The California Attorney General's Office recently issued a set of guidelines, titled "Making Your Privacy Practices Public" ("Guidelines"), designed to help companies develop "meaningful" privacy policies that provide transparency, accountability, and choice for online users. The Guidelines build on prior publications by the California Attorney General and consolidate and update existing recommendations. The Guidelines also specifically add new recommendations concerning adoption of so-called "Do Not Track" or "DNT" mechanisms.  

When California enacted the California Online Privacy Protection Act ("CalOPPA") in 2004, it was the first state in the United States to require providers of websites and online services used by California residents to conspicuously post privacy policies. Such providers are required to detail the personally identifiable information ("PII") they collect, the categories of third parties with whom they share such PII, and the process the consumer can use to review and make changes to stored PII, as well as to ensure that their privacy policies include effective dates and descriptions of subsequent changes. Importantly, although the introduction to the Guidelines acknowledges that they advocate greater privacy protection than required by existing law (e.g., CalOPPA), the recommendations may eventually become enforceable obligations, because any published privacy policy will be enforceable against the company, for example on consumer protection grounds.

Accordingly, it is important for companies to consider the recommendations, as well as existing law, when developing or revising privacy policies applicable to websites and online services used by California residents. The Guidelines, like CalOPPA, apply to all operators of commercial websites and online services that collect PII about Californians, regardless of where those operators are located (i.e., even if outside the United States). 

Familiar Advice

Through the Guidelines, the California Attorney General continues to advocate for transparency, accountability, and choice for the benefit of consumers, to enhance trust in the provider and increase customer satisfaction. Not surprisingly, the Guidelines focus on familiar concepts such as data minimization, just-in-time notice, and layering. In this regard, the Guidelines highlight recommendations that have been part of existing guidance from the California Attorney General, the FTC, and other regulators, including:

  • Readability: using plain, straightforward language and avoiding technical or legal jargon.
  • Data Sharing and Use: explaining uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the online service, and providing a link whenever possible to the applicable privacy policies of third parties with whom PII is shared.
  • Individual Choice and Access: describing the choices a consumer has regarding the collection, use, and sharing of PII.
  • Accountability: including the provider's contact details in the privacy policy.  

These aspects of the Guidelines provide a useful summary of relevant considerations for companies drafting or amending a privacy policy, and they are worthy of review.

New Do Not Track Guidance

The Guidelines provide advice on DNT mechanisms, which have been a topic of significant interest in the United States and abroad. Recently, the FTC, the White House, and the California Legislature, among others, have expressed heightened interest in addressing consumer tracking and profiling practices and the related privacy concerns that DNT is meant to address. The recommended DNT mechanisms automatically communicate a consumer's choice about the collection of PII over time and across third-party websites or online services. However, as noted by the Guidelines, there are presently no legal requirements prohibiting online tracking or requiring any particular response to a DNT browser signal or any other mechanism that automatically communicates a consumer's choice not to be tracked. In 2013, however, California became the first state to require disclosure of the company's response to such signals, as well as the potential for third-party tracking on its website.[1]

The recommendations on DNT mechanisms focus on readability and advocate the use of understandable language, descriptive headers, and appropriate placement. The Guidelines also provide the following DNT-specific recommendations on how a company should describe its response to DNT signals (as required by California law and advocated by other regulators):

  • Accurately describe whether customers whose browsers send a DNT signal are treated differently from those without a signal; and
  • Understand the collection of PII about a consumer's browsing activities over time and across third-party websites or services after receiving a DNT signal, and describe the uses of that information, if applicable. 

With respect to disclosing the presence of third parties conducting online tracking on the operator's website or service, the Guidelines recommend that the company should:  

  • Allow only approved third parties on its website or service to collect PII from consumers who use or visit it;
  • Determine how it would verify that authorized third parties are not bringing unauthorized parties to the website or service to collect PII; and
  • Employ appropriate mechanisms to ensure that authorized third-party trackers comply with its DNT policy and, if not, disclose how they might diverge from the company's policy.

Continuing Challenges 

As noted by the Guidelines, although transparency, accountability, and choice are widely accepted principles in theory, their implementation remains subject to considerable debate. Indeed, the responses of companies to DNT have varied, and many companies have yet to respond to California's new DNT disclosure requirements. Some companies maintain that they do not respond to DNT signals because they do not track their customers over time or across third-party websites to provide targeted advertising. Other companies provide more detail about their tracking activities and those of third parties on their websites. 

Failure to disclose, or underdisclosure, in violation of California's requirements on DNT raises various risks. The California Attorney General's Office is expected to continue to review companies' privacy policies and issue 30-day warnings to noncompliant companies.[2] Companies can also face fines of up to $2,500 per violation of California law, with each download of a noncompliant mobile app constituting a single violation.

Conversely, companies that do not honor DNT signals and make this disclosure in an unqualified manner could face consumer backlash. 

When drafting DNT disclosures, as with privacy policies more generally, companies must proceed in a manner that strikes the right balance between these two competing outcomes. The Guidelines focus on transparency, accountability, and choice, and they provide some guidance on high-level issues that companies should consider. By including recommendations that go beyond what is strictly required under California law, particularly with regard to the recommendations on disclosure of tracking across third-party websites or online services, the Guidelines leave room for each company to place itself appropriately on the privacy spectrum.