Header graphic for print
TMT Law Watch Business, legal, and policy developments affecting the telecom, media, and technology sector.

California Attorney General Offers Online and Mobile ‘Do Not Track’ Privacy Policy Recommendations

Posted in Other Topics

 By Jonathan D. Jaffe and Jeremy M. McLaughlin

California Attorney General Kamala Harris recently issued guidance to help companies provide more “meaningful” privacy policies. Entitled “Making Your Privacy Practices Public,” the recommendations consolidate previously issued guidance and provide new information regarding online tracking and Do Not Track signals. As the guidance document indicates, the recommendations “are not regulations, mandates or legal opinions” and offer greater protections than those required under existing law. Clearly, though, they reflect the attorney general’s preferences and what she believes are privacy best practices.

The recommendations were prompted by amendments to the California Online Privacy Protection Act of 2003. CalOPPA requires any company that collects personally identifiable information from California consumers through a commercial website or a mobile application to post a conspicuous privacy policy. The policy must include: (1) the categories of PII collected and the categories of third parties with whom such information is shared; (2) information on how, if possible, a consumer can review and request changes to the PII being collected; (3) information on how consumers will be notified of material changes to the policy; and (4) the policy’s effective date.

CalOPPA does not prohibit online tracking or prescribe the manner in which an operator should respond to a DNT signal. Rather, it requires two additional disclosures to be in a company’s privacy policy. First, if a company collects PII about a consumer’s online activities over time and across third-party websites, the privacy policy must either (a) provide information on how the website operator responds to a browser’s DNT signal or (b) provide a conspicuous link to a protocol that offers consumers a choice about online tracking and a description of the protocol’s effects. Second, an operator must disclose in its privacy policy whether third parties may collect PII when a consumer uses the operator’s site.

Among other things, the recommendations provide guidance on complying with the DNT provisions of CalOPPA. For example, the Attorney General prefers that an operator opts for choice (a) rather than (b) ─ that is, explain in the privacy policy (rather than a link to a protocol) how the operator responds to a DNT signal. In that description, the company should state whether it treats consumers who use DNT mechanisms differently than those who do not, and how the treatment is different. In addition, the operator should inform consumers whether it continues to collect PII after a DNT signal is received and, if so, how it uses that information. The recommendations also touch on other ways to improve privacy policy transparency for consumers, including the use of certain labels and improved readability.

The California Attorney General’s office has been at the forefront of enforcing privacy laws, including filing suit against Delta Airlines for alleged CalOPPA violations. Moreover, the White House and the FTC have indicated interest in this area. Because enforcement of privacy laws ─ including Do Not Track laws ─ is a sure bet, businesses should consider adopting these best practices, if for no other reason than to divert regulatory scrutiny.