By: Paul Fraidenburgh, Esq.

Web browsers, social networks, and other online services track consumer data to fine-tune the user experience and to facilitate targeted advertising. Those who have searched for an item online, only to find that item mysteriously displayed on other websites they later visit, have knowingly or unknowingly participated in the online tracking phenomenon.

In response to these virtually ubiquitous tracking practices, a number of web browsers and other online services have given consumers the option of activating a Do Not Track (“DNT”) mechanism as they navigate various web applications. The DNT mechanism sends a signal, typically transmitted in the form of an HTTP header, communicating the consumer’s election not to be tracked. However, the mere activation of a DNT signal does not require the operator of a website or service to suspend its tracking practices as to that individual. In fact, consumers have no control over a website operator’s decision to honor – or not to honor – a DNT signal.

On September 27, 2013, Governor Brown signed into law Assembly Bill No. 370, commonly known as the Do Not Track law. AB 370 amended the California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (“CalOPPA”), requiring certain websites and mobile apps to disclose how they respond to DNT signals. Additionally, the amended Section 22575 requires disclosure of whether third parties may collect personally identifiable information (“PII”) in connection with the consumer’s use of the website or online service. Thus, contrary to its nickname, AB 370 is not a law that prevents tracking, but rather a law regulating the transparency of websites and mobile apps in carrying out their tracking practices.

The new Section 22575 does not broaden the class of website operators within CalOPPA’s reach. Like the previous Section 22575, the new law applies only to operators of “commercial” websites or online services that collect PII about California residents who use or visit their website or online service. That means non-commercial website operators are not required to conform their practices to the new law.

AB 370 does not change the fact that CalOPPA’s purported geographical limitations are almost entirely artificial when put into practice. Websites are, by their very nature, widely accessible across borders. Limiting the statute’s scope to websites accessed by California residents should not provide any peace of mind for commercial website operators in other parts of the country. Anyone operating a commercial website that tracks PII or allows third party tracking and that might be accessed by a California resident is now required to adopt a privacy policy that explains how DNT signals are treated.

Developing a new privacy policy may prove challenging, particularly for websites or mobile apps with large, vocal user bases. The transparency required by the amended Section 22575 pressures web-based companies to adopt policies honoring DNT signals. But the Federal Trade Commission has spent the last decade targeting companies in enforcement actions for failing to keep their own privacy promises. The California Attorney General’s failed suit in late 2012 against Delta Airlines for alleged CalOPPA violations also demonstrates the growing threat of enforcement actions arising out of privacy policies. The lesson is clear: be careful what you promise.

Websites and mobile apps are now tasked with making privacy promises that mollify user concerns while avoiding representations that would increase the risk of enforcement actions for failing to uphold a promise to honor DNT signals. Thus, although it is clear that AB 370 increases transparency, it may have the unintended effect of diminishing the promises online companies are willing to make.

Paul Fraidenburgh is an Associate in Buchalter Nemer’s Litigation Practice Group in Orange County. He can be reached at (949) 224-6247 or [email protected].