At the end of September 2013, California’s governor, Jerry Brown, signed into law a series of bills that will significantly alter California’s privacy landscape, and are likely to affect, as well, the remainder of the United States. Among these bills, California’s Assembly Bill AB 370, sponsored by the California State Attorney General, becomes effective as of January 1, 2014.
Assembly Bill AB 370 amends the California Online Privacy Protection Act (CalOPPA), codified as Cal. Bus. & Prof. Code §§22575-22579, which, since 2004 has required each operator of a commercial website, mobile application or other online service that collects personal information of California residents (“Online Service”) to post a privacy statement and provide specified information in that privacy statement. The provisions added by AB 370, to be codified as Cal Bus. & Prof. Code §22575(b)(5) to (b)(7), require additional disclosures. As a result, most privacy notices posted on Online Services directed at California residents will have to be revised.
Under the current version of CalOPPA, an Online Service must conspicuously display a privacy statement that discloses:
- The categories of personally identifiable information that the operator collects;
- The categories of third-parties with whom the operator may share that personally identifiable information;
- The process, if any, that the operator maintains for an individual to review and request changes to the information so collected;
- The effective date of the privacy statement.
AB 370 increases the currently existing mandate under CalOPPA to require, in addition, the disclosure of:
- How the Online Service responds to a browser’s do-not-track signal regarding the collection of information about online activities over time and across third party online services; and
- Whether third parties may collect information about online activities over time and across different online services.
Clarity and Definitions Missing
On its face, AB 370 seems simple. Actually, its pithy provisions are especially difficult to interpret because of a lack of definitions. As written, the three additional sections are very broad. Despite extensive dialog between the digital marketing industry and the legislators, AB 370 ends up failing to address the specific issue of online behavioral advertising (OBA), a concern to many, while imposing on companies a set of confusing new rules.
AB 370 does not require companies to provide consumers with the ability to exercise choice regarding the collection of information about their online activities for advertising or other commercial purpose. Instead, it asks companies to indicate whether and how they respond to a “do not track” signal, but fails to specify what this “do not track” signal is. As a result, it is likely to burry the real issue of OBA amongst unnecessary disclosures that are likely to burden companies and clutter privacy notices without accomplishing the original goal of consumer protection.
The California State Attorney General is developing a set of “best practices” on how to respond to CalOPPA as amended, to be published in mid to late January. However, according to representatives of its office (with whom we met in early December) who are working on the document, this document will only identify “best practices”, which are likely to go beyond the actual requirements of the law, but will not clarify the meaning or scope of AB 370. The office of the California State Attorney General pointed that their role is not to interpret the law but to provide guidance to entities subject to the law. Unfortunately, since the document will only be published by mid to late January 2014, companies are left guessing what these “best practices” might be, and will not know clearly what they are expected to do or to disclose. A confidential, working draft of the Best Practices document has been released for comments, but its content may not be shared publicly.
Subsection (b)(5) Do Not Track Disclosure
The entire “do not track” section of AB 370 is only a few lines long and does not include any definitions other than those already existing in the original CalOPPA. Specifically, new Cal Bus. & Prof. Code §22575(b)(5) requires Online Services to disclose:
“how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third party Web sites or online services, if the operator engages in that collection.”
It is not clear what “do not track” or “other mechanisms that provide consumers the ability to exercise choice” is intended to mean or cover. This lack of definition is especially important because there have been otherwise extensive efforts to develop a definition of “do not track” or “tracking preference exception”, and that definition is still in development.
Indeed, for the past two years, the Tracking Protection Working Group of the World Wide Web Consortium (W3C) – the international organization that established international standards such as XML or HTML – has been convening regular meetings to which notable global organizations, such as Apple, Microsoft, Mozilla, Nielsen, Yahoo, and the Digital Advertising Association have been participating. In early November 2013, however, W3C announced its inability to establish a standard definition of “do not track” or “Tracking Preference Exception” (in W3C lingo). As a result, there is not yet a commonly accepted definition of “do not track”.
Without a proper definition of “do not track”, it is difficult to interpret California’s AB 370. For example, does “targeting” cover specific targeting (e.g. “interested in a new car”) or only general profile categories (e.g.,” interested in cars”)? Is “tracking” limited to the use of information in connection with online behavioral advertising, or does it also include the tracking technologies that are used for other purposes, that are less privacy intrusive, such as analytics or fraud detection?
Other crucial definitions are missing, as well, such as that of “other parties.” Does “other parties” include affiliates and subsidiaries in addition to service providers and business partners? Is a subsidiary an “other party”, such that, for example, eBay cannot share its information with PayPal, or Zappos with Amazon?
Representatives of the California State Attorney General’s office in meetings held in December 2013 indicated that, in their view, the term “tracking” is intended to include all forms of tracking – while concurrently stating that they have no authority to interpret the new law, and can only suggest best practices.
An interpretation of AB 370 in this manner – i.e. including, without discrimination all forms of tracking, such as tracking for fraud detection or analytics purposes - would unnecessarily complicate the disclosure required by AB 370. It would require longer, more complex disclosures, which would lengthen privacy statements, making them more difficult to comprehend for the average consumer. The recent implementation of the “Cookie Laws” in Europe provides an example of the confusion, wasted time, and lengthy disclosures that can result when a law is too broad, and companies scramble to interpret it. Let us hope that the same confusion does not result from the implementation of AB 370 on this side of the ocean.
