On May 21, 2014, the California Attorney General released best practices recommendations for businesses required to comply with changes to the state's privacy laws by notifying consumers about their “do not track” (“DNT”) policies and procedures.
Specifically, the guidance advises businesses on how to draft privacy policies that reflect California’s privacy laws and permit consumers to make informed decisions by, without limitation, including information regarding DNT procedures and whether third parties are able to collect information about a website's users.
Key recommendations for businesses collecting personally identifiable information (“PII”) about consumers include:
- Prominently label the section of privacy policies regarding online tracking (e.g., “California Do Not Track Disclosures”);
- Describe the manner of response to a browser's DNT signal or similar mechanisms within privacy policies instead of providing a link to another website;
- State whether third parties are or may be collecting PII;
- Explain uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or application;
- Describe what PII is collected from users, how it is used and how long it is retained;
- Describe the choices a consumer has regarding the collection, use and sharing of his or her PII; and
- Use plain language.
The guidance was developed in response to A.B. 370, which became effective Jan. 1. In short, the law requires operators of mobile applications, websites and online services that collect PII to explain their DNT policies and procedures. Note that the law does not require website operators to honor DNT requests, but requires websites to inform consumers if data is disclosed to third parties.
Many companies may have updated their privacy policies since A.B. 370 took effect. Those that have not should consider doing so immediately. While not a binding regulation or legal opinion, the guidance will almost certainly be relevant with respect to future enforcement actions against companies without privacy policies or with inadequate privacy policies.
Website operators that follow these recommendations will most likely both meet and exceed minimum legal requirements.
Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information in this article without seeking the advice of an attorney.