Earlier this week, California Attorney General (“AG”) Kamala Harris issued guidance to help companies comply with the recently-amended California Online Privacy Protection Act of 2003 (“CalOPPA”), Cal. Bus. & Prof. Code § 22575, including the law’s requirement that operators of commercial websites and online services (“operators”) disclose how they respond to “do not track” (or “DNT”) signals.
Background on CalOPPA
As we have written, CalOPPA requires operators to post their privacy policies conspicuously and to specify what information must be contained in those policies, including the categories of personally identifying information (“PII”) they collect and the third parties with whom they share that information. The amendment – which took effect on January 1, 2014 – further mandates that operators disclose how they respond to “do not track” signals or similar mechanisms that provide consumers choices regarding the collection of PII about their online activities over time and across third-party sites. In addition, operators’ privacy policies must now disclose whether any third parties can collect PII when a consumer uses the operator’s website or service. Notably, however, the law does not require operators to honor do-not-track requests or to prohibit third party tracking.
Through the release of a guidance document entitled Making Your Privacy Practices Public (the “Guidance”), the California AG seeks to encourage companies to create privacy policies that “address significant data collection and use practices, use plain language, and are presented in a readable format.” The Guidance recognizes that the recommendations contained therein may exceed the protection required by existing law, notes it is not promulgating new regulations and emphasizes that its goal is to encourage “best practices.”
The Guidance offers recommendations on several key topics:
- Online Tracking
- AG Harris advises companies to clearly identify the section of their privacy policies regarding online tracking using headers such as “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Although CalOPPA permits companies to describe how they respond to DNT signals by providing a “clear and conspicuous” link in their privacy policies to an online location describing the program or protocol they follow to offer the consumer that choice, the Guidance recommends that companies describe their response directly in their privacy policies.
- To comply with the requirement that they disclose the presence of other parties that collect PII on their site or service, operators should consider (i) whether only approved third parties are collecting PII; (ii) how they can verify that authorized third parties are not bringing unauthorized third parties to their site or service to collect PII; and (iii) whether they can ensure that authorized third-party trackers comply with the operator’s own DNT policy.
- Data Use & Sharing
- Operators should explain their uses of PII “beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.”
- The Guidance also provides that, “[w]henever possible,” operators should “provide a link to the privacy policies of third parties with whom they share” PII.
- Privacy policies should also specify the retention period for each type or category of PII collected.
- Individual Choice & Access
- Operators should describe consumers’ choices regarding the collection, use and sharing of his or her personal information, including by implementing their preferences within a reasonable period of time.
- The Guidance suggests that companies use “plain, straightforward language” and that they consider providing their policies in other languages.
- A user-friendly format, such as a layered format, should be used to make the policy readable.
- Security Safeguards
- Operators should also explain how they protect customers’ personal information from unauthorized or illegal access, modification, use or destruction by, inter alia, providing a general description of the measures they use to control the information security practices of the third parties with whom they share customer personal information.
As the Guidance notes, “the borderless world of online commerce extend[s] the impact of this law to other jurisdictions.” Because CalOPPA applies to any operator that collects PII “about individual consumers residing in California,” most online businesses should evaluate whether their privacy policies meet its requirements in order to avoid potential fines of up to $2,500 per violation.
Companies seeking to implement nationwide practices may find the Guidance particularly useful in light of the absence of a federal tracking law. Despite calls for greater transparency in data collection and use by the Federal Trade Commission and the White House and years of negotiations between internet companies and privacy advocates, no nationwide “do not track” tool exists.