May 29, 2020

May 29, 2020

Subscribe to Latest Legal News and Analysis

May 28, 2020

Subscribe to Latest Legal News and Analysis

May 27, 2020

Subscribe to Latest Legal News and Analysis

California Online Tracking Disclosure Bill Heads to Governor for Signature

Many companies operating commercial websites and online services will likely need to update their privacy policies soon to comply with new requirements in California. After passing the Assembly and the Senate in a series of unanimous votes, A.B. 370 is now before the Governor for signature, which is expected soon.

If signed, A.B. 370 will amend the California Online Privacy Protection Act to require companies to include information about how they respond to “do not track” signals, as well as other new information about their collection and use of personally identifiable information. Companies who collect personally identifiable information online will need to review and revise their privacy policies to ensure information is included about:

  • What categories of personally identifiable information are collected;

  • The third parties with whom that information may be shared;

  • Whether there is a process and, if so, what the process is to review and request changes to personally identifiable information that is collected;

  • How consumers are notified of a material change to the privacy policy;

  • The effective date of the privacy policy;

  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and

  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

As the bill is likely to be enacted shortly and given the breadth of new information required to be included in covered privacy policies, companies who do collect personally identifiable information should begin reviewing their data collection practices and their privacy policies so they are prepared to make the changes when required by the bill. Companies are, however, given thirty days after notice of noncompliance to post their privacy policy before they will be in violation of the law.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...