On September 27, California Governor Jerry Brown signed a new privacy law that has significant repercussions for nearly every business in the United States that operates a commercial website or online service and collects “personally identifiable information” (which means, under the law, “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name; (2) A home or other physical address, including street name and name of a city or town; (3) An e-mail address; (4) A telephone number; (5) A social security number; or (6) Any other identifier that permits the physical or online contacting of a specific individual.”)  The new law goes into effect on January 1, 2014.

Under California’s existing Online Privacy Protection Act, a Web site or online service that collects PII about California residents already has the obligation to post a privacy policy, identify its effective date and describe how users are notified about changes to the policy, as well as identify the categories of PII that are collected and with whom such PII is shared.

Now, the new law—which passed both houses of the California Legislature unanimously —requires that all such Web sites must disclose how they “respond to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party Web sites or online services”, if such information is collected. The new law prescribes that operators can comply with this disclosure requirement by “providing a clear and conspicuous hyperlink” contained in the privacy policy that links to a description “of any protocol the operator follows that offers the consumer” the choice to opt-out of internet tracking.

The legislative analysis of the law reveals that its purpose is to “increase consumer awareness of the practice of online tracking by websites and online services, such as mobile apps [and] will allow consumers to learn from a website’s privacy policy whether or not that website honors a Do Not Track signal [which] will allow the consumer to make an informed decision about their use of the website or service.”

The analysis noted the rapid rise in online tracking of users’ web-surfing behavior as well as the California Attorney General’s observation that although “all the major browser companies have offered Do Not Track browser headers” that, if selected, can “signal to websites an individual’s choice not to be tracked, [t]here is, however, no legal requirement for sites to honor the headers.” Thus, because Web sites have been free to disregard such Do Not Track selections by consumers, they would not know whether or not their selection is honored unless the Web site provides them with such notice. The new law will mandate providing users with the requisite notice.

In addition to the above “do not track” notice obligations, the law also requires website and online service operators “to disclose whether other parties” collect PII regarding a consumer’s “online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”

In light of the new obligations, it is imperative that any organization that collects PII concerning California residents (whether or not that organization is based in California) assess its current Web site privacy policies to ensure that they are compliant with California’s new laws requiring additional disclosures.