Both houses of the California legislature have unanimously approved AB 370, a Do Not Track initiative that is backed by Attorney General Harris. If Governor Brown signs the bill, it will be the first Do Not Track law worldwide. So, what would it do? More and less than a casual reader might expect.
The California Online Privacy Protection Act
To understand AB 370, you have to understand the California Online Privacy Protection Act (“CalOPPA”). The law was enacted in 2003, with the primary aim of requiring privacy policies on consumer websites. For the most part, CalOPPA has succeeded: Popular websites have largely come into compliance. Applications of the law have been generally unambiguous and uncontroversial.1
Unfortunately, CalOPPA shows its age. First, the law’s requirements are cabined to enumerated categories of personally identifiable information, a legal convenience that advances in computer science have rendered obsolete. Research has repeatedly shown that data can be trivially re-identified even when it contains no obvious identifier like a name or address. Second, CalOPPA’s phrasing makes sense for a conventional website where a user opens an account. But what about the ecosystem of third-party websites that users have never heard of and never log into? These limitations may prove fatal to AB 370’s legislative policy.
Do Not Track Transparency
AB 370 aims to bring transparency to online tracking. The notion is that if a company is in the business of tracking users, it’ll have to disclose how it treats the Do Not Track setting in popular browsers.2 Good idea, but not so good legislative drafting.
AB 370 bolts Do Not Track onto CalOPPA. The trouble is, CalOPPA and Do Not Track come from different eras. CalOPPA is written in the language of personally identifiable information and first-party websites. Do Not Track is designed to address re-identifiable information and third-party websites.
The result is a serious statutory interpretation question.3 Trackers have a number of possible grounds for claiming they are exempt from CalOPPA and AB 370, such as:
- Because we’re third parties, consumers don’t “use or visit” our services.
- The information that we collect is not “about” an “individual consumer,” but rather, related to a browser or device.
- Our data isn’t “personally identifiable information,” it’s just browsing activity and web protocol logs.4
- To the extent there is any personally identifiable information that flows to us, we don’t “collect” it because we don’t actually use it for our business.
- Similarly, any personally identifiable information that we possess exists in logs that aren’t “maintained . . . in an accessible form.”
So, are third-party web and mobile trackers actually covered by the bill? Unclear.
A tracker’s obligations under AB 370 are also ambiguous. If a service is covered, it has to explain how it “responds to Web browser ‘do not track signals’ or other mechanisms” for consumer choice. What about Do Not Track implementations that aren’t in a conventional “Web browser,” such as Firefox OS? If a tracker offers a self-regulatory mechanism for consumer choice, does the “or” exempt it from describing its treatment of Do Not Track? Again, unclear.
In sum, trackers appear to have non-frivolous legal arguments that they fall outside CalOPPA and AB 370. And if they are covered, they have non-frivolous legal arguments that existing self-regulatory practices are enough.
Do Not Track Substance
Proponents of AB 370 emphasize that it is a Do Not Track transparency bill, not a substantive Do Not Track bill. That’s true in one sense: the bill doesn’t compel any business to support Do Not Track. It’s not true in another sense, though: the bill sneaks in a definition of Do Not Track.5
For over two years, privacy advocates and technology companies have haggled over how to define Do Not Track in the World Wide Web Consortium. (I recently resigned from the group owing to its stagnation.) AB 370 sidesteps those efforts and applies its own definition: a business is covered if it collects information about “online activities over time and across third-party . . . online services.” The definition is vague, to be sure, and would need clarification through policy statements, enforcement, and adjudication. But, crucially, the definition is a matter of California law. It does not depend on the W3C’s efforts.
AB 370 reflects political savvy by the Attorney General and her team. The bill advances Do Not Track in a way that is difficult to oppose—who’s against transparency?—and it lays a foundation for future CalOPPA and Do Not Track initiatives. Moreover, though the bill’s drafting opens it to interpretive challenges, the AG is well-positioned to respond: She would be seeking a legislative quick fix to restore the law’s intent, not an unprecedented foray into contested Do Not Track territory.
A close reading of AB 370 may also explain the tame industry resistance. Remarkably, legislative reports reflect limited formal opposition. If trade groups and leading companies believe they can effectively nullify the bill’s impact in the courts, they have less reason to expend political capital on obstruction in the legislature. If this view is accurate, it reflects a strategic forecasting disconnect between the Attorney General and commercial stakeholders.
Enough about motives and strategy. This much is certain: If AB 370 becomes law, stay tuned for future tussles over what the legislation means and how it might be revised or expanded. Do Not Track in California is just getting started.
This bill is sponsored by the California Attorney General’s Office. I previously collaborated with Cal DOJ on online privacy issues, but not this particular bill.
I am not a lawyer. This is not legal advice.
1. There has been one substantial controversy about CalOPPA’s coverage formula. In February 2012, Attorney General Harris announced that she interprets “online service” to encompass mobile apps. The major mobile platforms acquiesced, and the interpretation has not been challenged in court.
2. AB 370 also adds a second disclosure to the contents CalOPPA requires in a privacy policy. An operator must:

“Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”
This mandate does not, however, require identifying particular practices or third parties. The likely effect will be boilerplate notices of limited utility, to the effect of: “Some third parties may track our users.” The provision may also be open to a CDA 230 preemption argument.
3. This post focuses on statutory interpretation challenges to AB 370. The bill may be vulnerable to other attacks, such as federal statutory preemption or unconstitutionality. According to legislative reports, critics of AB 370 have emphasized narrow statutory interpretation in their discussion of the bill.
4. CalOPPA’s definition of “personally identifiable information” lists specific categories and then ends with a catch-all, subsection (a)(6):

“Any other identifier that permits the physical or online contacting of a specific individual.”
A Senate Judiciary report suggests that this provision is broad enough to encompass tracking. (Strangely, the discussion appears to conflate the scope of “personally identifiable information” with the scope of “collection.”)
“[Critics] offer an interpretation of the definition of ‘personally identifiable information’ that only includes information actively or knowingly provided by a Web user, which, by implication, would not include the passive collection of information via online tracking addressed in this bill. Such an interpretation of existing law needlessly restricts the definition of ‘personally identifiable information’ to the active (and by implication voluntary or consensual) transmission of information, overlooking the fact that subsection (a)(6) of the definition sweeps in ‘[a]ny other identifier that permits the physical or online contacting of a specific individual,’ including information passively collected from an individual.”
The Attorney General also indicates in a mobile privacy report that “personally identifiable information” includes unique identifiers used in tracking.