to the privacy policy.
  • Post the effective date of the privacy policy.

These requirements may be described in detail or brushed over in a few words, but they have to be in the policy.

New Additions: Do Not Track and Third Party Tracking

If it becomes law, AB370 will add two new requirements to CalOPPA. Both relate to the issue of third party tracking, which I go into in more depth here.

First, the bill requires online service operators to disclose whether or not they honor the user’s “Do Not Track” requests, as well as other mechanisms that allow users to opt out of certain kinds of collection of personal information. In other words, even if a website technically honors “Do Not Track” requests but still finds another way to perform the same tracking function, the website must disclose that in the privacy policy. If, in the future, technology evolves such that “Do Not Track” becomes obsolete, but other tracking methods arise, online services must disclose whether or not they honor users’ requests not to be tracked.

Second, the bill requires online service operators to disclose whether third parties may be tracking the user’s activities on the service. If a third party, such as an advertising service, is tracking the user over time and across different sites, collecting personal information, those sites must let the user know.

What Does This Mean To You?

Nothing, yet. The California State Senate passed the bill unanimously, but it still needs to go to the California Assembly. However, this one has steam, and it’s coming.

If you’re a website operator, a mobile app developer, or a small business with an online presence, these are important changes. You need to check your privacy policy and make sure it addresses both third party tracking and whether or not you respect your users’ requests to opt out. If your site does not permit third party tracking, that’s fine: mention it in the policy. If your site does not respect your users’ Do Not Track requests, that’s fine: put it in the policy.

If you’re a user, this means two things. First, privacy policies may get a little longer. They’ve been getting longer over the years anyway as more legal requirements have necessitated adding sections. Second, privacy policies are about to get a little more interesting, and will let you know who’s watching you and whether or not you can opt out. And that’s never a bad thing.