In particular, certain recent changes mean that most company privacy policies may no longer meet legal requirements. For example, under recent amendments to the California Online Privacy Protection Act, commercial websites with California users – in practice, all such sites in the U.S. — now must disclose how they, and any third-parties that provide services to that site, respond to “do not track” signals from browsers. Another new provision requires websites to disclose whether third parties collect “personally identifiable information” (itself a term whose definition evolves) on the operator’s website over time and across other sites, which enables the practice known as behavioral targeting.
In addition, California also recently enacted a “eraser” law that will empower registered users under the age of 18 (note that this is a higher age that the “under 13” standard set by the federal Children’s Online Privacy Protection Act) of a site “predominantly comprised of minors” to direct websites to remove, or request the removal of, content that the youth has posted. This introduction of the European “right to be forgotten” will take effect on January 1, 2015, so companies should beginning planning how they will come into compliance.