What did you do over your summer vacation? Yes, the sad truth is that summer is almost over. You can tell because there wasn’t a single superhero movie that opened at the box office last weekend (no, Smurfs2 does not count) and because the California Senate is preparing to reconvene from its summer recess. If you are a member of the California Senate, my guess would be that you spent your summer break finally reading Gone Girl and thinking about how when you get back to the Capitol, you get to turn your attention to Assembly Bill 370.
A.B. 370 was passed unanimously by the California Assembly in May, and received “do pass” approval from a Senate committee in June. When the Senate returned to Sacramento on Monday, it is one of a handful of bills that may receive a floor vote before the Senate adjourns again in September.
A.B. 370 would amend Section 22575 of California’s Business and Professions Code to require any operator of an online service to disclose in its privacy policy how it responds to “do not track” signals or similar tools and settings. As amended, Section 22575 would also require operators to disclose whether other parties may “collect personally identifiable information about a consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
One potential issue with A.B. 370 is the lack of a universal standard for Do Not Track. Do Not Track still being hotly debated and service providers like Mozilla have put unique standards in place. This type of uncertainty can create a liability trap for online service providers even if they attempt to comply with the bill’s requirements. On the other hand, with so many users relying on Do Not Track mechanisms (17% of U.S. users, according to Mozilla’s estimates) there has been considerable support, including from California Attorney General Kamala Harris, in favor of making this type of information available to consumers.
Regardless, the concern that should be at the forefront of every online service provider’s mind is whether that provider has a clear understanding of how the various aspects of its online service (including components hosted or serviced by third party service providers) do or do not respond to Do Not Track signals. Understanding precisely what can be collected while a consumer uses a Do Not Track tool will be essential if A.B. 370 becomes state law, but that determination may not be straightforward (and may need to be reassessed on a continuous basis) where third party service providers are involved.
Your Mintz Levin privacy team is happy to discuss any questions you may have about A.B. 370 or chat with you about what you did on your summer vacation (off the clock, of course).