Cookie Regulation not just a European Issue: Regulator Issues Guidance on California's Online Privacy Protection and its Recent Do Not Track Amendments
California’s Attorney General issued much-awaited guidance following recent Do Not Track amendments to the California Online Privacy Protection Act of 2003 (“CalOPPA”). The December 2013 amendments require website operators that track consumers over time and across third-party sites through cookies, web beacons and other tracking technologies to disclose whether they respond to browser Do Not Track signals and whether they allow third parties to collect personally identifiable information on their websites. Alternatively, these website operators may direct consumers to programs that offer consumers choices regarding tracking. The guidance, issued in a report called “Making Your Privacy Practices Public” (the “Report”), was intended to clarify these new requirements and provide practical recommendations for complying. It also sets forth guidance with respect to CalOPPA’s general requirements for privacy notices and California’s requirements with respect to data sharing with third parties.
Perhaps the key statement coming out of the Report is the confirmation that the California Attorney General does not consider that there is any legal requirement for sites to honor Do Not Track signals; rather, the obligation is one of notice and transparency about how the site responds to such signals. It also makes clear that website operators have the option of either disclosing their Do Not Track policy or referring to an opt-out program that provides consumers choice about how they are tracked online.
Despite its general clarity and comprehensiveness, the Report does not answer some of the more difficult questions arising under CalOPPA, including: (i) what are the “other mechanisms,” beyond browser Do Not Track signals, for which the site operators must provide a description of their response in their privacy policies, (ii) whether sites will be provided with grace periods to manage any changes that the browsers make in the configuration of Do Not Track mechanisms beyond the law’s 30-day notice period, and (iii) whether there are any safe harbors that website operators can adopt to confirm that they are complying with their legal obligations under CalOPPA.
The Report also includes some elements that would go well beyond the requirements of the law at this stage and may be difficult to implement, including recommendations to provide links to the privacy policies of third parties with whom the website shared personally identifiable information, and obligations to specify the retention period for each type or category of personally identifiable information collected.
In addition, the Report’s executive summary highlights the following recommendations for website privacy notices in general:
· Readability:
  • Use plain, straightforward language. Avoid technical or legal jargon.
  • Use a format that makes the policy readable, such as a layered format.
· Online Tracking/Do Not Track:
  • Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example: “How We Respond to Do Not Track Signals,” “Online Tracking” or “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or to other such mechanisms. This is more transparent than linking to a “choice program.”
  • State whether other parties are or may be collecting personally identifiable information of consumers while they are on your site or service.
· Data Use and Sharing:
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.
  • Whenever possible, provide a link to the privacy policies of third parties with whom you share personally identifiable information.
· Individual Choice and Access:
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
· Accountability:
  • Tell your customers whom they can contact with questions or concerns about your privacy policies and practices.
Taking these different points together, from a policy trend perspective, the Report confirms that we are entering a brave new era of privacy regulation in the United States that adds a layer of granularity to the required disclosures for website and mobile app operators. This demonstrates some convergence with the European Union Cookie Directive despite important differences, such as the European Union’s heavier regulatory burden of user consent, whereas California presents a notice/transparency requirement. Given the borderless nature of the internet, these global regulatory developments are going to require all website and mobile app operators to maintain a much greater degree of control over the first- and third-party cookies and tracking features on their websites.