Are You Going to End Up on California’s Wall of Shame?

September 27, 2013 Courtney Brady

Within the technology industry, privacy is at the forefront of everyone’s mind, whether it concerns the privacy of our customers’ secure information or protecting the activity path that a user takes while interacting with a website.

The state of California recently made headlines when both houses of the State Legislature ruled that the state now requires new online disclosures (1). At first glance, that statement seems harmless, but on closer review, what the state now requires is sparking a fire among web operators.

Effective January 1, 2014, California will require all websites to disclose how they “respond to Web browser ‘do not track’ signals that provide consumers the ability to exercise their own choice regarding collecting personally identifiable information (PII) about that same individual consumer’s online activities”, if such information is in fact collected.

*Note – this information includes: (1) first and last name; (2) home or other physical address, including street name and name of city or town; (3) e-mail address; (4) telephone number; (5) social security number; (6) any other identifier that permits the physical or online contacting of a specific individual

The requirements amend the California Online Privacy Protection Act (2) and apply to all commercial website operators, including apps, as well as any online service that collects personally identifiable information (PII) about consumers residing in California.

This brings up an interesting point. According to the ruling, if you do not comply, California will state publicly that you do not honor their requests. If you do in fact comply, then you have to provide details about what you do when a “do not track” signal is received from the consumer’s web browser or any other technology that allows consumers to choose what PII is collected. The idea of shaming operators into adopting “do not track” mechanisms is a bit much, given that federal regulators have yet to impose a national standard for such circumstances.

The major issue is that this may require more specific disclosures of what behavior information a website owner collects, more than just generic activity. The bigger picture is that organizations that collect PII, whether or not they are based in California, must assess their current website privacy policies to ensure they are compliant with California’s new laws. Because the law does not set any “Do Not Track” standards or best practices, it leaves the consumer privacy stance open for debate.

Previously, privacy policy requirements called for descriptions of existing privacy protocols. The new requirements call for review and deliberation of fundamental privacy issues when confronted with a user who does not want their PII collected across time and platforms.

With California taking the lead on updating their website visitor protocol, it’s safe to say that many states will soon follow in their footsteps. With 447 of the Forbes 500 (US based) list of companies not based in California, this could mean a dramatic change to the way the rest of the country runs their online operations. While the State won’t start “monitoring” their requirements until January, their pre-emptive strike gives all other business and website owners more than enough time to start planning for the things they might come across.

Court cases, legal fees, and punishments for non-compliers are all things that may be breaking headlines early next year. Who’s to say that being marked as “non-compliers” will hurt businesses? Will this result in other California-based organizations taking their business elsewhere, away from those who do not comply with the regulations, to save themselves from further punishment or investigation down the road? It may be too soon to tell.

In comparison, I do think California is on the right track – website owners in the European Union already require all tracking of visitors. Once visitors opt out of the agreement itself, the companies/websites can no longer track them. If they fail to comply with their rules and regulations, they are hit with hefty fines and punishments that can lead to detrimental factors to their business. So in turn, they’ve found it easier just to comply – I feel that the remainder of the United States will have a similar “suck it up” attitude once they realize the damages are not worth their time, effort, or money.

(1) http://www.lexology.com/library/detail.aspx?g=3837c9c3-e41f-4990-ad49-ba2fb8a69a88

(2) http://oag.ca.gov/privacy/COPPA

About the Author

Courtney Brady

Courtney Brady is the Director of Marketing at Distil Networks. She comes to Distil Networks from a variety of start-up companies, rooted in SaaS and DaaS solutions. Formerly the global communications manager at multiple companies, Courtney is responsible for developing the company’s marketing strategy and branding campaign.
