Pillsbury Winthrop Shaw Pittman

California AG issues new privacy policy and ‘do not track’ compliance guidelines, announces proactive enforcement

By Andrew D Lanphere, Catherine D Meyer, Roxane A Polidora and Jacob R Sorensen

The California Attorney General (AG) recently released a series of guidelines to assist with compliance with the California Online Privacy Protection Act of 2003 (CalOPPA), which was amended to require new data collection and ‘do not track’ disclosures. These guidelines offer assistance regarding the form and content of operators’ privacy policies. The AG has stated she will actively enforce operators’ compliance with CalOPPA, including through litigation. Operators of websites and online services that are used or visited by California residents should ensure as soon as possible that their privacy policies comply with the AG’s guidelines.

CalOPPA, Cal. Bus. & Prof. Code §§ 22575–22579, has since 2003 required ‘operators’ of commercial websites and online services that collect ‘personally identifiable information’ of California residents to conspicuously post their privacy policies. An operator violates CalOPPA if its privacy policy fails to comply with the statute’s disclosure requirements either (1) knowingly and wilfully or (2) negligently and materially. Cal. Bus. & Prof. Code § 22576. The AG has previously filed suit for CalOPPA violations seeking injunctive relief and civil penalties under Bus. & Prof. Code § 17200, on the theory that the improper privacy policy constituted an unlawful business practice.

As of 1 January 2014, CalOPPA requires that privacy policies additionally describe (1) how the operator responds to ‘do not track’ browser signals (DNT signals) or ‘other mechanisms’ that give a consumer the ability to indicate the consumer does not want his or her personally identifiable information collected and tracked; and (2) the possible presence of other parties conducting online tracking on the operator’s website or online services. Cal. Bus. & Prof. Code § 22575(b)(5)–(6). In lieu of the first requirement to describe how the operator responds to DNT signals, the operator can provide a ‘clear and conspicuous’ link in the privacy policy to a ‘program or protocol’ that offers consumers a choice about online tracking, along with a description of the program or protocol and the effects it has on participating consumers. Cal. Bus. & Prof. Code § 22575(b)(7)…

Click on the link below to read the rest of the Pillsbury briefing.

Sign in or Register to continue reading this article

Sign in


It's quick, easy and free!

It takes just 5 minutes to register. Answer a few simple questions and once completed you’ll have instant access.

Register now

Why register to The Lawyer


Industry insight

In-depth, expert analysis into the stories behind the headlines from our leading team of journalists.


Market intelligence

Identify the major players and business opportunities within a particular region through our series of free, special reports.


Email newsletters

Receive your pick of The Lawyer's daily and weekly email newsletters, tailored by practice area, region and job function.

More relevant to you

To continue providing the best analysis, insight and news across the legal market we are collecting some information about who you are, what you do and where you work to improve The Lawyer and make it more relevant to you.


Tower 42, Level 23
25 Old Broad Street