By Lei Shen, CIPP/US
Determining how to comply with California’s “Do Not Track” requirements has been a challenge. The amendment to the California Online Privacy Protection Act (CalOPPA) became effective on January 1 and began requiring privacy policies to include certain Do Not Track (DNT) disclosures. However, there has been some uncertainty as to how to comply. Because DNT is not a finalized standard, it is unclear what even qualifies as a DNT signal under CalOPPA. In addition, different browsers implement their Do Not Track mechanisms differently—some set it as the default setting, while others require the user to configure it—so it’s difficult to determine what the user’s actual expectation is.
In an effort to curb this uncertainty, the California Attorney General (AG) recently released a guide titled Making Your Privacy Practices Public. The guide provides long-awaited guidance on how to comply with the CalOPPA Do Not Track requirements, among other recommendations. The AG, Kamala Harris, stated that the guide is intended to provide a “tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.”
While the guide provides recommendations on how to comply with CalOPPA, they are not legally binding. In fact, several of the Guide’s recommendations going beyond the requirements of CalOPPA. This article summarizes the Guide’s recommendations and compares them to CalOPPA’s actual requirements.
Online Tracking and Do Not Track
It also recommends that the disclosure describe whether the website still tracks even if it receives a Do Not Track signal, and if so, how that information is then used.
Data Collection, Use and Sharing
If a website collects any personal information from children under the age of 13, the guide cautions that the Children’s Online Privacy Protection Act (COPPA) has additional obligations for the website operator, including the requirement to obtain verifiable parental consent prior to collecting any information from children.
Individual Choice and Access
In addition, if an individual requests to review or correct his or her personal information, then the website operator should first ensure that the individual’s identity is properly verified and any access rights are authenticated.
Security Safeguards and Accountability
While much of the guide is not mandatory, its recommendations reiterate and align with several of the key recommendations from other similar publications, including those from the FTC, and provide a good basis for companies to use when drafting or revising their privacy policies to provide more transparency to users.