Assembly Bill 370 Amends CalOPPA
Additionally, California Attorney General Kamala Harris has taken the public position, sent to the providers of leading mobile applications in October 2012 by way of a Notice of Non-Compliance, that her office would interpret CalOPPA’s application to “online services” to include mobile applications for compliance and enforcement purposes. In light of that position, the newly amended CalOPPA language would effectively also cover mobile apps. The AG’s position and intention to fully enforce CalOPPA as applying to mobile apps is certain, and must be taken into account by businesses developing or providing mobile apps to smartphone customers.
According to the bill’s sponsor and proponents, California’s new tracking disclosure law is designed as one additional step on top of existing California requirements for online privacy policies, and it will bring greater transparency and consumer scrutiny to websites’ practices related to honoring the “Do Not Track” (DNT) preferences of Internet and mobile app users. The bill was sponsored by the California AG’s Office and authored by Assembly Member Al Muratsuchi, a member of the State Assembly’s Committee on Judiciary.
What will AB 370 do to privacy policies?
With the Governor signing AB 370 into law, operators of websites or online services, including mobile apps, used by California residents will need to update their privacy policies. Specifically, AB 370 adds three new provisions to Section 22575(b) of the California Business and Professions Code, as follows:
- Section 22575(b)(5) is a new requirement to disclose how a business’ website or online service “responds to web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party websites or online services.” The online practice of collecting data about consumers “over time and across third-party websites and services” is legislative and regulatory language typically used to describe online behavioral tracking for marketing purposes, including the delivery of targeted online ads to consumers based on their web-browsing behavior. However, as worded, the DNT provisions in this section are not limited to serving targeted ads and encompass companies’ policies on responding to DNT signals, even for a company’s internal product development or research purposes.
- Section 22575(b)(6) is a new requirement to disclose whether third parties may collect on a business’ website or online service “personally identifiable information about an individual consumer’s online activities over time and across different websites.” This provision would require disclosure of whether third parties engaging in online behavioral tracking for a variety of purposes may collect PII through the business’ website or online service.