California Attorney General Kamala Harris issued guidance for companies seeking to comply with the state’s recently updated California Online Privacy Protection Act.

Last year, the state legislature amended CalOPPA to add two new requirements. As of January 1, 2014, Web site operators must disclose to consumers “how the operator responds to web browsers’ Do Not Track signals” and “whether other parties may collect personally identifiable information about an individual consumer’s online activities.”

Harris’s office released “Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy,” which she called “a tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.”

In a nutshell, companies should “craft privacy policy statements that address significant data collection and use practices, use plain language and are presented in a readable format,” according to the guide.

More specifically, the AG suggested that operators should “prominently label” the privacy policy’s section regarding online tracking, and should include headers such as “California Do Not Track Disclosures.” A description of how the site responds to a browser’s Do Not Track signal or similar mechanisms should be included in the privacy policy – and not via a link to another website.

Every privacy policy should describe what personally identifiable information is collected (or, at a minimum, the categories collected), how it is used, including whether it will be shared with third parties, if applicable, and how long it is retained. The AG also recommended that consumers be given a choice regarding the collection, use, and sharing of their personal information.

If third parties are collecting personally identifiable information, either definitely or even possibly, the privacy policy should say so, the guidance stated. Use of such information “beyond what is necessary for fulfilling a customer transaction or the basic functionality of the website or app” should also be explained.

As an overall recommendation, “plain, straightforward language that avoids legal jargon” should be used by companies in “a format that makes the policy readable.” A layered format, with the use of graphics or icons in lieu of text, was suggested. The effective date of the privacy policy should be provided with an explanation of how consumers will be notified about material changes. And “Tell your customers whom they can contact with questions or concerns about your privacy policies and practices,” the AG advised.

Why it matters: California continues to be a leader in enacting measures to protect consumers’ online privacy. An attorney in the AG’s office told The New York Times that the office was willing to review companies’ policies and work with them to ensure compliance. For those who fail to achieve compliance, the AG will send a letter offering a 30-day warning before the office considers litigation. Industry members praised the guidance, with the Digital Advertising Alliance noting that the group’s existing privacy framework “fully aligns” with the AG’s guide.