Even if a website’s data collection and sharing practices have not changed, laws and regulations do.  And a website’s privacy policy must keep pace.

In particular, certain recent changes mean that most company privacy policies may no longer meet legal requirements.  For example, under recent amendments to the California Online Privacy Protection Act, commercial websites with California users – in practice, all such sites in the U.S. – now must disclose how they, and any third parties that provide services to that site, respond to “do not track” signals from browsers.  Another new provision requires websites to disclose whether third parties collect “personally identifiable information” (itself a term whose definition evolves) on the operator’s website over time and across other sites, which enables the practice known as behavioral targeting.

In addition, California recently enacted an “eraser” law that will empower registered users under the age of 18 (note that this is a higher age than the “under 13” standard set by the federal Children’s Online Privacy Protection Act) of a site “predominantly comprised of minors” to direct websites to remove, or request the removal of, content that the youth has posted.  This introduction of the European “right to be forgotten” will take effect on January 1, 2015, so companies should begin planning how they will come into compliance.

While reviewing the effect of these new laws on a company’s privacy policy, it might also be desirable to review the website’s compliance with other California laws of somewhat older vintage, including the “Shine the Light” law and the data breach notification law (which itself recently was amended to apply to more data).  Both of these laws encourage businesses to have plans in place to address the situations required by the law, which may enable businesses to avoid more costly steps in the event the laws are triggered.
