- A description of the categories of PII that the operator collects, as well as the categories of third parties with whom such PII may be shared;
- A description of the process maintained by the operator that allows an end user to review and request changes to any of his or her PII that is collected;
Additional Disclosures Required by AB370
In addition to the disclosures set forth above, AB370 introduces the following disclosure obligations for operators:
- To the extent that an operator engages in the collection of PII about an individual’s online activities over time and across third party websites or online services, such operator must disclose how it responds to web browser “do not track” (“DNT”) signals or other mechanisms that provide consumers with the ability to exercise choice regarding the collection of such PII; and
- An operator must disclose whether third parties may collect PII about an individual over time and across different websites when an individual uses the operator’s website or online service.
What it Means for You
The State of California has previously taken the position that operators that fail to comply with the requirements of CalOPPA will be issued a warning, coupled with a 30-day cure period in which to comply. Those operators failing to comply with such requirements within such 30-day period will be deemed in violation and may be fined heavily under California’s Unfair Competition Law.
Compliance with these new disclosure requirements poses significant challenges to operators. Despite the efforts of industry groups such as the World Wide Web Consortium’s Tracking Protection Working Group, no clear industry standard has yet to be established in order to guide operators in their identification of and response to DNT signals or other mechanisms now regulated under CalOPPA. Additionally, the lack of standard protocols transcends further to the actual technology. For example, although web browsers have now generally implemented DNT functionality for end users, these features vary from browser to browser, further complicating operators’ compliance efforts.
The DigitalHHR team has received numerous inquires regarding the implications of AB370 and continues to monitor the latest developments surrounding this constantly evolving discussion. Despite the uncertainty, operators of websites and online services should review their privacy practices and policies immediately in order to assess whether revisions are necessary in order to comply with AB370. If you have any questions, please feel free to reach out to us.