California Attorney General Provides Guidance for Complying with New Do Not Track Requirements

Kamala Harris, the California Attorney General, recently released guidance for complying with California's new Do Not Track requirements, which took effect January 1, 2014.

The Do Not Track requirements were contained in an amendment to California's Online Privacy Protection Act (CalOPPA), and they require operators of commercial websites and online services to disclose:

(1) how the operator responds to Internet browser Do Not Track (DNT) signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in that collection; and

(2) whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.

An operator may satisfy the requirement of paragraph (1) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Although CalOPPA does not define "online service," the Attorney General has stated that a mobile application is one type of online service.

The guidance for how to comply with the new Do Not Track requirements is contained in "Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy." Some of the recommendations provide consumers greater privacy protections than those required by California law. The guidance includes the following recommendations:

1. Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example, "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."

2. Describe how you respond to a browser's Do Not Track signal or to other such mechanisms. Describing your response in your privacy policy statement is preferable to simply providing a link to a "choice program" because it provides greater transparency to consumers.

Questions to consider in describing your response:

  • Do you treat consumers whose browsers send a DNT signal differently from those without one?
  • Do you collect personally identifiable information about a consumer's browsing activities over time and across third-party web sites or online services if you receive a DNT signal?
  • If you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, how do you use the information you obtain?

3. If you decide not to describe your response to a DNT signal or to another mechanism, provide a clear and conspicuous link in your privacy policy statement to a program that offers consumers a choice about online tracking. Provide a general description of what the program does.

Questions to consider in providing a link to a program:

  • Do you comply with the program?
  • Does the page to which you link contain a clear statement about the program's effects on the consumer, i.e., whether participation results in stopping the collection of a consumer's personally identifiable information across web sites or online services over time?
  • Does the page to which you link make it clear what a consumer must do to exercise the choice offered by the program?

4. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service.

In developing your statement on other parties, consider the following issues:

  • Are only approved third parties on your site or service collecting personally identifiable information from consumers who use or visit it?
  • How would you verify that authorized third parties are not bringing unauthorized parties to your site or service to collect personally identifiable information?
  • Can you ensure that authorized third-party trackers comply with your Do Not Track policy? If not, disclose how they might diverge from your policy.

5. Confirm your tracking practices with those responsible for your site's or service's operations to ensure that your practices correspond to what you say in your policy.

The Attorney General's office stated that it will review companies' privacy policies and will work with them to make sure they follow the new law. Pursuant to CalOPPA, an operator has 30 days in which to post or correct a privacy policy after being notified by the Attorney General's office. Failure to comply with the new requirements could result in fines of $2,500 per violation.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Loeb & Loeb LLP | Attorney Advertising
