Greta Garbo, as Grusinskaya in Grand Hotel, was famous for saying: “I want to be alone, I just want to be alone.” On Friday September 27, 2013, Governor Jerry Brown signed A.B. 370, which requires an operator of a website or online services that collects “personally identifiable information” to disclose how it responds to “do not track” signals. Companies operating commercial websites and online services will likely need to update their privacy policies to comply with new requirements in California as the result of the amendment of the California Online Privacy Protection Act (“CalOPPA”).

When the law comes into effect on January 1, 2014, companies will be required to include online information about how they respond to “do not track” signals, as well as other new information about their collection and use of personally identifiable information. More specifically, companies will need to disclose:

  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and
  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

Companies who collect personally identifiable information should review their data collection practices and their privacy policies so they are able to make any necessary changes required by the bill. Under the existing law, companies are, however, given thirty days after receipt of a notice of noncompliance to post their privacy policy before they will be in violation of the law.

Attorney General Kamala Harris supported the new law and recently has taken action to enforce CalOPPA, including creating a Privacy Enforcement and Protection Unit within the California State Department of Justice and notifying mobile application companies of the applicability of CalOPPA and potential noncompliance with CalOPPA. In December 2012, Attorney General Harris brought an action against Delta Airlines alleging that it had violated CalOPPA and the California Unfair competition Law by failing to “conspicuously post a privacy policy in its Fly Delta app.” The action was dismissed on May 9, 2013. In support of its motion, Delta had argued that the Airline Deregulation Act of 1978 preempted CalOPPA’s application to the Fly Delta app, which provides airline related “services” as defined by the ADA. While many questions remain with regard to CalOPPA and whether the California State Attorney General has authority to pursue CalOPPA claims against non-California operators and whether mobile apps qualify as websites and online services within the meaning of CalOPPA, this case made clear that the California Attorney General’s office interprets CalOPPA to apply to mobile apps. and that it will take legal enforcement action to enforce its interpretation of CalOPPA.