Subsection (b)(7) - Safe Harbor
New Cal Bus. & Prof. Code §22575(b)(7) creates a safe harbor or an alternative to Subsection (b)(5). New subsection (b)(7) provides that the operator of an Online Service may satisfy the requirement above by providing a clear and conspicuous hyperlink in its privacy statement to “a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice” (i.e., the ability to make a choice regarding the collection of personally identifiable information about the individual’s online activities over time or across third party Web sites or online services).
In other words, Subsection (b)(7) offers Online Services the ability not to disclose whether they respond to a - yet-to-be-defined - “do not track” signal by providing users of their service a method for opting-out of the tracking.
At this point, Subsection (b)(7) might be the most elegant and practicable alternative for companies, but it may require extensive programming and development of new application to address in a user friendly manner the numerous choices that might to be made available to users. Indeed, user friendly designs and interfaces will likely be needed so that an Online Service can shape its interaction with a user to allow the user to make granular choices while the Online Service retains the ability to conduct the collection and analysis that it needs to remain profitable and continue to receive the necessary level of traffic to generate revenues.
Subsection (b)(6) - Third Party Tracking Disclosure
The other change brought by the enactment of AB 370 focuses on third party tracking mechanisms. So far, privacy statements posted on Online Services have generally disclosed the existence of cookies or other tracking technologies such as tags, but many have failed to clearly disclose the existence or effect of third parties tracking. When they do make these disclosures, some of these statements indicate that the use of third party tracking technologies is subject to third parties privacy policies over which the Online Service has no control.
Starting on January 1, 2014, Online Services must also disclose in their privacy notices:
“Whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different websites when a consumer uses the operator’s Web site or service”
This provision, to be added to the existing law as Cal Bus. & Prof. Code §22575(b)(6), is unnecessarily broad, does not distinguish between website analytics and behavioral advertising, and in the absence of proper guidance from the legislator or the enforcers, is likely to give rise to litigation.
Interestingly, or unfortunately, this additional provision regarding third-party tracking technologies is not balanced by a safe harbor provision as is the case for the “do-not-track” disclosure under new Subsection (b)(5). Thus, the disclosure is required whether or not the Online Service offers users information about opting-out of the collection of information by third parties.
Under Subsection (b)(6), Online Services must only disclose the existence of third parties tracking tools. They are not required to describe the purpose for which the third parties may use the collected information, i.e., whether these uses are limited to those disclosed in the privacy statement of the Online Service itself, or whether other uses might be possible under the separate privacy policies of these third parties.
It will be up to companies to decide the extent of the disclosures or explanation they want to provide about the scope of the activities of the third parties that they invite or allow to collect information on their Online Service. It remains to be seen whether companies will opt for a generic sentence such as “third parties may be conducting activities over time and across different websites”, or will provide more specific, user-friendly disclosures.
What Personal Information is at Stake?
The disclosures required above apply to the collection of “personally identifiable information”, a term that is defined in CalOPPA, Cal bus. & Prof. Code §22577(a) to include (1) first and last name; (2) physical address; (3) e-mail address; (4) telephone number; (5) social security number; (6) Any other identifier that permits the physical or online contacting of a specific individual; and (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above.
While the first part of the definition – subsections (a)(1) to (5) - is clear and specific, the second part – subsections (a)(6) and (7) is a catchall provision that could be interpreted broadly. So far, the extent of these subsections has not been fully tested. There is little information about the meaning and scope of the term “identifier that permits the physical or online contacting of a specific individual.” In an era where most devices are personal to a user, and each instance of use is labeled with cookies, tags, IP addresses, and in many cases, location, Subsection (a)(6) might be interpreted very broadly. Does the ability to post advertisements on a user’s screen based on cookies that identify that specific user – without knowing the user’s actual identity – fit within the scope of the new provision? In the new AB 370 era, we should expect the plaintiff’s bar to argue that it does.
The passage of AB 370 reopens the door to the interpretation of the definition of “personally identifiable information” under CalOPPA. Unfortunately, the definition has not been sufficiently tested previously, and it may have aged as technology has evolved significantly in the ten years that have elapsed since CalOPPA’s enactment in 2004. An unintended consequence of the passage of CalOPPA might be the expansion of CalOPPA’s definition of “personally identifiable information” to a concept that be closer to the definition of “personal data” under the data protection laws of the European Union Member States.
California’s AB 370 does not prohibit tracking. It only requires that operators of Online Services disclose how they respond to a do-not-track signal, and whether third party service providers have the ability to collect personal information from individuals during their visit of that Online Service and follow that individual over time and on other Online Services. The new law has been criticized for its lack of clarity, and it is our hope that the California State Attorney General will provide practical guidance on how to implement this new requirement. In the meantime, the new provisions fail to define what is intended by “do not track,” or to clarify the type of “personally identifiable information” that is to be protected.
While the new requirement under AB 370 focuses only on the “mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information,” it fails to recognize the many forms and the different uses of tracking, some of which are beneficial to the users. AB 370 is also based on a pre-existing definition of “personally identifiable information” that is broad and not yet fully tested, which may create further confusion.
At this point, we are left with provisions that are difficult to interpret, lack definition, and are so broad that they have the potential of causing significant harm to companies and burden users with unnecessary disclosures that might be hard to decipher. It is likely that the meaning and scope of the AB 370 amendments to CalOPPA will remain uncertain until courts are called upon to interpret the new provisions.