In 2003 the California legislature enacted §22575 of the Business and Professions Code into law. It was the first state law that required a website to post a privacy policy. However, the Internet ecosystem has changed since 2003. Facebook has come into existence, and the “behavioral advertising” industry has developed into a multi-billion-dollar-a-year exercise. As a result, two new disclosure requirements have been added to §22575. Consequently, all commercial entities that collect PII from consumers in California will need to re-evaluate their underlying technology and privacy policies for compliance.

Prior Requirements

This lack of transparency regarding the use of PII led the California legislature to update §22575. Now all privacy policies have to disclose: 1) how a site responds to “Do Not Track” (“DNT”) browser signals, and 2) whether third parties can conduct behavioral tracking via the website.

New Disclosure #1: Response to “Do Not Track” Signals

“Do not track” refers to a standards initiative by which browser settings can be used to send a signal to the advertising networks integrated into sites, indicating that the user of the browser does not wish to have their browsing habits tracked across websites over time.

All the major browser companies have incorporated DNT signal recognition into the latest releases of their browsers. However, there is no consistent deployment of this technology with regard to defaults or use cases. Since most persistent technology embedded in a browser (e.g. cookies) can be used to observe browsing habits over time, careful evaluation of what technology a site uses, and how it is used, is necessary to determine if the new section’s requirements are triggered.

Since the statute also applies to “online services,” mobile app developers and any other business that provides a service accessible via a computer or smartphone are going to be required to provide notice as well. A careful review of current policy disclosures and of any technology embedded in the site will need to occur, primarily because all websites and online services use technology which may be used to track users. Consequently, to ensure compliance with the new section, all privacy policies should include a statement indicating whether or not an operator actually allows the consumer to exercise choice.

New Disclosure #2: Third-Party Behavioral Tracking

Along with the new DNT requirement, the privacy policy also must disclose whether or not third parties can collect PII for purposes of behavioral targeting when a consumer uses a website or online service. This is an intrinsic activity for many websites and online services, especially those supported by advertising.

Because of the nature of third-party use, it will become increasingly difficult for an operator to provide notice of use of PII by a third party when the operator does not know how – or for what purposes – the third party is using the data. Additionally, such use may change over time.

Given the variability of business and technology models underlying most websites and online services, website owners need competent counsel to help them navigate through a careful drafting process and to ensure adequate disclosures are included in their privacy policy.