California and Delaware Pass Privacy Laws That Could Affect Website Owners in All States

James Chiodo, Certified Information Privacy Professional CIPP/US

The Internet’s $2,500 Traffic Ticket.

Is Your Website Privacy Policy and Disclosures Up-to-Date?

California passed law A.B. 370 that will require website owners, blog owners and online service operators to disclose how they respond to web browser “Do Not Track” signals. Companies that have not updated their privacy policy to comply with the change to the law must do so to prevent possible fines and legal action. This law became effective January 1st, 2014.

The current law requires that an owner of a commercial website, blog or online service that collects and stores personally identifiable information (PII) or any other identifier that allows the physical or communication with individual users living in California who visit or use its website, blog or online service, to post its privacy policy in a conspicuous spot on its site and to comply with that privacy policy.

The personally identifiable information includes but is not limited to a person’s name, email address, physical address, phone number or any other identifier that allows communication with an individual.

The New Law A.B. 370

As well as the above requirements, the new law will require online operators to do the following:

  • Disclose how they respond to Web browser “do not track” signals or other mechanisms that provide consumers the ability to exercise choice about the collection of personally identifiable information concerning an individual consumer’s online activities overtime and across third-party websites or online services, if the operator engages in that collection.
  • Disclose whether other parties may collect personally identifiable information about an individual consumer’s online activities overtime and across different websites when a consumer uses the operator’s website or service.
  • Require website owners, blog owners and online operators to disclose when they subscribe to companies that follow users’ actions across various websites, to provide targeted ads (e.g., Google’s Adsense Program, Facebook’s Advertising Program and many others.

What if I am Not in California?

The new California law has a very long arm. This law will apply to any website owner, blog owner and online operator who collect any of the above information, even if they are in ANOTHER STATE. This also applies to mobile devices, including mobile apps.

What if I Don’t Comply With the New Law?

If you do not comply with the California law with a properly drafted privacy policy and disclosure, the California Attorney General can take legal action against you including a fine up to $2,500 per violation.  Also, an individual in California can initiate a class-action lawsuit against you.

Should California decide to enforce the law in a broader sense, a simple IP address could be covered by the new law. Because of this, attorneys are recommending that most websites revise their privacy policies to comply with the law in its broadest sense rather than live with the doubt of uncertainty about whether they are compliant or not.


California is the first state in the United States to pass a do-not-track disclosure law that can potentially affect website owners, blog owners and mobile app providers in all states.

All website owners, blog owners and mobile app developers whose services can be used or accessed by California residents need to review and update their privacy statements to make sure they include the required legal disclosures to comply with the new California law that took effect January 1, 2014. Delaware passed a similar law that went into effect January 1st, 2016.

If you need an attorney-drafted privacy policy to help you keep compliant with California law and federal regulations Click Here 


New California & Nevada Privacy Laws Affect Website and Mobile App Owners ➞ Read More