If you operate a web site that accepts personal information from California residents, you may be aware that California’s amended CalOPPA law has added a “do not track” requirement this month. California’s legislators have added to the already-weak law a new, valueless clause that gives the appearance that the law does something that it does not actually do.
The United States has a long way to go in developing privacy protections when compared to the protections found in Europe, Asia, Africa, Australia, South America and even our neighbors in Canada and Mexico. Outside of the United States, the concept of privacy and protection of personal information is considered a human right. Pogroms and genocide are relatively recent and tangible threats outside of the United States, so privacy laws have taken hold there. In contrast, within the U.S., personal information is a valuable commodity, which creates a business interest in taking control of our identities away from individuals.
And this is why US privacy laws are so weak. Legislatures are resistant to passing laws that tell business what to do. And when business finds something to be very lucrative, like trading on our personal information, there is a lot of moneyed interest in leaving that business alone.
But rather than trying to solve this problem in a single blog post, let’s instead make explicit what website operators must do to comply with this updated California law. We’ll address how to take charge of security and privacy in a later blog post.

To comply, a website operator must post a privacy policy that:
1. Identifies the “categories” of personal information that your site gathers, the categories of third parties who will receive that information from you, and whether your information may be shared among multiple sites.
2. Describes the process, if you have one, that a person must go through in order to review and request changes to the personal information that the site stores about them.
3. States the effective date of the policy.
4. States how your website will respond to “do not track” messages it receives from a visitor’s browser (a feature that browsers now commonly provide).
5. Is conspicuous to website users.
Yes, this new privacy law is very weak, and I am doubtful of the protections this will provide consumers. But for website operators, it is very simple to implement. In a later blog post, I’ll address what better, achievable laws could look like while remaining business-friendly. Do you think the privacy laws are weak or sufficient? What recommendations do you have to balance privacy without hindering business?