On May 21, 2014, the California Attorney General, Kamala D. Harris, issued her long-awaited guidance for complying with the California Online Privacy Protection Act (“CalOPPA”). “Making Your Privacy Practices Public,” which can be found here, provides specific recommendations on how businesses can meet CalOPPA’s requirement to post, and then actually comply with, a privacy policy of their own drafting.

As we have written about in the past, CalOPPA is the California privacy statute that requires any company that collects personally identifiable information from a California resident online, whether via a commercial website or a mobile application, to post and comply with a privacy policy that meets the statute’s content requirements. More recently, CalOPPA was amended to require privacy policies to disclose how the website operator responds to Do Not Track signals or similar mechanisms. The amendment also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

The attorney general’s recommendations likely reflect what her office will treat as the minimum for a valid privacy policy under CalOPPA. The recommendations are summarized below (by focus area):

  • Explain the SCOPE of Policy
    • Explain whether the privacy policy covers just online data collection and use, or both online and offline
    • Clearly indicate which entities, such as subsidiaries or affiliates, the privacy policy covers
  • Make the Policy AVAILABLE
    • Make the policy conspicuously available:
      • For a website, use a conspicuous link on the homepage containing the word “privacy”; put the “privacy” link on every web page that collects personal information; format the policy so it can be printed as a separate document
      • For a mobile application, post or link the policy on the application’s platform (app store) page so users can review it prior to download; and include a link to the policy from within the mobile application
  • Make the Policy READABLE
    • Use plain, straightforward language. Avoid technical or legal jargon. Use graphics and icons, where appropriate.
    • Consider providing your policy in languages other than English
    • Use a format that makes the policy readable, such as a layered format
      • One favored format is to supplement a lengthy, comprehensive privacy policy with simpler, shorter privacy notices to alert consumers of potentially unexpected data practices (i.e., contextual privacy notices)
  • Disclose your DATA COLLECTION
    • Describe how you collect PII on users or visitors – (a) using which technologies (e.g., cookies, web beacons); and (b) from any other sources
  • Disclose your ONLINE TRACKING / DO NOT TRACK (“DNT”) Response
    • Clearly label for the consumer your policy regarding online tracking, e.g., “How We Respond to Do Not Track Signals” or “California Do Not Track Disclosures”
    • Describe how you respond to a Do Not Track signal within your privacy policy, and not by providing a link to another website, e.g.:
      • Do you treat consumers whose browsers send a DNT signal differently from those without one?
      • After the DNT signal, do you still collect a consumer’s PII over time or across third-party websites?
        • If so, what are the uses of the consumer’s PII?
    • If you decide not to describe your response to a DNT signal or another mechanism:
      • Provide a clear and conspicuous link to a program that offers consumers a choice about online tracking
      • Identify the program with a brief, general description of what it is
      • Acknowledge that you comply with the program
      • Make sure that the linked page contains a clear statement about the program’s effects on the consumer, i.e., whether participation results in stopping the collection of PII across websites or online services over time
      • Make sure that the linked page makes clear what the consumer must do to exercise the choice offered by the program
    • Disclose whether third parties are or may be collecting the PII of consumers while they are on your site or service
      • Consider whether only approved third parties are collecting PII on your site
      • Consider how you would verify that authorized third parties are not bringing unauthorized parties to your site
      • Can you ensure that authorized third-party trackers comply with your DNT policy?
  • Disclose your DATA USE and DATA SHARING
    • Describe – (a) what PII you collect from users; (b) how you use it; and (c) how long you retain that information
      • List the categories of personal information collected from users and visitors, and the retention period for each category
      • List the categories of companies with which you share customer personal information
    • Explain any uses of PII not related to fulfilling a customer transaction, or other basic function of an online service
    • If possible, provide a link to the privacy policies of third parties with whom you share PII
  • Allow for INDIVIDUAL CHOICE and ACCESS
    • Describe the consumer’s choices related to the collection, use, and sharing of his or her personal information
      • Abide by the consumer’s choices and ensure that they are always honored
      • Implement the choices within a reasonable time period
    • Consider offering your customers the opportunity to review and correct personal information. If you do so:
      • Explain how one can review the information
      • Properly verify identity and authenticate any access to the information
      • Control and document customer changes or corrections to personal information through audit logs or transaction histories
  • Describe your SECURITY SAFEGUARDS
    • Include a general description of security measures used to safeguard PII (held by you and/or third parties)
  • Include EFFECTIVE DATE
    • Ensure that the privacy policy is applied uniformly throughout the organization
    • Explain how you will notify customers about material changes to your privacy policy
    • Do not use changes to the privacy policy on your website as the exclusive means of notifying customers of material changes in your uses or sharing of personal information
  • Allow for ACCOUNTABILITY
    • Provide contact information for questions or concerns about your privacy policies and practices. At minimum, include a title and email or postal address of company official who will respond to privacy questions/concerns. Consider offering a toll-free number.
    • Train customer service telephone staff to respond to inquiries about privacy
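The Do Not Track and third-party tracking items above presuppose that the site actually does something with the signal a browser sends, and that it can tell which third-party trackers it loads. The following is an added illustration, not code from the attorney general’s guide or from this post: a server-side decision routine that reads the browser’s `DNT` request header (`1` = the user opts out of tracking, `0` = the user consents, absent or malformed = no preference) and, when the user has opted out, suppresses both the first-party tracking cookie and all third-party tags. When there is no opt-out, it loads only tags on a hypothetical allowlist (`APPROVED_TRACKERS`, with made-up hostnames), which is one way to answer the guide’s question about whether only approved third parties are collecting PII on your site. The request headers and tag lists below are constructed sample input.

```python
"""Honoring a browser's Do Not Track (DNT) signal server-side.

Added example; the allowlist, hostnames and header dictionaries are
hypothetical. Header names are matched case-insensitively because
HTTP header field names are case-insensitive.
"""
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional, Tuple

# Hypothetical allowlist of third-party tracker hosts the site has vetted.
# Anything not on this list is never loaded, regardless of DNT status.
APPROVED_TRACKERS = frozenset({
    "analytics.example-vendor.com",
    "ads.example-network.net",
})


@dataclass(frozen=True)
class TrackingDecision:
    """What the response will do, so the privacy policy text can match it."""
    dnt_signal: Optional[str]          # "0", "1", or None (absent/malformed)
    set_tracking_cookie: bool          # first-party behavioral cookie allowed?
    third_party_tags: Tuple[str, ...]  # tracker hosts that will be loaded


def parse_dnt(headers: Mapping[str, str]) -> Optional[str]:
    """Return the DNT value ("0" or "1") or None if absent or malformed.

    A malformed value is treated as "no preference expressed" rather than
    as an opt-out, so the policy text should say exactly that.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            return value if value in ("0", "1") else None
    return None


def decide_tracking(headers: Mapping[str, str],
                    requested_tags: Iterable[str]) -> TrackingDecision:
    """Decide cookie and third-party-tag behavior for one request.

    DNT: 1  -> no tracking cookie, no third-party tags at all.
    otherwise -> tracking cookie permitted; only allowlisted tags are loaded,
                 and unapproved tags are dropped (this is the check the guide
                 asks you to consider for "authorized third parties").
    """
    dnt = parse_dnt(headers)
    if dnt == "1":
        return TrackingDecision(dnt, False, ())
    # Normalize hostnames and keep only approved trackers, preserving order
    # and de-duplicating so a tag is not loaded twice.
    allowed = []
    for host in requested_tags:
        host = host.strip().lower()
        if host in APPROVED_TRACKERS and host not in allowed:
            allowed.append(host)
    return TrackingDecision(dnt, True, tuple(allowed))


def unapproved_tags(requested_tags: Iterable[str]) -> Tuple[str, ...]:
    """List tags a page tried to load that are NOT on the allowlist.

    Useful as a periodic audit of what authorized vendors are bringing to
    the site, independent of any one visitor's DNT setting.
    """
    return tuple(sorted({h.strip().lower() for h in requested_tags}
                        - APPROVED_TRACKERS))


if __name__ == "__main__":
    # Constructed sample requests.
    opted_out = {"Host": "www.example.com", "DNT": "1"}
    no_pref = {"Host": "www.example.com"}
    page_tags = ["analytics.example-vendor.com", "rogue.example.org"]
    print(decide_tracking(opted_out, page_tags))
    print(decide_tracking(no_pref, page_tags))
    print("unapproved:", unapproved_tags(page_tags))
```

Whatever the policy text says under “How We Respond to Do Not Track Signals” should describe this routine’s actual behavior: here, an opt-out stops both the first-party tracking cookie and every third-party tag, a malformed header is ignored, and unapproved trackers are dropped even for users who have not opted out. The `unapproved_tags` audit is what you would run over real page tag inventories to answer the guide’s question about authorized third parties bringing unauthorized ones onto the site.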

In releasing these guidelines, Attorney General Kamala Harris continues to be a highly aggressive figure in the area of online privacy. Her office has made it a top priority to ensure that these online privacy laws are enforced, and it has already shown its commitment to enforcing CalOPPA in its lawsuit against Delta Air Lines for violation of this statute.

While some of these guidelines may be aspirational, the issuance of this advice is a good reminder to review your privacy policy against all relevant law and best-practice standards, and to confirm that what the policy says matches what your site and applications actually do.