The amendment to the California Online Privacy Protection Act (CalOPPA) that established the state's "do not track" disclosure requirements became effective on January 1, 2014. It requires web site privacy policies to include certain do not track disclosures. However, because do not track is not a finalized standard, and it is unclear what even qualifies as a do not track signal under CalOPPA, compliance has been a challenge.
In an effort to resolve this uncertainty, the California Attorney General recently released a guide titled Making Your Privacy Practices Public (the Guide). The Guide provides long-awaited guidance on how to comply with the CalOPPA do not track requirements, among other recommendations. The following is a summary of some of the recommendations that go beyond what is actually required by CalOPPA.
Online Tracking and Do Not Track
- The do not track disclosure should describe whether the web site treats consumers whose browsers send a do not track signal differently from those whose browsers do not. The disclosure should also describe whether the web site still tracks users even if it receives a do not track signal and, if so, how that information is then used.
Data Collection, Use and Sharing
- If a web site collects any personal information from children under the age of 13, the Guide cautions that the Children's Online Privacy Protection Act (COPPA) imposes additional obligations on the web site operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.
Individual Choice and Access
- In addition, if an individual requests to review or correct his or her personal information, then the web site operator should first ensure that the individual's identity is properly verified and any access rights are authenticated.
While much of the Guide is voluntary, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.
Originally published 28 May 2014
© Copyright 2014. The Mayer Brown Practices. All rights reserved.