It’s been a good day for consumers in California. Governor Brown signed SB-46 into law, expanding business’s data breach notification obligations to consumers whose online account data has been breached. He also signed AB-370 into law. The law requires a site operator to disclose how it responds to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information and the collection of their activity across sites.
The bill also requires the operator to disclose whether other parties may collect personally identifiable information when a consumer uses the operator’s site or service.
AB-370 amends Section 22575 of the Business and Professions Code by adding the following three requirements:
(5) Disclose how the operator responds to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
(7) An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.