California Attorney General Kamala Harris recently released guidance, Making Your Privacy Practice Public, to help companies comply with the California Online Privacy Protection Act's (CalOPPA) "Do Not Track" (DNT) disclosure requirements, which took effect on January 1, 2014. CalOPPA requires online privacy policies to disclose whether the company tracks and collects personally identifiable information (PII) about California residents' online activities over time and across third-party websites or services, including via mobile apps, and whether or not the company recognizes DNT mechanisms that have been designed to prevent such tracking. PII includes names, contact information, unique identifiers, and passively collected information such as device identifiers and geolocation data.
State whether consumers who use DNT mechanisms are treated differently than consumers who do not, and how the treatment is different (e.g., "Your experience may be degraded . . . ")
Disclose whether PII is collected when a DNT signal is received
Describe how that information is used if PII is collected when a DNT signal is present
In addition to describing a company's own DNT privacy policies, CalOPPA also requires companies to disclose whether third parties, such as advertising networks that track consumers over time and across websites, are present on the company’s website or service. The guidance poses useful questions to determine whether third-party trackers present on a company's website are authorized to be there and adhere to the company's DNT policy.
The Attorney General's Privacy Enforcement and Protection Unit will begin reviewing companies' privacy policies for compliance and work with companies to help them comply with the DNT disclosure requirements. Companies found to be in noncompliance will have 30 days to comply with CalOPPA before being subject to an enforcement action. Failure to comply with CalOPPA can result in civil penalties of up to $2,500 per violation.
Companies should remember that even if they are not physically present in California, CalOPPA applies if the company collects PII from California residents. In addition, although this alert focuses on the required DNT disclosures, the Attorney General’s guidance offers additional recommendations regarding online privacy policies.