California Attorney General Releases Privacy Policy Guidance for 'Do Not Track' Disclosures

California Attorney General Kamala Harris recently released guidance, Making Your Privacy Practice Public, to help companies comply with the California Online Privacy Protection Act's (CalOPPA) "Do Not Track" (DNT) disclosure requirements, which took effect on January 1, 2014. CalOPPA, 2013 Bill Text CA A.B. 370, Cal Bus & Prof Code § 22575-22579, requires online privacy policies to disclose whether the company tracks and collects personally identifiable information (PII) (which includes names, contact information, unique identifiers, and passively collected information such as device identifiers and geolocation data) about California residents' online activities over time and across third-party websites or services, including via mobile apps, and whether or not the company recognizes DNT mechanisms that have been designed to prevent such tracking.

If a company does engage in such online tracking, then the online privacy policy must either describe how the company responds to a DNT signal, or provide consumers with a clear and conspicuous link to a DNT mechanism to which the company will respond. The law does not prohibit online consumer tracking, but rather seeks to provide consumers with greater transparency through the additional disclosures.

The guidance expresses a preference for companies to utilize the first option to describe their DNT policies to consumers, as it promotes greater transparency than simply providing consumers with a link to a DNT mechanism. When describing if and how a website responds to DNT signals, the privacy policy should:

•   State whether consumers who use DNT mechanisms are treated differently than consumers who do not, and how the treatment is different (e.g., "Your experience may be degraded . . . ")

•   Disclose whether PII is collected when a DNT signal is received

•   Describe how that information is used if PII is collected when a DNT signal is present

In addition to describing a company's own DNT privacy policies, CalOPPA also requires companies to disclose whether third parties, such as advertising networks that track consumers over time and across websites, are present on the company’s website or service. The guidance poses useful questions to determine whether third-party trackers present on a company's website are authorized to be there and adhere to the company's DNT policy.

The Attorney General's Privacy Enforcement and Protection Unit will begin reviewing companies' privacy policies for compliance and work with companies to help them comply with the DNT disclosure requirements. Companies found to be in noncompliance will have 30 days to comply with CalOPPA before being subject to an enforcement action. Failure to comply with CalOPPA can result in civil penalties of up to $2,500 per violation.

Companies should remember that even if they are not physically present in California, CalOPPA applies if the company collects PII from California residents. In addition, although this alert focuses on the required DNT disclosures, the Attorney General’s guidance offers additional recommendations regarding online privacy policies.

Ballard Spahr attorneys regularly advise financial institutions and other companies providing financial services online on compliance with consumer financial services laws, as well as related data security and privacy laws. Our attorneys regularly conduct website and mobile app audits to help clients ensure that they know what third parties are present on their sites and whether the practices of those parties are consistent with their privacy policies.

The firm's Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products as well as its experience with the full range of federal and state consumer credit laws. Members of the Group who are also part of the Privacy and Data Security Group focus on financial privacy by design—evaluating new and existing products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations.

If you have questions about the DNT disclosures or wish to receive information about any of the other privacy policy recommendations, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or kaplinsky@ballardspahr.com, Privacy and Data Security Group Leader Mercedes Kelley Tunstall at 202.661.2221 or tunstallm@ballardspahr.com, Kim Phan at 202.661.2286 or phank@ballardspahr.com, or James N. Duchesne at 202.661.7636 or duchesnej@ballardspahr.com.


Copyright © 2014 by Ballard Spahr LLP.
http://www.ballardspahr.com/
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
