Privacy & Information Security Law Blog

On May 21, 2014, California Attorney General Kamala D. Harris issued guidance for businesses (“Guidance”) on how to comply with recent updates to the California Online Privacy Protection Act (“CalOPPA”). The recent updates to CalOPPA include requirements that online privacy notices disclose how a site responds to “Do Not Track” signals, and whether third parties may collect personal information about consumers who use the site. In an accompanying press release, the Attorney General stated that the Guidance is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.” The Guidance is not legally binding; it is intended to encourage companies to draft transparent online privacy notices.

The Guidance, Making Your Privacy Practices Public, recommends, among other items, that website operators’ online privacy notices should:

• conspicuously identify the section of the notice that provides information on the site’s response to “Do Not Track” signals;
• state whether third parties are collecting personally identifiable information;
• explain uses of personally identifiable information beyond the uses necessary for fulfilling the basic functionality of the online service;
• provide links to the privacy policies of third parties with whom the website operator shares personally identifiable information; and
• describe the choices a consumer has with respect to the collection, use and distribution of his or her personal information.

The guidance clarifies that describing how a website responds to a “Do Not Track” signal is preferable to merely linking to a “choice program” because a description of the site’s specific response provides greater transparency to consumers. In crafting this section of an online privacy notice, website operators should consider whether they (1) treat a visitor differently if his or her browser relays a “Do Not Track” signal, and (2) collect visitors’ personally identifiable information over time and across third party websites. If website operators provide a link to a “choice program” rather than describing their sites’ particular response to a “Do Not Track” signal, the operators should ensure that (1) they comply with the “choice program,” and (2) the link to the “choice program” describes the program’s effects on the consumer and how the consumer can exercise his or her choice offered by the program.

Read the full version of the guidance.