Complying With New Privacy Laws on Your Company’s Website
California’s new online privacy laws, which went into effect on January 1, 2014, are affecting companies and organizations far away from “the Golden State.”
Basically, if your company has a website, then these changes affect you.
Known as AB-370, this “Do Not Track” law applies to websites and companies outside of California because it covers the use of websites by citizens of that state. So if someone from California is using your site, then you need to comply with AB-370.
What I Have Learned About AB-370
Since this law was brought to my attention, I have read quite a bit about it and a few things have become clear to me. First off, there is still a lot of uncertainty about this privacy law and how exactly websites are supposed to comply with it. Most of the articles I found on the subject explained the law and the reasons behind it, but very few gave any real insight into what we need to do on our own sites to be compliant with these changes (I will offer my suggestions later in this article).
The second thing I learned during my research is that, while California may be leading the way with these online privacy laws, other states will surely follow. Whether you have visitors from California or not, this isn’t something you can ignore. No matter where you are, changes to online privacy law will affect you sooner or later.
What Is “Do Not Track”?
Do Not Track allows users, through their web browser, to let websites know that they do not wish to be “tracked” by that site. The request is intended to prevent targeted content, including advertisements, from being sent to that user based on the information gathered.
The funny thing here is that this new law does not actually require websites to honor this “Do Not Track” request – no law exists that requires sites to follow this protocol. All this new law does is require websites to clearly state how they handle Do Not Track signals. If your site ignores them, and it is safe to say that the vast majority of sites do ignore these signals since they are fairly new, then all you have to do is make this clear in your website’s Privacy Statement and you are compliant with AB-370.
If you do respond to Do Not Track signals, you need to provide information on how you do so.
What About Google Analytics?
If your website is gathering information about how visitors interact with your site, then you are likely using Google Analytics to do so. So how does this industry-standard tool factor into these new privacy laws? As far as I can tell, it doesn’t.
AB-370 is concerned with “personally identifiable information”. I read this as information that would allow a user to be contacted either online or offline – basically through an email address, phone number, or mailing address. Google Analytics gathers none of these items. As Google states in their Adapted Privacy Impact Assessment, “Google Analytics collects information anonymously. It reports website trends without identifying individual visitors.”
While I could not find anything that clearly stated that this service complies with AB-370, the information I could find has me convinced that, on its own, Google Analytics does not gather the type of information that AB-370 is focused on.
Here’s What You Should Do Now
I Am Not a Lawyer
A quick disclaimer – I am not a lawyer, nor do I play one on TV. The suggestions in this article are my interpretation of the changes in privacy law. If your website is gathering information using tools other than Google Analytics or online forms willingly completed by visitors, or if you have deeper concerns about the privacy practices at your company, then I suggest you speak with your lawyer.
The following article was very helpful during my research of AB-370. I provide this link for readers who may want to dive a little deeper into this information.