California Passes Do-Not-Track Law

While the likelihood of a consumer privacy bill coming out of Congress are slim, California recently passed a groundbreaking ruling on consumer privacy legislation.

At the end of August, the California Senate and Assembly unanimously approved an amendment (A.B. 370) to the California Online Privacy Protection Act that requires commercial websites and services that collect personal data to disclose how they respond to “Do Not Track” signals from web browsers.

This amendment was first introduced by California Assemblyman Al Muratsuchi and sponsored by Attorney General Kamala Harris, who is best known for aggressively pursuing consumer privacy enforcement actions. State Governor Jerry Brown is expected to sign the amendment.

What is the AB370?

Although it’s referred to as a Do-Not-Track law, the bill doesn’t actually prohibit tracking, which disappoints most privacy advocates that would prefer laws – both federal and state – mandate Do-Not-Track standards.

According to Alan Friel, partner with Edwards Wildman Palmer, “The bill is a disclosure requirement. An operator would only be in violation if they failed to post practices in their privacy policy.”

The bill states that websites that don’t clearly spell out practices in their privacy policy would be given a warning and 30 days to come into compliance.

However, this bill does stand to change things for websites that track consumer web activity for advertising or other purposes. Friel commented:

“Many websites, mobile apps, ad networks and other online services will need to update their policies. Companies need to make sure privacy statements are accurate and if they are in self-regulatory programs, such as the Digital Advertising Alliance, make sure they are following those practices.”

Specifically, the bill adds new requirements that a privacy policy:

  1. “Disclose how the operator responds to web browser do-not-track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across third-party web or online services, if the operator engages in that collection.
  2. Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different web sites when a consumer sues the operator’s website or service.

The operator is permitted to satisfy the disclosure regarding how the operator responds to Do-Not-Track signals by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

Some Uncertainty

As the law is silent on specific Do-Not-Track standards or practices, the consumer privacy debate is still wide open. However, it does require websites to choose sides – either they will honor or ignore Do-Not-Track browser signals.

The W3C’s tracking protection working group has been spending the past two years attempting to reach a consensus for a Do-Not-Track browser standard. During that time, Microsoft and Mozilla forged ahead with Do-Not-Track browsers. As those solutions were “on” by default, the DAA members have said that they would not honor the browser Do Not Track signal.

California’s Attorney General has commented that the proposed new law would help boost awareness of online behavioral tracking, aiding consumers in making informed decisions about their use of a site or service.


This article provides discussion on Californian amendment (A.B. 370), which modifies the California Online Privacy Protection Act, requiring commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals from web browsers.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US), a privacy professional should be comfortable with topics related to this post, including:

  • State attorneys general (
  • Self-regulatory programs (I.A.d.vii.)
  • Self-regulatory enforcement (I.B.h.)
  • State privacy laws (V.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>