The California Do Not Track law that was scheduled to take effect Wednesday only requires a slight change to website and mobile app privacy policies, but it could be the opening salvo in a long debate over how online tracking is regulated, lawyers and industry advocates told us in interviews this week. The law, AB-370, mandates any website or mobile app that’s accessible to California residents — essentially all U.S. websites — must state in its privacy policy whether it honors a user’s DNT request. But it doesn’t require websites to do so, just to state whether it will or won’t, said Fox Rothschild privacy lawyer Mark McCreary, who has helped clients comply with the law.

 

“I consider this law somewhat of a narrow issue and it’s very easy to comply with,” McCreary said. Most of McCreary’s clients have altered their privacy policies to say they’re not going to honor DNT requests, he said. “It doesn’t surprise me. You see that often from businesses when they don’t really know what to make of the new laws and what it could mean in the future.”

 

Ambiguities remain about the law’s language on third-party data collection, said several lawyers. If a website has a third-party advertiser, the site is required to also disclose that third party’s privacy policy. “We’re finding more often than not that our clients will refer to those individual marketing network’s privacy policies, which gets a little bit cumbersome to circle back and forth,” McCreary said. “It gets confusing for the consumer, in my opinion.” Jim Halpert, who co- chairs the global privacy practice at law firm DLA Piper, agreed: “This is not the clearest statute in the world; it was heavily negotiated.”

 

Halpert helped draft the law, representing privacy and security coalitions that included 21 major tech and media companies, he said. “The reason why we accepted that language was that one can comply with it by saying that third parties may collect information from our website,” Halpert said.  “That is a disclosure that is prudent to make today anyway, given the class action [lawsuit] activity over third-party tracking.”  But companies still “need guidance as to how to comply with” AB 370, Halpert added.

 

Much of that guidance will fall to the California attorney general’s office, lawyers said.  In early December, the office held meetings to discuss questions about third-party disclosures, said Vedder Price lawyer Bruce Radke, who chairs the firm’s Records Management, eDiscovery and Data Privacy Group.  “We’ve been told some best practices are going to come out in January of [2014],” Radke said.  Halpert confirmed the late January timeline.  California has been at the forefront of Internet privacy legislation in several areas, lawyers said.  The state’s data breach notification laws, in effect since 2003, also were to expand Wednesday to include more types of information under the definition of “personal information,” Radke said.  And in August, the Legislature passed a bill — signed into law in September — that limits what types of advertisements can be shown to minors online and mandating an “eraser button” for children who post content online (WID Aug 15 p3).  The law takes effect in 2015.  To help provide guidance on these and other privacy laws, the office launched a Privacy Enforcement and Protection Unit in 2012 within its eCrime division (http://oag.ca.gov/privacy).

 

As state officials and lawyers hash out the details, “the real concern is for those smaller web- sites not aware or unclear about the new requirements,” said Carl Szabo, policy counsel for e- commerce trade association NetChoice.  He said the law leaves small businesses vulnerable to fines that they might not even be aware of.  McCreary said even websites that are aware of the changes are concerned that it could hurt business.  “From my clients’ perspective, it is not very pro- business,” he said.  “It’s very valuable to see where someone came from or if they didn’t have a sale, where they then went” on the Web.  The law could have an effect on a company’s ability to gather that information, McCreary said. — Cory Bennett (cbennett@warren-news.com)

 

“Reproduced by permission of Warren Communications News, Inc., 800-771-9202, www.warren-news.com.”