Clifford S. Davidson
 

Litigation eAlert: All Websites Collecting Information From California Residents Must Comply With New Online Privacy Law

October 2013

Clifford S. Davidson
503.243.1653

On September 27, 2013, Governor Brown of California approved a law that will require any business collecting personally identifiable information through the Internet to add to its privacy policy a description of how the website responds to do-not-track settings in users' browsers:

(b) The privacy policy ... shall do all of the following:

[...]

5.     Disclose how the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.

6.     Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different Web sites when a consumer uses the operator's Web site or service.

7.     An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

These additional rules apply to any website that collects information from California residents -- even if that website pertains to a business in Oregon, Washington or anywhere else outside California. The amendment will be reflected in Business and Professions Code § 22575. A copy of the full text of the California law (as amended) requiring online privacy policies is available here.

Businesses may wish to consult legal counsel to ensure that their privacy policies are up-to-date, in light of both this amendment and other recent changes to the laws of California and other states. Remember: a website need only be accessible to residents of a particular state in order for that state's privacy laws to apply. It thus typically is a good idea for a company to comply with the laws of the strictest state -- in this case, California -- even if that company does not specifically target business to that state.

Clifford S. Davidson is an attorney at Sussman Shank LLP in Portland, Oregon. He is co-author of the state law chapter of the treatise Proskauer on Privacy.

Related Practice Areas

Litigation

Return to Articles