This post was written by Lisa B. Kim, Joshua B. Marker and Katrina M. Kershner.

We previously noted that the California legislature had recently passed and sent to the governor’s desk a number of different data privacy bills this term. This past Friday, California Governor Jerry Brown signed into law one of those bills, AB 370 – legislation that imposes new disclosure requirements on commercial websites and online services that collect personally identifiable information (PII) on users. The legislation, the “Do Not Track” disclosure law, is the first law of its kind in the United States.

The California Online Privacy Protection Act (CalOPPA) had already required any website operator who collects personally identifiable information (PII), to conspicuously post its privacy policy, which must identify the categories of PII collected and the third parties with whom the operator shares the information. The California attorney general has made CalOPPA an enforcement priority. With the passage of AB370, CalOPPA now requires that these commercial websites and online services also disclose in their privacy policies (1) how the site responds to a “Do Not Track” (or similar) signal from a browser, and (2) whether any third party may collect PII over time and across websites when a consumer visits the operator’s site.

As explained in our previous blog, all the major browsers offer “Do Not Track” options, which signal to sites that the individuals do not want their behavior tracked. Honoring the “Do Not Track” signal by refraining from collecting information on the individual is voluntary. The new law does not change this, but it does now require disclosure of whether and to what extent the site honors the “Do Not Track” signal.

The impact of this legislation is significant and will require all companies operating websites or mobile apps that are used by California residents to reevaluate their privacy policies. The DNT bill, in particular, requires every company to have a thorough understanding of technical aspects of its websites, and the third parties it allows to operate on its site, so that it can properly disclose its data collection practices. Further, by forcing companies to affirmatively disclose additional specifics about their information practices, the risk of litigation for noncompliance with the privacy policy is like to increase.