Do Not Track ImageThe use of tracking software by websites is widespread. Advertising companies and social networks use technology such as cookies to track the websites consumers visit and the route they take from one website to another. For instance, tracking technology can tell the difference between whether you got to a website through a Google search or by clicking on a hyperlink in a news article. Companies can then use this information to build a profile on individuals in order to target advertising on different websites that they visit. Advertising companies are then able to discriminate to different consumers based on the profiles the companies build. Additionally, advertising companies are able to make money by selling these valuable profiles to websites.

The use of this type of tracking software is, as probably expected, controversial. Privacy advocates believe this tracking to be an invasion into web users’ privacy and that the companies doing this tracking fail to adequately disclose the full extent to which this tracking is taking place. These advocates are also concerned with the extent of information tracked, which can include highly sensitive and personal data about health issues, location, and finances. On the other hand, advertisers and companies using the data love the technology because it allows companies to target consumers more accurately and allows advertisers to charge more for better data. This data can be particularly valuable for startups looking to increase the number of users and grow their web presence.

As a result of these concerns, privacy advocates have taken some steps to try and remedy these concerns. Software developers have designed software to try and prevent websites from tracking user activity across the web. The technology works by placing a signal on the users computer that tells websites the user does not want to be tracked. This signal is currently ineffective because there is no requirement that advertisers follow the signal. The World Wide Web Consortium (W3C), an organization that sets standards for the web, created a working group composed of privacy activists, advertisers and others, to try and develop a standard approach to “Do Not Track” signals. In September 2013, however, the effort ended in failure when the constituent parties could not agree on an approach and decided to disband.

Despite the failure of the W3C efforts, once again California leads the way in regulating and shaping regulation of online privacy, this time as it applies to “Do Not Track” signals. California has taken an assertive stance in developing regulations concerning online privacy by passing the Online Privacy Protection Act (CalOPPA) and establishing the Office of Privacy Protection as part the California Department of Justice. Given California’s large and tech-savvy population it is incredibly important for startups to keep apprised of and comply with California privacy regulations as they will almost certainly be operating in the state. In October 2013, Governor Jerry Brown signed into law an amendment to CalOPPA that regulates the use of Do Not Track signals by websites operating within the state. The new amendment is applicable to websites that collect “personally identifiable information” which includes things like name, address, email address, telephone number, or other identifiers that allow the website to contact the user and went into effect January 1, 2014. Rather than requiring that websites comply with Do Not Track signals, the law now requires that websites describe in their privacy policy how they react to “Do Not Track” signals, and indicate whether third parties can collect “personally identifiable information”, if they track user activity, in addition to the previous CalOPPA requirements. Websites may also meet the new requirement by posting a “clear and conspicuous hyperlink” to a description of any program that the website uses to manage online tracking and give the consumer the ability to opt-out. As a result, websites are not forced to cease tracking user activity, but simply requires a website to tell the user what they are doing. Websites who do not comply, are subject to a warning from the California Attorney General requiring the operator to comply within thirty-days and also faces the possibility of lawsuits from the state government and private parties.

The new law has come under fire from both sides of the online privacy debate. Some, such as Eric Goldman, a Professor at Santa Clara University School of Law, argue that the law hurts websites and consumers by imposing additional compliance costs on websites, not providing true disclosure because consumers rarely read privacy policies, and failing to cover all tracking technologies. Others, such as Chris Cronin, an information security professional, argue that the law falls short because it is weak and does not require websites to protect user privacy or comply with “Do Not Track” signals. Regardless, given California’s de facto ability to set national privacy standards and the fact that compliance with the new law is simple, it behooves startups to comply with the new recommendations by amending their privacy policies.