California Attorney General Kamala D. Harris has issued a lengthy guidance entitled “Making Your Privacy Practices Public” setting forth, among other things, recommendations about “do not track” practices and other website privacy issues for operators of commercial websites and online services such as mobile apps that collect personally identifiable information about Californians.

BACKGROUND

The California Online Privacy Protection Act (CalOPPA) was enacted in 2004 and amended last year specifically to address the issue of online tracking – the collection of personally identifiable information (PII) about consumers’ online activities over time and across third-party websites and online services. Among other things, CalOPPA requires privacy policies to be conspicuously posted and followed. Following the 2013 amendments to CalOPPA (click here to read a previous alert on the subject), website operators and online services also must inform consumers about how they respond to Do Not Track (DNT) signals and similar mechanisms. Given the lack of any standards around DNT, this has created much confusion over what must be disclosed in a compliant privacy policy. The new guidance focuses more on the process of making the disclosures than on the substance of those disclosures.

“DO NOT TRACK” RECOMMENDATIONS

In the new guidance, Attorney General Harris observes that, in her view, the practice of online tracking is “invisible” to consumers because consumers whose browsers send a DNT signal cannot easily determine how a site or service responds to the signal. To resolve that concern, the guidance advocates that operators provide a description of their online tracking practices and of the possible presence of other parties that may be tracking consumers by:

  • Clearly identifying the section of the privacy policy that describes their online tracking practices or how they respond to consumers’ DNT signals. The guidance recommends the use of a header such as “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
  • Describing in the privacy policy how the site or service responds to a browser’s DNT signal or to other such mechanisms. The guidance prefers a description of the site’s own policy over a bare link to a related “program or protocol,” because a description gives consumers greater transparency.
  • Providing a “clear and conspicuous” link in the privacy policy to a program or protocol that offers consumers a choice about online tracking, if the operator decides not to describe its response to a DNT signal or to another mechanism.
  • Disclosing the presence of other parties that collect personally identifiable information on the website or service, if any are present.

OTHER PRIVACY RECOMMENDATIONS

The guidance also contains a number of important privacy-related recommendations in addition to the DNT recommendations. In general, the guidance says, a general privacy policy should provide a “comprehensive overview” of a site’s practices regarding the collection, use, sharing, and protection of personally identifiable information. Toward that end, the guidance offers the recommendations below as suggestions to make a general privacy policy statement “more effective and meaningful than a policy that simply meets minimum legal requirements.”

  • Explain the scope of the privacy policy, such as whether it covers just online data collection and use practices or both online and offline practices, and clearly indicate what entities the privacy policy covers, such as subsidiaries or affiliates.
  • Make the policy recognizable by giving it a descriptive title. In the case of a website, for example, the guidance recommends a conspicuous link on the homepage containing the word “privacy.” It says that the link should be in larger type than the surrounding text, or in a contrasting color or marked with symbols that call attention to it. In addition, there should be a conspicuous “privacy” link on every webpage where personal information is collected, and the policy should be formatted so that it can be printed as a separate document. In the case of an online service such as a mobile application, the policy should be posted on, or linked to from, the application’s platform page so that users can review the policy before downloading the application.
  • Use plain, straightforward language; avoid technical or legal jargon; use short sentences; use the active voice; and use titles and headers to identify key parts of the policy. The guidance also suggests considering making the policy available in languages other than English and using a format that makes the policy readable, including on smaller screens.
  • With respect to data collection, the guidance suggests describing how PII is collected and what kinds of PII are collected about users and visitors. The guidance also suggests explaining how PII is used and shared.
  • Describe the choices a consumer has regarding the collection, use, and sharing of his or her personal information; consider offering customers the opportunity to review and correct their personal information; and, if that option is not available, explain how customers can get access to their own personal information.
  • Explain how customers’ personal information is protected from unauthorized or illegal access, modification, use, or destruction.
  • Provide a contact for customers with questions or concerns about privacy policies and practices.

THE BOTTOM LINE

California and the California Attorney General are influential in Do Not Track (DNT) and online privacy issues. While the new guidance is not new law, its recommendations should be carefully considered by online services. Regulators are increasingly focusing their energies on privacy and data security issues, so following their recommendations should only have a positive effect.