Menu Icon
Menu Icon


New CA “Do Not Track” Policy will Likely Require Revision to Your Digital Privacy Policy

Frank Bridges

Posted by

In late 2013, an amendment (AB-370) was made to the California Online Privacy Protection Act (“CalOPPA”) — specifically to Section 22575(b) of the Business and Professions Code — that affects operators of commercial websites and online services that collect personally identifiable information (PII).

Quoting from the website California Legislative Information:

 “This bill would require an operator to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different Web sites or online services. The bill would require the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s Web site or service.”

AB-370 became effective January 1, 2014. This document was written to assist in understanding what is required for compliance, penalties for noncompliance and an introduction to technologies involved.

Many, but not all, browsers provide users with a Do Not Track (DNT) privacy preference. When “do not track” is activated by a user, their browser sends a DNT signal to the site server. This signal may be utilized by the website operator, and the receipt of browser-data is terminated if the website supports the DNT feature.

For websites that support a DNT signal, currently there is no standard for disabling the tracking. Some websites may disable all tracking. Others may disable only targeted advertising, providing users with generic advertisements instead and continuing to track in order to use the data for other purposes. Yet others may disable tracking by other websites, yet still track how users utilize their own site.

Intouch Solutions believes that any U.S. pharma site or online service with non-restricted access which has tracking implemented through a third party — such as Omniture, WebTrends or DoubleClick — is subject to this regulation.

The National Institute of Standards and Technology (NIST) has a broad definition of PII related to this bill. In addition to the more standard classifications such as name, address, phone number, SSN, etc., NIST has included tracking information like IP addresses or media access control addresses as identifiable information.

To be clear, the CalOPPA AB-370 amendment does not require website operators to comply with DNT signals; rather, it requires the disclosure of whether the website complies with DNT signals or not. Therefore, all privacy policies associated with websites and online services subject to AB-370 should be surveyed for current compliance or identification of elements that are missing or may need modification to achieve compliance.

Foley & Lardner LLP provided the following best practice guidelines when surveying privacy policies for DNT compliance. Examples of privacy policies with features of AB-370 compliance are included on last page of this POV. 

  1. “Identify the tracking mechanisms in place on its websites and online services, including (a) the specific types of personal information collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and whether the operator will honor the user’s choice. The list should include the tracking mechanisms used by the operator itself, as well as any tracking mechanisms placed by third parties, including advertisers and analytics services.
  2.  “In the case of tracking mechanisms employed by third parties, operators should determine whether the mechanism collects personal information about users. Even if the mechanisms do not collect personal information, the operator may want to identify the mechanisms in its privacy policy in case the third party operator combines the tracking data with personal information about users it has collected from another source.
  3. “Identify any other mechanisms that collect personal information from users, including social media plug ins. While the changes to CalOPPA do not necessarily target these kinds of data collection mechanisms, operators should consider disclosing them to users in their privacy policies.
  4. “Incorporate the information identified above into the disclosures of the website’s privacy policy, including the information collected from users in the context of tracking website activity, and how the user can opt-out of the collection of that information and/or receiving targeted advertising based on the tracking information.”

Finally, Intouch recommends clients and their agencies establish a process for ongoing reviews and — as needed — updates to privacy policies as it relates to future website changes that may affect compliance with AB-370.

For examples of privacy policy language that supports DNT, does not support DNT and addresses the issue of third-party links, see the appendix of this document.

While fines for noncompliance with CalOPPA can be up to $2,500 per violation, there is speculation surrounding what constitutes a violation. The California Attorney General issued a letter in Oct. 2012 to mobile application developers that gave some indication of what is considered a violation, stating, “Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.” As specified in the letter and within CalOPPA Sec. 22575(b), operators are given 30 days from notification of noncompliance to post privacy policies that meet the CalOPPA requirements before being considered in violation.

© Intouch Solutions 2014
Author: Frank Bridges, Technology Strategist



CNN does not support DNT.

  •  “At this time sites on the Turner Network do not recognize automated browser signals regarding tracking mechanisms, which may include ‘do not track’ instructions. However, you can change your privacy preferences regarding the use of cookies and similar technologies through your browser. You may set your browser to accept all cookies, block certain cookies, require your consent before a cookie is placed in your browser, or block all cookies. Blocking all cookies will affect your online experience and may prevent you from enjoying the full features offered at Turner Network sites. Please consult the ‘Help’ section of your browser for more information.”

Twitter supports DNT and provides links to both management of ads in the user account and instructions on enabling DNT within a select number of browsers.

  •  “Third-Parties: Twitter uses a variety of third-party services to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These third-party service providers may collect information sent by your browser as part of a web page request, such as cookies or your IP address. Third-party ad partners may share information with us, like a browser cookie ID or cryptographic hash of a common account identifier (such as an email address), to help us measure ad quality and tailor ads. For example, this allows us to display ads about things you may have already shown interest in. If you prefer, you can turn off tailored ads in your privacy settings so that your account is not matched to information shared by ad partners for tailoring ads. Learn more about this setting and your additional Do Not Track browser option here.”

FitBit does not support DNT but does provide information and links to privacy policies and settings pages of third-party partners that do collect PII.

  • “We use search and display advertising so you can find opportunities to purchase Fitbit products and retargeting cookies to present you with Fitbit advertising on other sites based on your interaction on our website. We believe that consumers should exercise choice regarding the collection of personally identifiable information, which is why we disclose the cookies used on our website and provide links to opt-out of those collection practices. Although we would like to honor those browsers that are set with a Do Not Track signal, at the present time we are unable to honor those signals.
    •  AdRoll — The AdRoll Privacy Policy explains how their cookie works and gives you the option to adjust or opt out of this program.
    •  ApNexus — The ApNexus Cookies page provides information about their cookie and gives you the option to opt out of this program.
    • DetaXu — The DetaXu Data Collection for our Platform page explains their privacy practices and gives you the option to opt-out of this program.
    • DoubleClick and DoubleClick Floodlight — This cookie and web beacon is owned by Google. You can adjust Google’s use of cookies by visiting Google's Ads Settings. You may permanently opt-out of the Google DoubleClick cookie.
    •  Genome — This cookie is owned by Yahoo! You can read the Yahoo! privacy policy, customize and opt-out of this program.
    • Google Adwords Conversion — You can adjust the Google Ads Settings and opt-out of this program.”




* All fields are required.

By on

You may also like