California Attorney General Releases Privacy Policy Guidance for 'Do Not Track' Disclosures

California Attorney General Kamala Harris recently released guidance, Making Your Privacy Practice Public, to help companies comply with the California Online Privacy Protection Act's (CalOPPA) "Do Not Track" (DNT) disclosure requirements, which took effect on January 1, 2014. CalOPPA requires online privacy policies to disclose whether the company tracks and collects personally identifiable information (PII) about California residents' online activities over time and across third-party websites or services, including via mobile apps, and whether or not the company recognizes DNT mechanisms that have been designed to prevent such tracking. PII includes names, contact information, unique identifiers, and passively collected information such as device identifiers and geolocation data.

If a company does engage in such online tracking, then the online privacy policy must either describe how the company responds to a DNT signal, or provide consumers with a clear and conspicuous link to a DNT mechanism to which the company will respond. The law does not prohibit online consumer tracking, but rather seeks to provide consumers with greater transparency through the additional disclosures.

The guidance expresses a preference for companies to utilize the first option to describe their DNT policies to consumers, as it promotes greater transparency than simply providing consumers with a link to a DNT mechanism. When describing if and how a website responds to DNT signals, the privacy policy should:

  • State whether consumers who use DNT mechanisms are treated differently than consumers who do not, and how the treatment is different (e.g., "Your experience may be degraded . . . ")
  • Disclose whether PII is collected when a DNT signal is received
  • Describe how that information is used if PII is collected when a DNT signal is present

In addition to describing a company's own DNT privacy policies, CalOPPA also requires companies to disclose whether third parties, such as advertising networks that track consumers over time and across websites, are present on the company’s website or service. The guidance poses useful questions to determine whether third-party trackers present on a company's website are authorized to be there and adhere to the company's DNT policy.

The Attorney General's Privacy Enforcement and Protection Unit will begin reviewing companies' privacy policies for compliance and work with companies to help them comply with the DNT disclosure requirements. Companies found to be in noncompliance will have 30 days to comply with CalOPPA before being subject to an enforcement action. Failure to comply with CalOPPA can result in civil penalties of up to $2,500 per violation.

Companies should remember that even if they are not physically present in California, CalOPPA applies if the company collects PII from California residents. In addition, although this alert focuses on the required DNT disclosures, the Attorney General’s guidance offers additional recommendations regarding online privacy policies.



DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
