Earlier this week the California Attorney General published “Make Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy,” a set of recommendations that organizations may consider as they revise their privacy policies in response to the 2013 amendment to CalOPPA. CalOPPA has been in effect since 2003, but the 2013 amendment, which took effect on January 1, 2014, added somewhat controversial requirements that operators of websites and other online services, such as mobile applications, disclose how they respond to “Do Not Track” (“DNT”) signals and whether other parties may collect personally identifiable information – see the AG’s press release.
The DNT provisions created confusion for the industry because CalOPPA does not define DNT and there is no industry-recognized definition of DNT or of a DNT signal. The World Wide Web Consortium (W3C) spent two years trying to develop a standard that would give DNT signals a settled meaning, but could not reach agreement. Adding to the confusion, by the end of 2013 all of the major browser vendors had shipped their own DNT settings that consumers can switch on.
Seeking clarification and guidance, the business community reached out to the California Attorney General. To its credit, over the past several months the AG’s office consulted with numerous stakeholders from the business sector, academia and privacy advocates and developed four key DNT recommendations:
- Make it easy for a consumer to find the section of your policy that relates to online tracking. Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
- Describe how you respond to a browser’s DNT signal or to another such mechanism. Describing your response in your privacy policy statement is preferable to simply providing a link to a related “program or protocol” because it provides greater transparency to consumers.
- Alternatively, provide a link in your privacy policy statement to a program that offers consumers a choice about online tracking. Provide the link in addition to identifying the program with a brief, general description of what it does.
- Disclose the presence of other parties that collect personally identifiable information on your site or service, if any are present. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service. Confirm your tracking practices with those responsible for your site or service’s operations to ensure that your practices correspond to what you say in your policy.
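Recommendations 2 and 4 only make sense if the operator knows what its servers actually do with the browser’s signal and which third parties its pages really embed. The following is an added illustration, not code from the AG’s report or from any company named on this page. It assumes the W3C Tracking Preference Expression draft semantics for the request header (`DNT: 1` objects to tracking, `DNT: 0` consents, absent means no preference expressed) and the draft’s `Tk` response header (`N` = not tracking, `T` = tracking). The third-party hostnames and the site configuration are constructed for the example.

```python
"""Server-side handling of the browser DNT signal, plus a policy/practice check.

Added example. Assumes the W3C Tracking Preference Expression draft:
  DNT: 1  -> user objects to tracking
  DNT: 0  -> user consents to tracking
  absent  -> no preference expressed
Response header Tk: N (not tracking) or T (tracking) from the same draft.
"""
from typing import Dict, Mapping, Optional, Set

# Outcomes of reading the browser's signal.
NO_PREFERENCE, OPT_OUT, CONSENT = "no-preference", "opt-out", "consent"

# Constructed sample configuration (hypothetical names): the third parties the
# privacy policy discloses as collecting data on the site, and the tracking
# scripts the page template actually embeds.
DISCLOSED_THIRD_PARTIES: Set[str] = {"analytics.example", "ads.example"}
EMBEDDED_TRACKERS: Dict[str, str] = {
    "analytics.example": "https://analytics.example/t.js",
    "ads.example": "https://ads.example/pixel.js",
    "social.example": "https://social.example/widget.js",  # not in the policy
}


def parse_dnt(headers: Mapping[str, str]) -> str:
    """Map the DNT request header to one of the three outcomes.

    Header names are case-insensitive. The draft defines "1" and "0",
    optionally followed by extension characters, so only the first
    character of the value is significant.
    """
    value: Optional[str] = None
    for name, raw in headers.items():
        if name.lower() == "dnt":
            value = raw.strip()
            break
    if value is None:
        return NO_PREFERENCE
    if value.startswith("1"):
        return OPT_OUT
    if value.startswith("0"):
        return CONSENT
    # Header present but malformed: the user reached for the switch, so fail
    # closed and treat it as an objection. This is our design choice, not
    # something the draft mandates.
    return OPT_OUT


def trackers_to_load(headers: Mapping[str, str],
                     embedded: Mapping[str, str] = EMBEDDED_TRACKERS) -> Dict[str, str]:
    """Third-party scripts this request may include: none when the user opted out."""
    if parse_dnt(headers) == OPT_OUT:
        return {}
    return dict(embedded)


def tk_header(headers: Mapping[str, str]) -> str:
    """Tracking status for the Tk response header: N if we honor the opt-out, else T."""
    return "N" if parse_dnt(headers) == OPT_OUT else "T"


def undisclosed_trackers(embedded: Mapping[str, str] = EMBEDDED_TRACKERS,
                         disclosed: Set[str] = DISCLOSED_THIRD_PARTIES) -> Set[str]:
    """Recommendation 4 check: third parties on the page the policy does not name."""
    return set(embedded) - set(disclosed)


if __name__ == "__main__":
    # Constructed request headers standing in for what a browser would send.
    for req in ({"DNT": "1"}, {"dnt": "0"}, {"User-Agent": "x"}, {"DNT": "maybe"}):
        print(req, "->", parse_dnt(req), "Tk:", tk_header(req),
              "load:", sorted(trackers_to_load(req)))
    print("undisclosed third parties:", sorted(undisclosed_trackers()))
```

`undisclosed_trackers()` is the part worth wiring into a build or release check: the statement in the policy and the scripts in the template drift apart independently, and the mismatch is what the fourth recommendation asks operators to rule out.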
These recommendations provide helpful guidance when drafting privacy policies; however, they are just that – guidance. The AG expressly acknowledges that the recommendations “are not regulations, mandates, or legal opinions. Rather, they are part of an effort to encourage the development of privacy best practices.”
Center for Democracy & Technology Consumer Privacy Director Justin Brookman, who has also worked extensively with the W3C, noted that it is unclear whether a company must describe how it handles a DNT signal or may simply provide a link to a choice program. He said, “It seems the attorney general doesn’t find current practices to be good enough,” and that the AG is “trying to encourage folks to be more explicit in the body of the policy but aren’t yet prepared to say that just a link is legally insufficient.”
Indeed, virtually no site honors “do not track” requests sent by web browsers; the only major company that does is Twitter. It also seems quite unlikely that failing to follow the California AG’s DNT recommendations would by itself result in an inquiry or enforcement action. At most, companies could expect a warning notice from the AG’s office with 30 days to fix any deficiencies in their privacy policy. Jeff Rabkin, special assistant attorney general on technology and privacy matters for the California AG, confirmed as much when he said that Ms. Harris’s office would review companies’ privacy policies and work with them to make sure they followed the new law, and that those who do not comply will receive 30-day warnings before facing potential litigation from the state.
In addition to the DNT recommendations, the AG’s report provides further guidance “intended to encourage companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format.” The document also consolidates recommendations from two of the AG’s previous privacy publications (Privacy on the Go: Recommendations for the Mobile Ecosystem and Cybersecurity in the Golden State).