In late 2013, an amendment (AB-370) was made to the California Online Privacy Protection Act (“CalOPPA”) — specifically to Section 22575(b) of the Business and Professions Code — that affects operators of commercial websites and online services that collect personally identifiable information (PII).
Quoting from the website California Legislative Information:
AB-370 became effective January 1, 2014. This document was written to assist in understanding what is required for compliance, penalties for noncompliance and an introduction to technologies involved.
WHAT ARE “DO NOT TRACK” SIGNALS?
Many, but not all, browsers provide users with a Do Not Track (DNT) privacy preference. When a user activates “do not track,” the browser sends a DNT signal (an HTTP request header) to the site server with each request. The website operator may act on this signal; if the site supports the DNT feature, it stops collecting tracking data from that browser.
For websites that support the DNT signal, there is currently no standard for what “disabling tracking” means. Some websites disable all tracking. Others disable only targeted advertising, serving generic advertisements instead while continuing to track so the data can be used for other purposes. Still others block tracking by other websites yet continue to track how users use their own site.
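The following is an added example, not code from the Intouch POV or from any of the vendors it names. It shows how a site operator can read the browser's DNT request header and apply one of the three response policies described above, since there is no single standard for what honoring DNT means. The policy mode names, the tag URLs and the `TrackingDecision` structure are this example's own assumptions; the `DNT` request header and the `Tk` response header are from the W3C Tracking Preference Expression specification.

```python
"""Server-side handling of the browser Do Not Track (DNT) signal.

Added example (assumed names throughout): reads the DNT request header and
decides which tracking tags a page may include under one of three operator
policies, each matching one of the behaviours described in the POV.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping


def dnt_requested(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries DNT: 1 (header name is case-insensitive).

    "1" means the user opted out of tracking, "0" means explicit consent,
    and an absent header means no preference was expressed.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


# Operator policy modes (names are this example's own, not standard terms).
DISABLE_ALL = "disable_all"                    # stop all tracking
DISABLE_TARGETED_ADS = "disable_targeted_ads"  # generic ads; other tracking continues
DISABLE_THIRD_PARTY = "disable_third_party"    # drop third-party tags; keep first-party analytics


@dataclass
class TrackingDecision:
    first_party_analytics: bool
    third_party_tags: bool
    targeted_ads: bool
    tk_header: str  # value for the W3C "Tk" response header: "N" not tracking, "T" tracking


def tracking_policy(headers: Mapping[str, str], mode: str) -> TrackingDecision:
    """Map the DNT signal plus the operator's chosen mode to a concrete decision."""
    if not dnt_requested(headers):
        # No opt-out: everything the site normally does stays enabled.
        return TrackingDecision(True, True, True, "T")
    if mode == DISABLE_ALL:
        return TrackingDecision(False, False, False, "N")
    if mode == DISABLE_TARGETED_ADS:
        # Tracking continues for other purposes, so the honest Tk value is still "T".
        return TrackingDecision(True, True, False, "T")
    if mode == DISABLE_THIRD_PARTY:
        return TrackingDecision(True, False, False, "T")
    raise ValueError(f"unknown DNT policy mode: {mode!r}")


# Hypothetical tag URLs for illustration only.
FIRST_PARTY_ANALYTICS_TAG = "/static/analytics.js"
THIRD_PARTY_ANALYTICS_TAG = "https://analytics.example/tag.js"
TARGETED_AD_TAG = "https://ads.example/tag.js?targeted=1"
GENERIC_AD_TAG = "https://ads.example/tag.js?targeted=0"


def page_tags(decision: TrackingDecision) -> List[str]:
    """Return the script URLs a page may include under the given decision."""
    tags: List[str] = []
    if decision.first_party_analytics:
        tags.append(FIRST_PARTY_ANALYTICS_TAG)
    if decision.third_party_tags:
        tags.append(THIRD_PARTY_ANALYTICS_TAG)
        # Serve generic ads when targeting is off but third-party tags are allowed.
        tags.append(TARGETED_AD_TAG if decision.targeted_ads else GENERIC_AD_TAG)
    return tags


def response_headers(decision: TrackingDecision) -> Dict[str, str]:
    """Tell the browser what the server did with its preference."""
    return {"Tk": decision.tk_header}


if __name__ == "__main__":
    # Constructed sample request headers.
    opted_out = {"User-Agent": "ExampleBrowser/1.0", "DNT": "1"}
    for mode in (DISABLE_ALL, DISABLE_TARGETED_ADS, DISABLE_THIRD_PARTY):
        decision = tracking_policy(opted_out, mode)
        print(mode, response_headers(decision), page_tags(decision))
```

Whichever mode an operator chooses, the privacy policy must describe it: the amendment does not require honoring the signal, only accurate disclosure of what the site does with it, so the code path and the policy text should be reviewed together.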
WHAT THIS MEANS TO PHARMA
Intouch Solutions believes that any U.S. pharma site or online service with non-restricted access which has tracking implemented through a third party — such as Omniture, WebTrends or DoubleClick — is subject to this regulation.
The National Institute of Standards and Technology (NIST) has a broad definition of PII related to this bill. In addition to the more standard classifications such as name, address, phone number, SSN, etc., NIST has included tracking information like IP addresses or media access control addresses as identifiable information.
To be clear, the CalOPPA AB-370 amendment does not require website operators to comply with DNT signals; rather, it requires the disclosure of whether the website complies with DNT signals or not. Therefore, all privacy policies associated with websites and online services subject to AB-370 should be surveyed for current compliance or identification of elements that are missing or may need modification to achieve compliance.
Foley & Lardner LLP provided the following best practice guidelines for surveying privacy policies for DNT compliance. Examples of privacy policies with features of AB-370 compliance are included on the last page of this POV.
- “Identify the tracking mechanisms in place on its websites and online services, including (a) the specific types of personal information collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and whether the operator will honor the user’s choice. The list should include the tracking mechanisms used by the operator itself, as well as any tracking mechanisms placed by third parties, including advertisers and analytics services.
- “Identify any other mechanisms that collect personal information from users, including social media plug-ins. While the changes to CalOPPA do not necessarily target these kinds of data collection mechanisms, operators should consider disclosing them to users in their privacy policies.”
Finally, Intouch recommends that clients and their agencies establish a process for ongoing review of their privacy policies, with updates as needed, because future website changes may affect compliance with AB-370.
WHAT HAPPENS IF MY WEBSITE IS NOT IN COMPLIANCE?
While fines for noncompliance with CalOPPA can be up to $2,500 per violation, there is speculation surrounding what constitutes a violation. The California Attorney General issued a letter in Oct. 2012 to mobile application developers that gave some indication of what is considered a violation, stating, “Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.” As specified in the letter and within CalOPPA Sec. 22575(b), operators are given 30 days from notification of noncompliance to post privacy policies that meet the CalOPPA requirements before being considered in violation.
© Intouch Solutions 2014
Author: Frank Bridges, Technology Strategist
- AB-370 Consumers: internet privacy: http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370
- Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance
- Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
DNT NOT SUPPORTED: CNN.COM
CNN does not support DNT.
DNT SUPPORTED: TWITTER.COM
Twitter supports DNT and provides links to both management of ads in the user account and instructions on enabling DNT within a select number of browsers.
- “Third-Parties: Twitter uses a variety of third-party services to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These third-party service providers may collect information sent by your browser as part of a web page request, such as cookies or your IP address. Third-party ad partners may share information with us, like a browser cookie ID or cryptographic hash of a common account identifier (such as an email address), to help us measure ad quality and tailor ads. For example, this allows us to display ads about things you may have already shown interest in. If you prefer, you can turn off tailored ads in your privacy settings so that your account is not matched to information shared by ad partners for tailoring ads. Learn more about this setting and your additional Do Not Track browser option here.”
DNT NOT SUPPORTED/THIRD-PARTY PII LINKS: FITBIT.COM
Fitbit does not support DNT but does provide information and links to the privacy policies and settings pages of third-party partners that do collect PII.
- “We use search and display advertising so you can find opportunities to purchase Fitbit products and retargeting cookies to present you with Fitbit advertising on other sites based on your interaction on our website. We believe that consumers should exercise choice regarding the collection of personally identifiable information, which is why we disclose the cookies used on our website and provide links to opt-out of those collection practices. Although we would like to honor those browsers that are set with a Do Not Track signal, at the present time we are unable to honor those signals.
- AppNexus — The AppNexus Cookies page provides information about their cookie and gives you the option to opt out of this program.
- DataXu — The DataXu Data Collection for our Platform page explains their privacy practices and gives you the option to opt out of this program.
- Google Adwords Conversion — You can adjust the Google Ads Settings and opt-out of this program.”