California’s Do Not Track disclosure law is perhaps the first of numerous state laws imposing similar privacy policy requirements, lawyers told us this week. The law, AB-370, is the “initial step in the discussion,” said Vedder Price intellectual property lawyer Michael Waters. But the discussion could lead to a confusing, and possibly unconstitutional, patchwork of legislation if imitator laws pop up in other states, several lawyers said. Ultimately, the discussion might extend to the FTC since California’s law “does not dictate that companies have to follow the DNT signal,” Waters said. “It just says they have to notify users of how they’re going to respond to that signal. In the long run, I don’t know if that’s going to be sufficient for the FTC.”

 

As of Jan. 1, all websites or mobile apps accessible to California residents must explain in a privacy policy whether the site or app will honor a user’s DNT request (WID Jan 2 p1). Because the law’s language applies to nearly every U.S. website or app, AB-370 is essentially a national law, said Jim Halpert, who co-chairs the global privacy practice at law firm DLA Piper and helped negotiate the law’s language. “I hope that this is the only state that legislates on this because there are sharp constitutional restrictions on states imposing conflicting website notice requirements,” he said. “Other states have not joined the party. It would be problematic if they did.”

 

“You’re probably going to see some legislation” in other states, said Vedder Price lawyer Bruce Radke, who chairs the firm’s Records Management, eDiscovery and Data Privacy Group. Radke likened it to the proliferation of state data breach notification laws. In 2002, California was the first state to pass such a law. In the decade since, nearly every other state has followed, he said. “In some respects, [data breach notification laws] had origins in California and then filtered across the nation,” he said. “I think it is very possible you may see a situation similar to the breach notification laws.” California has continued to update its data breach notification laws over the past decade. Most recently, the law’s definition of “personal information” was expanded, a change that went into effect Wednesday, Radke said.

 

“People watch California and say, ‘Ooh, me too,’” said Fox Rothschild privacy lawyer Mark McCreary, who has helped clients comply with AB-370. “I think there is some danger there,” but “it doesn’t cause me a great deal of concern,” he said. The law, as it’s written, is fairly easy to comply with, he said, since it does not require websites to honor a DNT request. To do so might violate the U.S. Constitution’s Commerce Clause (http://bit.ly/JwS5q1), which restricts a state’s ability to regulate interstate commerce, McCreary said. For the advertising industry and many e-commerce businesses, he said, track- ing generates revenue. States have been loathe to impede that revenue through legislation: “We’ve seen nobody — nor do I think we will because of our Commerce Clause — say ‘you cannot track somebody,’” McCreary said.

 

But the FTC will continue to help develop best practices for treating DNT requests, Halpert said. The commission has “been vocal about best practices” and those “will continue to evolve” in 2014, he said. The FTC published a best practices guide for businesses and lawmakers for protecting consumer privacy in 2012 (http://1.usa.gov/1cPhLc0). And in the coming weeks, the commission is expected to release a report on data broker business practices (WID Nov 18 p7). A mobile device tracking seminar is also scheduled for February (WID Dec 3 p8) (http://1.usa.gov/1ari9JV). But the commission might go further in 2014, Radke said.  “I think what you may see is the FTC looking at Do Not Track and possibly exercising their unfair trade practices if we have some issue with Do Not Track practices.”

 

Legal action could also come from plaintiffs’ attorneys using AB-370 to go after noncompliant websites, said Carl Szabo, policy counsel for e-commerce trade association NetChoice. The plaintiff’s bar can bring suit for $2,500 per violation of the law, according to the California Business and Professions Code (http://bit.ly/1bCopy5). Waters said “the plaintiff’s bar has been very active in the privacy area” and he has “no doubt there may be some attempts to bring class action or individual suits against companies that don’t comply.” Halpert agreed, saying DNT disclosure “is an area that is a point of interest among the plaintiff’s bar and the portion of the Internet population that is really concerned about privacy.” This could unfairly target small businesses, Szabo said. “AB-370 unleashes plaintiff’s attorneys aggressively seeking statutory damages from small websites not yet in compliance.”

 

It’s unlikely federal lawmakers will weigh in on the issue, lawyers said. “I strongly doubt” there will be federal DNT legislation in 2014, Halpert said. “I don’t think so,” McCreary agreed. “Federal law right now is such a mess,” he said. The White House said it would deliver a proposal for consumer privacy legislation in 2013, but privacy and industry advocates haven’t heard anything in months about the proposal’s status (WID Dec 2 p1). In the absence of federal action, industry and privacy groups have continued to push forward with attempts to clarify exactly what a DNT request means and how websites should honor such a request (WID Dec 27 p1). California’s law is just another part of that debate. “This is not going to be the end of the Do Not Track discussion,” Waters said. — Cory Bennett (cbennett@warren-news.com)

 

“Reproduced by permission of Warren Communications News, Inc., 800-771-9202, www.warren-news.com.”