
California Takes the Lead – Again – in Online Privacy

3 Dec, 2013 By: Marc Roth

It is often said that as California does, the rest of the country follows. Nowhere is this truer than in the area of Internet privacy. California was the first state to enact a privacy law requiring commercial website operators to post privacy policies on their websites. Now, given the stalemate between privacy advocates and the online advertising industry on developing an acceptable do-not-track standard, California has once again stepped into the breach by requiring companies to disclose in their privacy policies whether or not they honor consumer preferences not to be tracked as they surf the Internet.

In light of this new law, which goes into effect in January 2014, website operators must review their privacy policies (both the documents and their actual policies) to determine whether and to what extent this new law applies to them and revise their policies accordingly or risk prosecution by the California Attorney General (AG).

As background, in 2003 California enacted the California Online Privacy Protection Act (CalOPPA), which requires operators of commercial websites and online services (including apps) that collect personally identifiable information (PII) about individual consumers residing in California to conspicuously post privacy policies on their websites. Specifically, CalOPPA requires each covered operator to identify the categories of PII that it collects through its website or online service about individual users and visitors of its site or service and the categories of third-party persons or entities with whom the operator may share that information. If the operator allows consumers the ability to review and request changes to their information, the operator must provide a description of that process. Last, the operator must describe the process by which it notifies consumers of material changes to its privacy policy.

Also in 2003, California added a provision to its civil code requiring website operators to inform consumers that provide their PII to the operator whether the company shares such information with third parties for marketing purposes. This law, aptly named “Shine the Light,” requires operators that do not allow consumers to opt out of such sharing to provide the consumer, upon request, with the categories of information that they shared, and the names of the companies with whom they shared such information in the prior year.

Ten years later, frustrated by the failure of various advocacy and industry groups to develop a universally workable do-not-track standard, the California legislature sent to the governor’s desk an amendment to CalOPPA that would require each operator to disclose in its privacy policy whether or not the operator honors a consumer’s browser header or signal instruction to not be tracked by third parties as the consumer visits the operator’s website and other sites. AB 370, which Gov. Jerry Brown signed into law in September, does not obligate an operator to honor the consumer instruction but, rather, only to inform consumers whether it honors the instruction.

This new provision of CalOPPA, which goes into effect next month, only applies: (a) where the operator allows third parties to track consumers on the operator’s site; and (b) across other websites, where a third party collects consumer information either directly on the host operator’s site or through an advertising network.

In the event that the California AG’s office finds that a website operator is not complying with these new requirements, it may send the operator a written notice specifying the noncompliant practice and providing an opportunity to cure within 30 days, as permitted by the law. If the operator fails to cure within that period, the state may sue.

California takes its enforcement powers very seriously. There is little doubt that California will continue to vigorously monitor websites and apps for compliance with CalOPPA and, when necessary, send warning notices. Given California’s progressive stance on privacy matters and demonstrated aggressiveness in enforcing its laws, companies that allow third parties to collect consumers’ personal information on or through their sites or online services are well advised to review their privacy policies and relationships with these third parties.

Marc Roth is a partner in the Advertising, Marketing and Media division of Manatt Phelps & Phillips LLP in New York. He can be reached at
