The amendment to the California Online Privacy Protection Act (CalOPPA) that established the state’s “do not track” disclosure requirements became effective on January 1, 2014. It requires web site privacy policies to include certain do not track disclosures. However, because do not track is not a finalized standard, and it is unclear what even qualifies as a do not track signal under CalOPPA, compliance has been a challenge.
In an effort to resolve this uncertainty, the California Attorney General recently released a guide titled Making Your Privacy Practices Public (the Guide). The Guide provides long-awaited guidance on how to comply with the CalOPPA do not track requirements, among other recommendations. The following is a summary of some of the recommendations that go beyond what is actually required by CalOPPA.
Online Tracking and Do Not Track
- The do not track disclosure should describe whether the website treats consumers whose browsers send a do not track signal differently from those that do not. The disclosure should also describe whether the web site still tracks users, even if it receives a do not track signal and, if so, how that information is then used.
Data Collection, Use and Sharing
- If a web site collects any personal information from children under the age of 13, the Guide cautions that the Children’s Online Privacy Protection Act (COPPA) has additional obligations for the web site operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.
Individual Choice and Access
- In addition, if an individual requests to review or correct his or her personal information, then the web site operator should first ensure that the individual’s identity is properly verified and any access rights are authenticated.
While much of the Guide is voluntary, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.