With respect to individual choice and access, the guidelines recommend that operators provide a clear description of the choices a consumer has regarding the collection, use and sharing of his or her personal information, and how they can exercise those choices. Operators are urged to offer users the opportunity to access, review and correct their personal information. When doing so, operators should properly authenticate any access right by verifying the user's identity before providing this sensitive personal information.
With respect to data use and sharing, operators are encouraged to explain to consumers (i) the use of personally identifiable information, (ii) practices regarding sharing of personally identifiable information, (ii) the link to the privacy policies of third parties with whom information is shared, and (iv) the retention period for each type or category of personally identifiable information that is collected. At a minimum, the guidelines recommend that the operator list the different types or categories of companies with which the operator shares the customer's personal information.
Although the California guidelines do not bind operators or developers, the guidelines provide important insight on the concerns of the regulators and how to comply with the state's broad-reaching do-not-track legislation. We recommend that website, online service and mobile app operators review their data collection practices and online or mobile privacy policies to ensure that they comply with the guidelines as set forth by the California Attorney General. Companies should also take these guidelines into consideration in the future, when developing and rolling out additional online products that include online tracking software.