Many companies operating commercial websites and online services will likely need to update their privacy policies soon to comply with new requirements in California. After passing the Assembly and the Senate in a series of unanimous votes, A.B. 370 is now before the Governor for signature, which is expected soon.

If signed, A.B. 370 will amend the California Online Privacy Protection Act to require companies to include information about how they respond to “do not track” signals, as well as other new information about their collection and use of personally identifiable information. Companies that collect personally identifiable information online will need to review and revise their privacy policies to ensure they include information about:

  • What categories of personally identifiable information are collected;
  • The third parties with whom that information may be shared;
  • Whether there is a process for consumers to review and request changes to the personally identifiable information that is collected and, if so, what that process is;
  • How consumers are notified of a material change to the privacy policy;
  • The effective date of the privacy policy;
  • How the company responds to “do not track” signals or other mechanisms that provide consumers the ability to exercise choice over the collection of personally identifiable information about their online activities over time and across third-party websites or online services, if the company collects such information; and
  • Whether third parties may collect personally identifiable information about a consumer’s online activities over time and across different websites when a consumer uses the company’s website.

As the bill is likely to be enacted shortly, and given the breadth of new information that covered privacy policies must include, companies that collect personally identifiable information should begin reviewing their data collection practices and their privacy policies now so they are prepared to make the changes when the bill requires them. Companies are, however, given thirty days after notice of noncompliance to post their privacy policy before they will be in violation of the law.