Under California’s Online Privacy Protection Act (OPPA) of 2003,[1] California law requires commercial websites or online services that obtain personally identifiable information about California consumers to conspicuously post their privacy policies.  “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual.[2]  Accordingly, the definition of “personally identifiable information” is quite broad, and beyond the scope of the security breach notification laws in California and other states.  Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.  Negligent and material violations are sufficient to trigger liability.[3] 

California’s AB 370, which became effective on January 1, adds additional consumer protections concerning the tracking of online behavior.  Online tracking permits advertisers to see and record what websites users view, what they click on, how long they view certain pages, and similar information.  The idea behind this tracking is, in large part, to determine what the user is interested in so that advertisers can deliver more relevant ads to the user and hopefully generate more sales.  Other types of tracking include some advertisers’ ability to view this kind of information when users move from one business’s site to other sites.  Advertisers may be able to aggregate this information in order to create an even more detailed and accurate picture of what a user is interested in seeing.

In response to such tracking of online behavior, the Federal Trade Commission has, in the past, recommended (but not enacted) regulations to facilitate a “do not track” mechanism by which consumers can opt out of this type of behavioral analysis.  The FTC initiative on “do not track” rules appears to be dead for now.  Accordingly, California, as is common with other data and privacy initiatives, has stepped in to legislate where the federal government has left what appears to be a gap. 

In addition, web browser software permits users to create settings to signal to websites that users do not want to be tracked.  Common web browser software, such as Microsoft Internet Explorer, Apple Safari, Google Chrome, and Mozilla Firefox have “do not track” settings that a user can use to indicate a preference not to be tracked.  It remains to be seen whether or not a large percentage of websites honors these settings or not.

AB 370, codified at Business and Professions Code Section 22575(b)(5)-(b)(7), addresses the “do not track” idea by stating that online service providers must disclose in their privacy policies how they respond to “do not track” signals or other mechanisms, such as those described above.  This requirement applies, however, only if the service provider collects personally identifiable information.[4]  Interestingly, the statute does not require service providers to honor “do not track” requests.  Thus, a service provider could comply with the statute simply by saying that it will not honor such requests.  Such a policy may not be good for public relations, but it is compliant.

The statute also requires the service provider to disclose whether or not other parties may collect personally identifiable information over time and across different websites.[5]  This provision concerns third party ad services that track user behavior over time when accessing multiple websites, and not just the service provider’s own website.  As mentioned above, a service provider may hire such third party ad services to gain even more insight into a user’s preferences, not only for the user’s use of the service provider’s site, but also other sites.

Finally, the statute gives online service providers a safe harbor for complying with the requirement to disclose their policies about responding to “do not track” requests.  “An operator may satisfy” this requirement “by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description” of the service provider’s response to a user’s “do not track” setting.[6]

Accordingly, operators of websites collecting personally identifiable information should reexamine their online behavioral practices and make sure their privacy policies account for “do not track” consumer preferences and the collection of tracking information by third party advertising services.  Even website operators outside of California must comply, if they collect personally identifiable information about California residents.[7]  Unless a website has a technical mechanism to prevent the collection of personally identifiable information about California residents, while collecting it about others, which is impractical and highly unlikely, any website of an operator located outside of California will also have to comply.  Also important is the fact that California’s Attorney General takes the position that mobile applications collecting personally identifiable information are covered by OPPA.  Therefore, businesses cannot circumvent the law simply by using a mobile application for their activities instead of a website.

Stephen S. Wu

(650) 917-8045

Partner, Cooke Kobrick & Wu LLP



[1] Cal. Bus. & Prof. Code §§ 22575-22579.

[2] Id. § 22577(a).

[3] Id. § 22576.

[4] Id. § 22575(b)(5).

[5] Id. § 22575(b)(6).

[6] Id. § 22575(b)(7).

[7] See id. § 22577(c) (including within the definition of a website “operator” “any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes”).