A website or application’s privacy policy contains language that tells the user what data is being collected and what the developer does with it. Recently, new laws have changed the requirements for what needs to be included in a privacy policy. In September 2013, the California legislature passed AB 370, which amends the California Online Privacy Protection Act (Cal. Bus. & Prof. Code § 22575) and imposes new privacy policy requirements on commercial web sites or online service providers that collect “personally identifiable information through the Internet about consumers residing in California who use or visit its commercial Web site or online service.” In practice, this description covers just about every commercial web site or online service that is open to the public: unless you block California IP addresses, California residents are going to be able to access it.
Existing requirements:
Prior to AB 370, California required that privacy policies included the following information:
- the kinds of information gathered by the website;
- how the information may be shared with other parties;
- how updates to the privacy policy will be communicated to the user;
- a description of any existing process the user can use to review and make changes to their stored information;
- the effective date of the policy.
Boilerplate privacy policies (which many sites use) that speak only in general terms do not satisfy the statute, since the law requires specificity about the particular practices of that site.
The new requirements under AB 370:
Effective Jan. 1, 2014, two new requirements have been added to California’s privacy policy regime. First is the requirement that commercial sites and services disclose how the site responds to requests not to track or collect a user’s personal information. This includes, but isn’t limited to, browser-based “do not track” signals, and covers both tracking by the originating site and tracking across third-party sites. Second is the requirement that the privacy policy disclose whether third parties may collect the user’s personal information through the site. Failure to comply with these requirements could result in litigation and fines from the California Attorney General’s office, and should be taken seriously.
Best practices:
The best practice for a site or service available on the Internet from any location is usually to comply with the most demanding requirements, which at the moment means California. For sites that are directed at, or have actual knowledge of use by, those under 13 years of age, an entirely separate body of law and requirements applies (a post on the new COPPA regulations is forthcoming, so stay tuned). A periodic review of the posted privacy policy, and of the procedures for handling users’ personal information, is recommended to ensure continued compliance with state law; contact an attorney to set one up. For further reference, the full text of the statute may be found here.