The fog is starting to lift for website operators who have been navigating under murky rules for months. California’s Office of the Attorney General recently published recommendations for meaningful online privacy policy statements, reflecting legislation passed in 2013 regarding “do not track” (DNT) signals. The overriding message for operators is to use clearand simple policies. However, as our firm recently reported, specifications for a uniform DNT Web browser mechanism have yet to surface.

Below is a summary of California’s online privacy policy guidance.

BE CLEAR

With respect to DNT signals:

  • Describe how you respond to DNT signals, and make sure this description matches your practices.
  • Explain how you treat visitors differently, if at all, upon receipt of DNT signals.
  • As an alternative, you can provide a link to a consumer choice program with which you comply.

With respect to other matters:

  • Describe the types of personally identifiable information (PII) you collect from visitors and how you obtain it.
  • Explain how you use and share PII.
  • State whether and for how long you retain PII.
  • Explain how third parties may collect PII on your website and whether you impose any restrictions or obligations on such parties.
  • Provide a general description of your security measures.
  • State the effective date of your policy, and explain how you will notify visitors of significant changes to the policy. According to the recommendations, you should do more than merely changing the policy on your website.
  • Describe the choices that visitors have regarding their information.
  • Provide contact information for any questions or concerns.

KEEP IT SIMPLE

  • Use a header so visitors can easily find the section discussing your response to DNT signals.
  • Use plain language.
  • Make the policy easy to follow and understand.

California has provided helpful guidance, but the final destination has not yet come into view. At this nascent leg of the online privacy voyage, companies should consider wording their privacy policies in a manner that complies with the California legislation but that still remains flexible during the process of finalizing DNT specifications and standards.