Complying With New Privacy Laws on Your Company’s Website


Added on: 01.17.14, by Jeremy Girard

California’s new online privacy laws, which went into effect on January 1, 2014, are affecting companies and organizations far away from “the Golden State.” Basically, if your company has a website, then these changes affect you.

Known as AB-370, this “Do Not Track” law applies to websites and companies outside of California because it covers the use of websites by citizens of that state. So if someone from California is using your site, then AB-370 is something that you need to be compliant with.

What I Have Learned About AB-370

Since this law was brought to my attention, I have read quite a bit about it and a few things have become clear to me. First off, there is still a lot of uncertainty about this privacy law and how exactly websites are supposed to comply with it. Most of the articles I found on the subject explained the law and the reasons behind it, but very few gave any real insight into what we need to do on our own sites to be compliant with these changes (I will offer my suggestions later in this article).

The second thing I learned during my research is that, while California may be leading the way with these online privacy laws, other states will surely follow. Whether you have visitors from California or not, this isn’t something you can ignore. No matter where you are, changes to online privacy law will affect you sooner or later.

What Is “Do Not Track”?

Do Not Track allows users, through their web browser, to let websites know that they do not wish to be “tracked” by that site. It prevents targeted content, including advertisements, from being sent to that user based on the information gathered.

The funny thing here is that this new law does not actually require websites to honor this “Do Not Track” request – no law exists that requires sites to follow this protocol. All this new law does is require websites to clearly state how they handle Do Not Track signals. If your site ignores them, and it is safe to say that the vast majority of sites do ignore these signals since they are fairly new, then all you have to do is make this clear in your website’s Privacy Statement and you are compliant with AB-370.

If you do respond to Do Not Track signals, you need to provide information on how you do so.

What About Google Analytics?

If your website is gathering information about how visitors interact with your site, then you are likely using Google Analytics to do so. So how does this industry standard tool factor into these new privacy laws? As far as I can tell, it doesn’t.

AB-370 is concerned with “personally identifiable information”. I read this as information that would allow a user to be contacted either online or offline – basically through an email address, phone number, or mailing address. Google Analytics gathers none of these items. As Google states on their privacy page for this service, “Google Analytics collects information anonymously. It reports website trends without identifying individual visitors.”

While I could not find anything that clearly stated that this service complies with AB-370, the information I could find has me convinced that, on its own, Google Analytics does not gather the type of information that AB-370 is focused on.

Here’s What You Should Do Now

To become compliant with California's new privacy laws, you need to make some changes to your website’s Privacy Policy.

  1. As I mentioned earlier, stating on your site that you ignore Do Not Track signals is all you need to do to be compliant with AB-370. Assume this is the case and add this statement to your Privacy Policy. 
  2. If you are using Google Analytics, you should also state that in your Privacy Policy. Actually, this is part of the user agreement for having Google Analytics on your site, so it should be there anyway.
  3. While AB-370 doesn’t seem to contain any requirements about information that website visitors willingly give you, like when they fill out a form of some kind on your site, you should be transparent and address this in your Privacy Policy as well. If you collect information from visitors through web forms, state in your policy what happens to that information (is it emailed to someone, placed in a database, etc.) and what you do with it. While most visitors may assume that you are, indeed, gathering and storing that information to improve your website or to better market to your audience, it doesn’t hurt to be clear about your actions on your site to protect your business.
  4. Finally, if you have any questions about what is appropriate for your site's Privacy Policy, feel free to contact Envision and we will be happy to help you determine what the right solution is for your site.

To see an example of these suggestions in action, you can take a look at our own Privacy Policy to see how we have handled it on our site.

I Am Not a Lawyer

A quick disclaimer – I am not a lawyer, nor do I play one on TV. The suggestions in this article are my interpretation of the changes in privacy law. If your website is gathering information using tools other than Google Analytics or online forms willingly completed by visitors, or if you have deeper concerns about the privacy practices at your company, then I suggest you speak with your lawyer.

Additional Reading

The following articles were very helpful during my research of AB-370. I provide these links for readers who may want to dive a little deeper into this information.
