If you operate a web site that accepts personal information from California residents, you may be aware that California’s amended CalOPPA law has added a “do not track” requirement this month. California’s legislators have added to the already-weak law a new, value-less clause that gives the appearance that the law does something that it does not actually do.

Up until this month, CalOPPA required that website operators post their privacy policy conspicuously, and if the operators actually permitted individuals to review and correct their personal information on the site, the privacy policy also had to provide instructions for users on submitting their review requests. So website operators do not actually have to provide special privacy protections for individuals; they just need to say what they do.

The new “do not track” provision is similarly weak. It requires site operators to state in their privacy policy how their site will deal with “do not track” requests that end-user browsers send to the website. A policy that states, “We ignore do-not-track browser requests” complies with the new law as it is written.

The United States has a long way to go in developing privacy protections when compared to the protections found in Europe, Asia, Africa, Australia, South America and even our neighbors in Canada and Mexico. Outside of the United States, the concept of privacy and protection of personal information is considered a human right. Pogroms and genocide are relatively recent and tangible threats outside of the United States, so privacy laws have taken hold there. In contrast, within the U.S., personal information is a valuable commodity that creates a business interest in taking control of our identities away from individuals.

And this is why US privacy laws are so weak. Legislatures are resistant to passing laws that tell business what to do. And when business finds something to be very lucrative, like trading on our personal information, there is a lot of moneyed interest in leaving that business alone.

But rather than trying to solve this problem in a single blog post, let’s instead make explicit what website operators must do to comply with this updated California law. We’ll address how to take charge of security and privacy in a later blog post.

According to the updated CalOPPA law, if your website gathers personal information from residents of California, then your site must have a privacy policy that:

1. Identifies the “categories” of personal information that your site gathers, the categories of third parties who will receive that information from you, and whether that information may be shared among multiple sites.
2. Describes the process, if you have one, that a person must go through in order to review and request changes to the personal information (PI) that the site stores about them.
3. States the effective date of the policy.
4. States how your website will respond to “do not track” messages it receives from a user’s browser (a feature that browsers now commonly provide).
5. Is conspicuous to website users.

Yes, this new privacy law is very weak, and I am doubtful of the protections this will provide consumers. But for website operators, it is very simple to implement. In a later blog post, I’ll address what would provide for better, achievable laws that could at the same time remain business-friendly. Do you think the privacy laws are weak or sufficient? What recommendations do you have to balance privacy without hindering business?