Do Not Track California Privacy Law Changes Effective Today
iubenda.com
Am I the only one who thinks "Do-Not-Track" is snake-oil-grade security and what this header reliably does is only adding a single extra bit to uniquely identify the visitor?
I tend to agree.
Some marketers just have really weird ideas about what they should be allowed to do. Or even what I should be allowed to stop them doing.
Spam is obviously evil to most people, until they decide to spam for their particular product.
SEO has had some strongly negative effects on the www. I'm sort of thinking of starting a movement like "contrast revolution" or "viewable in any browser". My banners would be "zero SEO performed here".
shrug
I think the primary tactic for white-hat SEO these days is, "Create good content people want to read." Hard to get too upset about that.
I think most ad/marketing companies are perfectly willing to stop tracking people who specifically request not to be tracked -- provided there aren't too many people making that request. Witness the opt-out cookies (http://www.aboutads.info/choices/) which are a kludgey hack, but have been supported by the industry for ages and, as far as I know, work as described.
The issue is whether or not that DNT box is checked by default. As we all know, most people don't change default settings.
Basically, commercial online services (which includes mobile apps) need to add a sentence/paragraph about how they are handling the Do Not Track header requests. This is a California OPPA amendment starting today.
We/iubenda is giving away a special discount to those affected in California, which most of you may be.
Honest question: How does one send a Do Not Track header request to a mobile app? One does not interact with a mobile app via HTTP (although the app may use HTTP internally) and can therefore not send HTTP headers...
Or is it, in your opinion, a law written by someone who does not have sufficient technical understanding to find the correct wording, and now the law erroneously applies to mobile apps?
I'm wondering about how 'club card' tracking is affected by this. If I use a club card at the hardware store, and it has a corresponding website that allows me to manage the card's account, is the tracking law going to apply to purchases I do in store as well?
So practically speaking, this California law will have a national effect.
Since it is near impossible to determine if a visitor is a California resident or not, sites/apps will just implement the necessary notices and features to comply with DNT for everyone.
California has ~12% of the US population and a slightly larger share of the national economy. Its laws have long had national effects. In fact, as the 12th largest economy in the world, I think you could safely say its laws have international effects.
I would think that this law has no enforcement outside of California for websites that are outside of California. As a non-California resident operating a website not in California, I am not subject to California law. This is the same basis used for not collecting out-of-state sales tax.
I didn't mean the DNT law will be enforced nationally. I meant the effect will be national since a site will just implement the necessary changes once for all its visitors.
Think again. If you serve customers in California, you can most certainly have to deal with California law: http://en.wikipedia.org/wiki/Minimum_contacts
Is a CA visitor to my non-CA website considered a "customer"?
Insofar as you offer some kind of commercial service (I don't know what your website is about), sure. The idea of minimum contacts is to give the public a way of seeking legal redress within their own state; otherwise all firms would set up in some business-friendly state like Delaware and the only way to sue them would be in Delaware court.
Of course, this is potentially very expensive, since you could have to deal with up to 51 legal regimes (50 states + federal court, if we omit places like Puerto Rico and so on). That's why firms often aim for compliance with the strictest regulatory regime in widespread use, so as to minimize the legal risks. As pointed out elsewhere in the thread, this is why the CA template is likely to eventually become law in other states. Hence the phrase 'as California goes, so goes the nation' - CA policy often ends up as national policy 20-30 years down the line.
I believe that if a user is in California, they will be able to bring a civil suit under California law against you/your company.
Now we just need a law to require use of the Evil bit in packets. I'm sure it will be as equally effective as the Do Not Track header.
Does this apply even if you do not have a physical presence in California?
It applies, but California has effectively zero enforcement capability if you're operating out of, say, Rhode Island.
The only outside scenario is if you get really large, and become a juicy target for the state to go after (and/or, e.g., you're large and doing something particularly aggressive in violation). The state simply could never afford the massive enforcement costs to go after every web site owner on earth external to California, so they'll obviously only target the big prizes.
Yes, the law applies to any "operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service."
http://leginfo.legislature.ca.gov/faces/codes_displaySection...
(That website hasn't been updated yet to reflect the changes made by this new law.)
The underlying logic is the following: "An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site". Basically what states/legislations are doing is protecting their citizens, therefore reversing that logic. So in theory I'd say yes.
I'm not too familiar with the extent of California's "long arm" with respect to websites, but CA tends to take the position that most any contact with the state gives CA jurisdiction (I'm probably a bit broad here). So, a website that collects info from CA residents could be seen as conducting business in the state and would be subject to this law. Physical presence is usually not a requirement.
Does anyone have an example of text that should be added?
I've suggested in the post that something along the lines of "we do not react to Do Not Track signals" may be a start. It's hard to tell what will be a standard down the road. If you do honor those signals though, a more thorough description will be in order.
Also note that (6) sets out slightly stricter standards regarding disclosure:
(6) Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.
If you support it: "We support the Do Not Track browser setting. Do Not Track (or DNT) is a preference you can set in your browser to let the websites you visit know that you do not want them collecting certain information about you."
Wow I didn't know the law even talks about Do-Not-Track. It's a distraction posing as a solution. The time spent talking about Do-Not-Track could be spent on useful things such as contributing to torbrowser.
Hm I think most would agree with a statement like this. On the other hand I think it's important for privacy laws to be in place. We all know how regulations are lagging years behind, so theoretically, this is just the beginning.
In the meantime it's important to comply with it with the simplest means possible imo. That's what we're trying to help with.
It's even more important to not introduce privacy laws that are misleading and give a false sense of security, thus averting the public from the core problem.
If you can be tracked you will be tracked, eventually but almost inevitably. The law could be used to provide some remedy for damages caused by tracking, but it should be introduced only after the core problem with tracking (browsers willingly tag users for indefinite time with invisible tokens, in a quite stealthy manner) is solved.
Hard to argue with that @drdaeman. Let's say in an ideal world I'd agree with every last thing you said. Again, it sure isn't perfect, it may be a start. Worse than no developments at all? We're doing our job at iubenda to help developers/website operators to keep up with the developments that are out there right now.