“You’re probably going to see some legislation” in other states, said Vedder Price lawyer Bruce Radke, who chairs the firm’s Records Management, eDiscovery and Data Privacy Group. Radke likened it to the proliferation of state data breach notification laws. In 2002, California was the first state to pass such a law. In the decade since, nearly every other state has followed, he said. “In some respects, [data breach notification laws] had origins in California and then filtered across the nation,” he said. “I think it is very possible you may see a situation similar to the breach notification laws.” California has continued to update its data breach notification laws over the past decade. Most recently, the law’s definition of “personal information” was expanded, a change that went into effect Wednesday, Radke said.
“People watch California and say, ‘Ooh, me too,’” said Fox Rothschild privacy lawyer Mark McCreary, who has helped clients comply with AB-370. “I think there is some danger there,” but “it doesn’t cause me a great deal of concern,” he said. The law, as it’s written, is fairly easy to comply with, he said, since it does not require websites to honor a DNT request. To do so might violate the U.S. Constitution’s Commerce Clause (http://bit.ly/JwS5q1), which restricts a state’s ability to regulate interstate commerce, McCreary said. For the advertising industry and many e-commerce businesses, he said, track- ing generates revenue. States have been loathe to impede that revenue through legislation: “We’ve seen nobody — nor do I think we will because of our Commerce Clause — say ‘you cannot track somebody,’” McCreary said.
But the FTC will continue to help develop best practices for treating DNT requests, Halpert said. The commission has “been vocal about best practices” and those “will continue to evolve” in 2014, he said. The FTC published a best practices guide for businesses and lawmakers for protecting consumer privacy in 2012 (http://1.usa.gov/1cPhLc0). And in the coming weeks, the commission is expected to release a report on data broker business practices (WID Nov 18 p7). A mobile device tracking seminar is also scheduled for February (WID Dec 3 p8) (http://1.usa.gov/1ari9JV). But the commission might go further in 2014, Radke said. “I think what you may see is the FTC looking at Do Not Track and possibly exercising their unfair trade practices if we have some issue with Do Not Track practices.”
Legal action could also come from plaintiffs’ attorneys using AB-370 to go after noncompliant websites, said Carl Szabo, policy counsel for e-commerce trade association NetChoice. The plaintiff’s bar can bring suit for $2,500 per violation of the law, according to the California Business and Professions Code (http://bit.ly/1bCopy5). Waters said “the plaintiff’s bar has been very active in the privacy area” and he has “no doubt there may be some attempts to bring class action or individual suits against companies that don’t comply.” Halpert agreed, saying DNT disclosure “is an area that is a point of interest among the plaintiff’s bar and the portion of the Internet population that is really concerned about privacy.” This could unfairly target small businesses, Szabo said. “AB-370 unleashes plaintiff’s attorneys aggressively seeking statutory damages from small websites not yet in compliance.”
It’s unlikely federal lawmakers will weigh in on the issue, lawyers said. “I strongly doubt” there will be federal DNT legislation in 2014, Halpert said. “I don’t think so,” McCreary agreed. “Federal law right now is such a mess,” he said. The White House said it would deliver a proposal for consumer privacy legislation in 2013, but privacy and industry advocates haven’t heard anything in months about the proposal’s status (WID Dec 2 p1). In the absence of federal action, industry and privacy groups have continued to push forward with attempts to clarify exactly what a DNT request means and how websites should honor such a request (WID Dec 27 p1). California’s law is just another part of that debate. “This is not going to be the end of the Do Not Track discussion,” Waters said. — Cory Bennett (firstname.lastname@example.org)
“Reproduced by permission of Warren Communications News, Inc., 800-771-9202, www.warren-news.com.”