California’s New Law Could Impact Your Site

A new California law went into effect on January 1st that requires additional privacy disclosures from website owners. The full law can be viewed here: California AB-370, Chapter 390.

The law has huge reach because it applies to every business in the United States that operates a commercial website or online service and collects “personally identifiable information”, which California defines as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.” This means that every website in the US that can be, or might be, accessed from California must comply with this law.

The law goes on to require that all such websites disclose how they “respond to browser ‘do not track’ signals or other mechanisms that provide consumers the ability to ‘exercise choice’ regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services”, if such information is collected. The new law prescribes that operators can comply with this disclosure requirement by “providing a clear and conspicuous hyperlink” contained in the privacy policy that links to a description “of any protocol the operator follows that offers the consumer” the choice to opt out of internet tracking. (emphasis added by me)

Apparently your site doesn’t have to comply with “do not track” headers, but you have to state how your site responds to them.  An appropriate answer (as far as I can tell) is “we don’t comply with ‘do not track’ headers.”

What’s the punishment for not having these statements?  A $2,500 fine.  Better get your privacy policy in order.