California AG Offers Best Practices for Do Not Track Disclosures; Crucial Compliance Questions Left Unanswered

by Morrison & Foerster LLP - Social Media

California Attorney General Kamala Harris released a long-awaited report entitled Making Your Privacy Practices Public (Report) on May 21, 2014. The Report recommends “best practices” for compliance with the California Online Privacy Protection Act (CalOPPA). It was originally intended to answer critical questions about exactly what website, online service, and mobile application operators (collectively, “site operators”) must do to comply with CalOPPA’s new do not track (DNT) disclosure obligations, which took effect on January 1, 2014. It does not accomplish that goal. Unfortunately, the Report leaves important questions unanswered and raises new questions.

The Report explains that “its recommendations . . . which in some places offer greater privacy protection than required by existing law, are not regulations, mandates or legal opinions.” It fails, however, to clarify what the law actually requires, and we expect that trade associations will continue to seek guidance on important compliance issues. In the meantime, site operators may wish to comply with at least some of the Report’s recommendations to the extent possible because such “recommendations” tend to harden into regulatory “expectations” over time.

DISCLOSURE OF CROSS-SITE TRACKING AND RESPONSES TO DNT CHOICE MECHANISMS

In order to assess the Report’s recommendations, it is important to first understand CalOPPA’s DNT disclosure obligations. As amended by AB 370, the law requires a site operator to make disclosures with respect to:

  1. Its collection of personally identifiable information (PII) about its users’ activities over time and across third-party sites or online services, if it engages in such cross-site tracking. (We note that the California Attorney General appears to broadly define PII to include not only names, physical addresses, email addresses, phone numbers and social security numbers, but also device identifiers and geo-location data.)
  2. Any “other party’s” tracking of the site operator’s users over time and across third-party sites or services.

The law applies to cross-site tracking for any purpose, including, for example, analytics and advertising.

We discuss each of these obligations, and the questions the Report raises about them, in turn.

A. Disclosures relating to a site operator’s own cross-site tracking.

The law requires that a site operator disclose how it responds to browser DNT signals or other tracking choice mechanisms, if it engages in cross-site tracking. As the Report notes, “[t]he new provisions do not . . . depend on a standard for how an operator should respond to a DNT browser signal or to any mechanism that automatically communicates a consumer’s choice not to be tracked.” The law requires only disclosure, not substantive practices, and it can be breached by a failure to disclose, or to disclose accurately, the required information.

What does this mean in practice and in light of the Report? And what questions does the Report raise?

  • If a site operator engages in cross-site tracking, it must disclose how it responds to either browser DNT signals or another tracking choice mechanism.
    • If a site operator engages in cross-site tracking and honors DNT signals, it should explain precisely what it does in response to a DNT:1 header. Note that it may be a mistake to represent simply that a site operator “honors” DNT signals, as that representation could be interpreted to mean more than the operator’s actions warrant. For example, there is not yet consensus among stakeholders across the spectrum of industry, academics, and advocates on whether honoring an opt-out means that the site operator ceases the online tracking or merely ceases using the information collected through such tracking.
    • If a site operator engages in cross-site tracking and honors some other means for users to express choice with respect to the tracking, it should say so. The law permits a site operator to satisfy the DNT disclosure requirement by “providing a clear and conspicuous hyperlink in the operator’s privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.” The Report makes it clear that a site operator may disclose either how it responds to a browser’s DNT signal or link to another program or protocol that provides choice. The Report notes, however, that “[d]escribing your response in your privacy policy statement is preferable to simply providing a link to a related ‘program or protocol’ . . . because it provides greater transparency to consumers.” It also recommends that site operators “[p]rovide the link in addition to identifying the program with a brief, general description of what it does.” While following these recommendations would promote transparency, both go beyond the law’s requirement of providing a link.

The Report further recommends that a site operator consider whether “the page to which you link contain[s] a clear statement about the program’s effects on the consumer . . . [and] what a consumer must do to exercise the choice offered by the program.”

This raises two questions about linking to third-party choice programs:

  1. Must the link bring users directly to the program’s opt-out page, or is a link to the program’s website sufficient? The Report does not make this clear and, again, may go beyond the law, which requires only a link to “an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.”
  2. The Report is silent as to which, if any, external choice programs are adequate. In our judgment, industry self-regulatory programs such as those run by the Digital Advertising Alliance (DAA) and Network Advertising Initiative (NAI) should meet the law’s requirements. But this is unsettled, and the AG has expressed concerns about whether either program meets the definition. We expect the NAI and DAA will seek further clarification on this point.
  • If a site operator engages in cross-site tracking but does not honor browser DNT signals or any other choice mechanism, it should say that it does not honor browser DNT signals. With respect to such site operators, the Report recommends that “[i]f you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, describe your uses of the information.” While such a disclosure may be prudent—as a failure to make it could conceivably be deemed a material omission and thus deceptive under Federal Trade Commission law where such use may be unexpected by an ordinary user under the circumstances—the disclosure is not required by CalOPPA.

  • If a site operator does not engage in cross-site tracking, no disclosure obligation is triggered.
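The section above turns on what an operator actually does when a browser sends DNT:1, and on making the privacy policy match that behavior. The following is an added example written for this page, not code from the Report or from the article’s authors. It assumes a plain mapping of request headers, two constructed tag names (“adnetwork-pixel” and “crosssite-analytics”, hypothetical, not real vendors), and an operator that has chosen the stricter of the two readings the text describes: on DNT:1 it ceases cross-site collection altogether rather than merely ceasing use of collected data. The Tk response header values follow the W3C Tracking Preference Expression draft, which the page does not mention.

```python
"""Server-side handling of the browser DNT request header.

Added example for this page; not code from the AG Report or from the
article's authors. Assumes a dict-like request header mapping and an
operator that honors DNT:1 by ceasing cross-site collection (the
stricter reading). Tk response header values ("N" not tracking, "T"
tracking) follow the W3C Tracking Preference Expression draft, which
is an assumption, not something the page states.
"""
from typing import Mapping, Optional

# Constructed third-party tags that perform cross-site tracking
# (hypothetical names, not real vendors).
CROSS_SITE_TAGS = ("adnetwork-pixel", "crosssite-analytics")
# Constructed first-party tag that does not track across sites.
FIRST_PARTY_TAGS = ("session-analytics",)


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """Parse the DNT request header.

    Returns True when the user asked not to be tracked (DNT: 1),
    False when the user expressed consent (DNT: 0), and None when the
    header is absent or malformed. Absent or malformed means "no
    preference expressed"; it must not be treated as consent.
    """
    raw = None
    for name, value in headers.items():
        if name.lower() == "dnt":
            raw = value
            break
    if raw is None:
        return None
    value = raw.strip()
    # The field value is a single "0" or "1", optionally followed by
    # extension characters; anything else is treated as malformed.
    if value.startswith("1"):
        return True
    if value.startswith("0"):
        return False
    return None


def tracking_decision(headers: Mapping[str, str]) -> dict:
    """Decide what cross-site tracking to perform for one request.

    Returns the tags to load, whether a cross-site tracking cookie may
    be set, and the Tk response header that tells the browser what the
    server actually did, so a policy statement such as "we do not
    collect cross-site data from users sending DNT:1" is backed by
    behavior rather than a bare claim.
    """
    opted_out = dnt_preference(headers) is True
    if opted_out:
        return {
            "load_tags": list(FIRST_PARTY_TAGS),
            "set_tracking_cookie": False,
            "tk_header": "N",  # not tracking this request
        }
    return {
        "load_tags": list(FIRST_PARTY_TAGS) + list(CROSS_SITE_TAGS),
        "set_tracking_cookie": True,
        "tk_header": "T",  # tracking
    }


if __name__ == "__main__":
    # Constructed request headers: DNT enabled, absent, and explicit consent.
    for sample in ({"DNT": "1", "User-Agent": "x"},
                   {"User-Agent": "x"},
                   {"dnt": "0"}):
        print(sample, "->", tracking_decision(sample))
```

The disclosure text in the privacy policy should describe exactly the branch this code takes on DNT:1 (here: no cross-site tags loaded, no tracking cookie set). If the operator instead adopts the “cease use only” reading, the code path and the policy wording must change together; a policy that says more than the server does is the kind of misrepresentation the text warns against.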

B. Disclosures relating to another party’s cross-site tracking.

CalOPPA requires that a site operator disclose “whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.” The law does not require the operator to make any disclosure regarding such “other party’s” response to a DNT mechanism.

What does this mean in practice and in light of the Report? And what questions does the Report raise?

  • Is a service provider an “other party”? Because neither the law nor the Report clarifies the meaning of the term “other party,” it is not completely clear whether it includes a site operator’s service provider or whether, on the other hand, a service provider stands in the site operator’s shoes for purposes of the law. During a December 10, 2013 call with industry representatives, consumer advocates, and other interested parties, a representative of the AG’s office suggested that a service provider is not the same as a site operator but instead should be treated as an “other party” for purposes of the law. This position is consistent with the law’s definition of an “operator,” which appears to exclude service providers. In our judgment, it follows that a site operator does not have to disclose a DNT response or choice mechanism with respect to the cross-site tracking activities of its service providers, but it does have to disclose whether any service provider or other third party is engaged in the cross-site tracking of the site operator’s users. As a practical matter, this distinction may be of no consequence: a site operator that uses a service provider for cross-site tracking (e.g., for analytics or behavioral advertising services) is typically contractually required by the service provider to both disclose the tracking and tell its users how they can opt out of it, such as through the DAA or NAI.
  • The Report recommends that a site operator explain how a third party’s practices may diverge from the site operator’s DNT policy. This recommendation goes beyond the law’s requirements. As discussed above, the law requires only that a site operator disclose whether third parties engage in cross-site tracking. It does not impose any requirement to address the third party’s response to DNT signals or other choice mechanisms. The recommendation, however, raises the question of whether the AG believes there is a duty under the law for a site operator to vet the practices of third-party trackers on its site and to disclose whether such practices diverge from the site operator’s own.

OPPORTUNITY TO CURE?

The Report acknowledges that CalOPPA includes a 30-day notice and cure period for noncompliance, but it does not squarely address whether that 30-day period applies to companies that have posted a privacy policy that fails to include required DNT disclosures but otherwise complies with the law. In a December 2013 call with interested stakeholders, a representative of the AG’s office stated that the 30-day period does not apply in this situation, and this interpretation seems to be supported in the Report, which notes that “[t]he law provides an operator with a 30-day period to post a policy after being notified of failure to do so. An operator subject to the law is in violation for failing to comply with the legal requirements for the policy or with the provisions of its policy either knowingly and willfully or negligently and materially.” The AG’s apparent interpretation is that the notice and cure provision applies only if there is no policy whatsoever, but that if there is any policy—even one that is almost completely compliant—then no notice and cure period is required. As a matter of public policy, this position makes no sense: the operator who did nothing should not be entitled to greater protection than the operator who tried hard and just missed the mark.

ONLINE TRANSPARENCY “BEST PRACTICES”

Finally, the Report recommends other “best practices” aimed at ensuring that a site operator’s privacy policy is transparent to its users. While many of these go beyond the law’s requirements, it is worthwhile to consider them, as “best practices” tend over time to harden into regulatory expectations. They include the recommendations to:

  • Prominently label the section of your policy regarding online tracking. For example: “California Do Not Track Disclosures.”
  • Disclose whether third parties collect PII from your users.
  • Explain your uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • Describe what PII you collect from users, how you use it, and how long you retain it.
  • Describe the choices a consumer has regarding the collection, use, and sharing of his or her PII.
  • Use plain, straightforward language that avoids legal jargon, and use a format—such as a layered approach—that makes the policy readable. Use graphics or icons instead of text.

CONCLUSION

When it comes to compliance with the new CalOPPA DNT disclosure requirements, the Report raises more questions than it answers. It acknowledges that its recommendations are not necessarily legal requirements, but, in so doing, fails to clarify what the law itself requires. In light of this uncertainty, a site operator may wish to implement the Report’s recommendations to the extent possible.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP - Social Media | Attorney Advertising

