Kamala Harris, the California Attorney General, recently released guidance for complying with California's new Do Not Track requirements, which took effect January 1, 2014.
The Do Not Track requirements were contained in an amendment to California's Online Privacy Protection Act (CalOPPA), and they require operators of commercial websites and online services to disclose:
(1) how the operator responds to Internet browser Do Not Track (DNT) signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in that collection; and
(2) whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.
Although CalOPPA does not define "online service," the Attorney General has stated that a mobile application is one type of online service.
1. Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example, "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."
Questions to consider in describing your response:
Do you treat consumers whose browsers send a DNT signal differently from those without one?
Do you collect personally identifiable information about a consumer's browsing activities over time and across third-party web sites or online services if you receive a DNT signal?
If you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, how do you use the information you obtain?
Questions to consider in providing a link to a program:
Do you comply with the program?
Does the page to which you link contain a clear statement about the program's effects on the consumer, i.e., whether participation results in stopping the collection of a consumer's personally identifiable information across web sites or online services over time?
Does the page to which you link make it clear what a consumer must do to exercise the choice offered by the program?
4. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service.
In developing your statement on other parties, consider the following issues:
Are only approved third parties on your site or service collecting personally identifiable information from consumers who use or visit it?
How would you verify that authorized third parties are not bringing unauthorized parties to your site or service to collect personally identifiable information?
Can you ensure that authorized third-party trackers comply with your Do Not Track policy? If not, disclose how they might diverge from your policy.
5. Confirm your tracking practices with those responsible for your site's or service's operations to ensure that your practices correspond to what you say in your policy.