By Drew Wisniewski and Jennifer Archie

On September 3, 2013, California Assembly Bill 370 (“A.B. 370”), an amendment to the California Online Privacy Protection Act (“CalOPPA”), was enrolled and sent to Governor Jerry Brown for his signature.  A.B. 370, which was sponsored by Attorney General Kamala Harris, requires an operator of a Web site or online service that collects “personally identifiable information” to disclose how it responds to “do not track” signals.  Under the California Constitution, the Governor has 12 days following presentment to veto or sign the bill before it automatically becomes law. 

CalOPPA, codified at Cal. Bus. & Prof. Code § 22575 et seq., currently requires “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” to “conspicuously post” a privacy policy on its Web site, or in the case of an online service, make it “reasonably accessible” to consumers of the online service.  The privacy policy must “[i]dentify the categories of personally identifiable information that the operator collects” and the “categories of third-party persons or entities” with whom the operator may share the information. 

A.B. 370, if enacted, would require the operator to additionally disclose “how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.”  The operator may satisfy this requirement by providing a “clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”  Additionally, A.B. 370 requires the operator to disclose “whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

In August, A.B. 370 passed the Senate and Assembly with unanimous support.   The amendment was introduced by Assembly Member Al Muratsuchi, a Democrat, and was sponsored by Attorney General Harris, who has been aggressively pursuing new privacy laws and enforcement actions after announcing the creation of the Privacy Enforcement and Protection Unit in the Department of Justice last year.  The unit focus on protecting consumer and individual privacy through prosecution of state and federal privacy laws.  In addition to the Attorney General, the amendment was supported by the California Public Interest Research Group, Consumer Watchdog, and Microsoft Corporation.  Some privacy advocacy groups, such as Consumer Watchdog, pointed out that this is only a disclosure requirement and not a Do Not Track requirement. 

Under CalOPPA, an operator has 30 days to comply after receiving notice of noncompliance with the posting and disclosure requirement. Therefore, although A.B. 370 will be effective immediately, a party would not have standing to sue until an operator has received and failed to comply with a notice of noncompliance.  Failure to comply with the CalOPPA requirements or the provisions of the posted privacy policy, if knowing and willful, or negligent and material, is actionable under California’s Unfair Competition Law and may result in penalties of up to $2,500 for each violation.

A.B. 370 was sent to the Governor along with another privacy bill, Senate Bill 568 (“S.B. 568”). S.B. 568 unanimously passed the Senate and House and if signed, would take effect on January 1, 2015.  It would require an operator of a Web site, online service, online application, or mobile application to  permit a minor to remove, or to request and obtain removal of, content or information posted online.  The bill would require that the operator provide notice to a minor that the minor may remove the content or information.  Additionally, the bill would prohibit the operator of any Web site, online service, online application, or mobile application from marketing or advertising products or services to a minor that a minor cannot legally purchase, and collecting a minor’s information.