• by Wendy Davis , Staff Writer @wendyndavis, September 30, 2013

A new California law could ratchet up the pressure on Web companies to rethink their approach to do-not-track requests.

The measure, AB 370, was passed unanimously last month and signed into law late last week.  The bill amends a 10-year-old California privacy law by requiring some Web companies to state how they respond to do-not-track requests, including ones sent by browser-based headers.

Every major browser developer now offers do-not-track headers, which theoretically enable consumers to say they don't want to be trailed around the Web by ad companies; those companies use information about the sites people visit in order to determine which ads to send them.

But very few companies are honoring the signals. Instead, the ad industry generally says that consumers who don't want to receive targeted ads should opt out through a link, such as the one available at AboutAds.info. The industry also says it's waiting for the standards group World Wide Web Consortium to decide how to interpret the signals; that group has spent the last two years debating the issue.

Given the fact that so many companies ignore do-not-track signals, this law could pose a public relations problem for many industry players. After all, few companies are going to want to explicitly state in their privacy policies that they disregard consumers' requests for privacy.

But the version of the law that was enacted in California has significant wiggle room. That's because the law appears to apply only to Web companies that collect “personally identifiable information” -- defined as names, addresses, email addresses, phone numbers, social security numbers, or “any other identifier that permits the physical or online contacting of a specific individual.”

An earlier version of the bill would have also defined personally identifiable information as unique identifiers -- like cookies. But that language was taken out of the final version of the law.

The new privacy law also requires publishers to disclose whether third parties collect personally identifiable data from the publishers' sites. Complying with that portion of the law could present a big challenge to some publishers, given that many appear to be unaware of all of the various intermediaries that collect data on behalf of ad networks and advertisers.

Attorney Gary Kibel, a partner at Davis & Gilbert, tells MediaPost that many publishers will now need to reach out to the ad networks and other companies in order to figure out exactly what data those companies are collecting. “Without a doubt, that's a big challenge,” he says. But, he adds, publishers really should have a handle on this kind of information. “It's not the worst thing in the world to say to a publisher, 'You must know what's happening on your site,'” he says.