Keywords: Americas; Privacy & Security; Business & Technology Sourcing.

The amendment to the California Online Privacy Protection Act (CalOPPA) that established the state's "do not track" disclosure requirements became effective on January 1, 2014. It requires web site privacy policies to include certain do not track disclosures. However, because do not track is not a finalized standard, and it is unclear what even qualifies as a do not track signal under CalOPPA, compliance has been a challenge.

In an effort to resolve this uncertainty, the California Attorney General recently released a guide titled Making Your Privacy Practices Public (the Guide). The Guide provides long-awaited guidance on how to comply with the CalOPPA do not track requirements, among other recommendations. The following is a summary of some of the recommendations that go beyond what is actually required by CalOPPA.

Online Tracking and Do Not Track

  • CalOPPA only requires that the tracking disclosures introduced by the amendment (i.e., regarding do not track responses and third-party tracking) be included somewhere in the privacy policy. However, the Guide recommends that these disclosures be clearly identified with their own header, such as "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."
  • If a web site follows a consumer tracking choice program or protocol, CalOPPA permits an alternate way to comply with the do not track disclosure requirement by including a link to a description of that program or protocol within the privacy policy. However, the Guide recommends that, in addition to the link, the privacy policy also provide either a description of the web site's response to do not track signals or a brief, general description of the applicable program or protocol and what it does.
  • The do not track disclosure should describe whether the web site treats consumers whose browsers send a do not track signal differently from those that do not. The disclosure should also describe whether the web site still tracks users even if it receives a do not track signal and, if so, how that information is then used.

Availability

  • In addition to the CalOPPA requirement to "conspicuously post" a privacy policy, a web site should also include a link to the privacy policy on every web page where personal information is collected.
  • For online services, such as mobile applications, the privacy policy should also be posted or linked to on the application's platform page, so that users can review the privacy policy before downloading the application, as well as from within the application.

Readability

  • While CalOPPA does not have any requirements regarding readability, the Guide recommends that a privacy policy should be formatted in a way that makes it readable, especially on smaller screens such as mobile devices. One such format is a layered format that highlights the most relevant privacy issues.

Data Collection, Use and Sharing

  • The Guide recommends that a privacy policy go beyond CalOPPA's requirement of merely identifying general categories of personal information that a web site collects, by being reasonably specific about the kinds of personal information being collected and identifying the retention period for each. In addition, a privacy policy should generally describe how a web site collects personal information, including specifying if any information is collected from other sources (e.g., offline or from third parties) or through technologies such as cookies or web beacons.
  • If a web site collects any personal information from children under the age of 13, the Guide cautions that the Children's Online Privacy Protection Act (COPPA) has additional obligations for the web site operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.
  • With regard to sharing, the Guide clarifies that when a privacy policy describes the different types of third parties with which the web site operator shares personal information, affiliates and marketing partners should be mentioned if applicable, and links to the privacy policies of those third parties should be included.
  • Lastly, if a web site uses personal information beyond what is necessary for fulfilling a transaction or providing an online service, the privacy policy should explain this.

Individual Choice and Access

  • The Guide recommends that a privacy policy describe any choices an individual may have regarding the collection, use and sharing of his or her personal information (in addition to the review and correction of such information), if a web site operator maintains such a process.
  • In addition, if an individual requests to review or correct his or her personal information, then the web site operator should first ensure that the individual's identity is properly verified and any access rights are authenticated.

Security Safeguards

  • While CalOPPA does not require that a privacy policy explain the web site's security safeguards, the Guide recommends that a privacy policy explain how the web site protects its users' information from unauthorized or illegal access. It is important that the security statements do not misrepresent or "over-promise" the web site's actual security, as the US Federal Trade Commission (FTC) has been taking action against companies that do not live up to their security promises.

While much of the Guide is voluntary, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.

Originally published 28 May 2014

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2014. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.