However, it seems a stretch that a business headquartered in, for example, New Jersey, with customers in New York, Pennsylvania, and Connecticut, would have enough contacts to be subject to California law, especially if California tries to enforce a fine against that company. But the assistant attorney general’s statement tends to disagree with this legal theory.
Ultimately, though, this is an argument about economics. California is a gigantic economy, and many companies want to have customers in California. California, like many other governments, also needs money, and money from fines helps to offset any deficits.
What does California say about collecting data and privacy policies? Let’s take a quick look at some policies that differ from other jurisdictions.
Under California’s “Shine the Light” law, California residents who provide personal information in obtaining products or services for personal, family, or household use are entitled to request and obtain, once a calendar year, from the business that operates the website, information about the customer information it shared, if any, with other businesses for their own direct marketing uses. If applicable, this information would include the categories of customer information and the names and addresses of those businesses with which the business that operates the website has shared customer information for the immediately prior calendar year (e.g., requests made in 2013 will receive information regarding 2012 sharing activities).
There are also new requirements as of January 1, 2014.
- California law does not require companies to respond to do-not-track signals; it only requires them to disclose what their response is, and what that response looks like if they are in fact honoring the do-not-track request. Here it is in a nutshell:
  - If your website does not react to do-not-track signals, then state that fact in your policy.
  - If your website does honor those requests, then you need to outline in more detail what exactly that means and how it affects users.
- An affected company must disclose to users whether third parties may collect personally identifiable information about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.