A new California law taking effect on January 1, 2014, will require any operator of a website or online service that collects personally identifiable information on state residents to include new do-not-track disclosures in its privacy policy. As businesses revise their website privacy policies to add the new disclosures, they should consider having legal counsel review their policies to ensure that they comply with applicable federal and state laws and reflect current best practices.

Signed into law by California Governor Jerry Brown on September 27, 2013, Assembly Bill No. 370 (AB 370) amends Section 22575 of the state’s Business and Professions Code. Section 22575 requires the operator of a website that collects personally identifiable information on consumers residing in California who use or visit the site to conspicuously post its privacy policy on the site. (The operator of an online service must make its privacy policy available by any reasonable accessible means.)

As amended by AB 370, Section 22575 requires such an operator to include in its privacy policy a description of how the operator responds to do-not-track settings in consumers' browsers. The law describes such settings as “signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party Web sites or online services.” An operator can satisfy the new requirement “by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”

The law also requires an operator to disclose in its privacy policy whether, when a consumer uses the operator’s website or service, other parties can collect personally identifiable information about a consumer's online activities “over time and across different Web sites.”

Ballard Spahr attorneys regularly advise financial institutions and other companies providing financial services online on compliance with consumer financial services laws, as well as related data security and privacy laws. The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws.

Members of the Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new and existing products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

For more information, please contact CFS Group Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com, or John L. Culhane, Jr., at 215.864.8535 or culhane@ballardspahr.com



Copyright © 2013 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.








Related Practices

Consumer Financial Services
Mortgage Banking 
Privacy and Data Security


Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >