Privacy Advisor

How Should I Respond to California’s Do-Not-Track Requirements?

Here are five steps to inform your action plan

November 26, 2013


By Brian Hengesbaugh, CIPP/US, and Amy de La Lama

The current privacy regulatory environment can be characterized as a "perfect storm" of more data, more regulation and more enforcement. A microcosm of the confluence of these trends is illustrated in the recent Do-Not-Track amendments to the California Online Privacy Protection Act (CalOPPA). The law requires the operator of a website or online service to display a privacy policy that meets certain content requirements. It has been in effect for about 10 years and obliges a privacy policy to disclose the categories of personally identifiable information (PII) collected through the site, the categories of third-party persons or entities with whom the operator may share that PII and other content. Operators have generally been able to meet these obligations without too much difficulty.

The amendments to CalOPPA introduce two new content obligations for the site operator to:

  • Disclose how the operator responds to web browser’s Do-Not-Track signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of PII about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in such collection, and
  • Disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.

CalOPPA further specifies that an operator may satisfy the first requirement above by providing "a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice." CalOPPA does not mandate that such choice mechanisms must be established or followed but rather requires transparency (notice) about how the site responds to such signals. Personally identifiable information is defined to include name, physical address, e-mail, telephone, Social Security number, another identifier that permits the physical or online contacting of a specific individual and other information that the site collects online from the user and maintains in personally identifiable form in combination with an identifier described above. The amended version of CalOPPA becomes effective on January 1.

CalOPPA Amendments Pose Implementation Challenges

The CalOPPA amendments pose implementation challenges on several levels. First, from a straight definitional standpoint, it may be difficult for sites to determine what actually qualifies as a “Do-Not-Track signal” or similar mechanism that is covered by CalOPPA. An international working group of web experts under the World Wide Web Consortium (W3C) has been working for two years to define what "Do Not Track" means and how it should work, but that work is not done and may not be completed anytime soon. The most recent W3C Working Draft from September 2013 identifies numerous open issues on scope, definitions of "tracking," "collection" and other terms, exemptions for fraud detection and security defense. These are critical issues that need to be resolved to provide sites and others with clarity on commonly accepted definitions and standards.

Second, the Internet ecosystem is complex and rapidly evolving, such that thoughtful disclosures in privacy policies have the potential to be inaccurate for certain browsers or outdated over time. Browsers have come under considerable pressure in recent years from the Federal Trade Commission, European data protection authorities, state attorneys general and other authorities to build in Do-Not-Track mechanisms for users. Major browsers now include such functionality, but the implementations are different. Some set a default that tracking is OK unless the user chooses to configure the browser to send Do-Not-Track signals to the requesting site. Others have established Do-Not-Track as the default setting, such that unless a user must affirmatively opt in to tracking, the browser will send Do-Not-Track signals. And, a few browsers are already revising their original approaches to Do-Not-Track and establishing "selective Do Not Track" as the default and making other modifications. This changing landscape poses significant challenges for site operators to maintain accurate and legally sufficient practices and privacy policy disclosures over time.

Perhaps the most challenging issues relate to consumer expectations. What does a consumer expect when they configure their browser to Do Not Track, and how do site operators draft their disclosures to either meet or dispel such expectations? Does the consumer think that means the site itself will no longer collect any PII at all, or that certain PII collection or use—for advertising, for example—will cease? Or, would the consumer think that means that the site itself will continue with PII collection and use but will not allow any third-party ad network to capture PII or use it for advertising? What about the site operator's capture of PII on operator-hosted applications on social media platforms or third-party sites and the combination of such data with PII captured through the site? Consumers will invariably have wide-ranging and diverging expectations, particularly in the absence agreed and widely publicized W3C or other standards. Disclosures with regard to Do-Not-Track signals and similar mechanisms will need to be carefully drafted to try to provide enough transparency to manage such expectations.

Five Key Questions

In the midst of this uncertainty, and in the absence of a clear legal obligation for sites to follow Do-Not-Track signals, studies suggest that many sites currently do not follow browser’s Do-Not-Track signals. CalOPPA may push some operators to reconsider those positions and explain how they respond to Do-Not-Track signals and other mechanisms.

To prepare for these CalOPPA amendments, every site operator should ask five key questions about the site's practices and approach to these issues.  

1) What methods does the site implement to track users? The site operator should confirm what tracking the site employs and what PII or other data those methods capture. Much of the attention with Do Not Track has focused on traditional HTTP cookies, but examples of other technologies include web beacons, clear GIFs, log files, userData stores, document object model storage, and Flash cookies and other locally shared objects (LSOs). Special attention should be applied to user controls over these methods to make sure that promises are accurate. For example, LSOs generally persist even if a user clears cookies from the browser and therefore may require different controls and disclosures.

2) Does the site combine tracking data with PII gathered across other sites? The site operator should consider whether it combines any tracking data with other PII, including data capture about users through its own hosted applications on social media or other third-party sites, widgets, mobile applications, data shared by affiliated sites or data captured from other online sources. CalOPPA's disclosure requirements for the site's own tracking are limited to certain circumstances involving PII collection over time and across third party sites, but if the site's practices are to develop a profile of its users based on its own first-party tracking as well as the users' activities on other sites, it should consider how it might respond to Do-Not-Track signals and whether there are any CalOPPA disclosure obligations.

3) Does the site allow ad networks to set cookies or collect data? The site operator should confirm whether it allows ad networks to collect data. In theory, CalOPPA only requires a disclosure about such third parties if the ad networks collect PII. Such definition should not be triggered if the ad networks merely set a cookie that captures preferences tied to the user's device without linking the data to names or other CalOPPA identifiers. In practice, however, the site may not know with certainty whether the ad networks combine device data with PII or otherwise collect PII. The site may therefore wish to consider identifying these parties in its privacy policy. The site should consider only using ad networks that participate in the Digital Advertising Alliance or other programs that maintain robust standards for providing users with opt-out and other mechanisms to control the use of their data for behavioral advertising purposes.

4) Does the site allow social media platforms or other third parties to host plug-ins or widgets on the site (e.g., share buttons) or otherwise collect data? The site operator should confirm whether it allows social media platforms to host share or like buttons that collect data and the specifics of those collections. Although this does not appear to be the focus of the legislation based on the legislative history, the site operator should consider identifying these parties in its privacy policy and providing disclaimers that the social media platform's data collection and handling practices are defined by that platform and not by the site. In addition, the site operator should also consider whether any other third-party data collections may attract application of CalOPPA, such as any third-party analytics that may track users over time and across multiple sites.

5) How will the site balance the competing factors to arrive at a suitable CalOPPA disclosure? The challenge will be bringing together these various threads to arrive at a suitable CalOPPA disclosure. Sites that only set cookies and use tracking for internal purposes without any sharing or combining of PII from other sources and without any third-party data collection on the site should not have any new CalOPPA disclosure obligations. Sites that plan to follow Do-Not-Track signals will need to confirm alignment of practices with browser settings, maintain that alignment over time in light of changing settings and practices, address interoperability issues across browsers and confirm alignment and updates to their privacy policy disclosures. Some sites may choose to make good faith efforts to describe their practices in the privacy policy and otherwise disclaim any responsibility for responding to other web browser signals.

In all of this, there are risks on both sides. Failure to make the required CalOPPA disclosures can, after a 30-day notice period, give rise to actions by the California Attorney General for $2,500 per violation and other consequences, as well as potential plaintiffs’ actions under unfair competition theories. On the other hand, unqualified statements about not responding to Do-Not-Track signals could give rise to plaintiffs’ actions for exceeding authorized access to computers, trespass and other theories.

As with many privacy issues, it will ultimately require a balanced risk assessment, taking into account the site's activities and risk tolerance.

Brian Hengesbaugh, CIPP/US, is a principal with Baker & McKenzie in Chicago and a member of the firm's Global Privacy Steering Committee. He focuses on domestic and global data protection and privacy, data security, online, mobile, social media, and e-commerce issues.

Amy de La Lama is Of Counsel in the Chicago office of Baker & McKenzie. She focuses on global and domestic data protection and privacy, including on cross-border, mobile and health privacy issues.