In August 2013, both the California State Assembly and Senate unanimously passed AB 370, an amendment to CalOPPA. The bill amends the privacy policy disclosure requirements so that companies need to disclose within their privacy policies:
- How they will respond to a Web browser signal such as Do Not Track (DNT) or other mechanism that provides consumers with the ability to exercise choice, or
- Whether third parties collect data through the website or online service.
Who Does California AB 370 Apply To?
AB 370 applies to companies that collect personally identifiable information (PII) about individual California consumers’ online activity over time and across third party websites or online services, or allow other parties to do this.
The bill is currently awaiting the governor’s signature. If the governor does not veto it by October 13, 2013, AB 370 will become law on January 1, 2014. TRUSTe will update its program requirements later this year to reflect the requirements of the updated law.
Companies need to ensure that the disclosure made around how they will respond to a DNT or other preference signal is accurate. Companies will also need to understand their practices from a couple of different angles:
- The role the company plays in relation to the data it collects. Is data being collected as a first party, meaning you have a direct relationship with the consumer, or as a third party? The role that you play will affect what you will need to disclose in your privacy policy.
- The purpose of collecting data or allowing third parties to collect data. The context in which the data is being collected will affect how you will respond to a DNT or other preference signal and what is disclosed in your privacy policy.
When assessing your company’s obligations under AB 370, remember that under CalOPPA, personally identifiable information is a defined term that includes identifiers that permit physical or online contact with an individual.
In addition, remember that the California AG’s office has previously stated that CalOPPA, and thus the new AB 370, applies to mobile applications as well as traditional web sites.
It is important to understand your company’s role, and the purposes for which you or third parties integrated into your website or online service collect data. This will help you make sure your privacy policy disclosures accurately reflect your practices.
In the coming months TRUSTe will notify clients of the updates to its certification program requirements, and work together with our clients to help them comply.
If you need help preparing to comply, a TRUSTe website scan can help identify the third parties collecting data through your website. Contact your Account Executive to learn more about how TRUSTe can help.