California Attorney General Provides Guidance on Compliance with Do Not Track

By Richard NewmanMay 26, 2014

On May 21, 2014, the California Attorney General released best practices recommendations for businesses required to comply with changes to the state's privacy laws by notifying consumers about their “do not track” (“DNT”) policies and procedures. 

Specifically, the guidance advises businesses on how to draft privacy policies that reflect California’s privacy laws and permit consumers to make informed decisions by, without limitation, including information regarding DNT procedures and whether third parties are able to collect information about a website's users.

Key recommendations for businesses collecting personally identifiable information (“PII”) about consumers include:

  • Prominently label the section of privacy policies regarding online tracking (e.g., “California Do Not Track Disclosures”);
  • Describe the manner of response to a browser's DNT signal or similar mechanisms within privacy policies instead of providing a link to another website;
  • State whether third parties are or may be collecting PII;
  • Explain uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or application;
  • Describe what PII is collected from users, how they use it and how long they retain it;
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her PII; and
  • Use plain language

The guidance was developed in response to A.B. 370, which became effective Jan. 1.  In short, the law requires operators of mobile applications, websites and online services that collect PII to explain their DNT policies and procedures.  Note that the law does not require website operators to honor DNT requests, but requires websites to inform consumers if data is disclosed to third parties.

Many companies may have updated their privacy policies since A.B. 370 took effect.  Those that have not should consider doing so immediately.  While not a binding regulation or legal opinion, the guidance will almost certainly be relevant with respect to future enforcement actions against companies without privacy policies or with inadequate privacy policies.

Website operators that follow these recommendations will most likely both meet and exceed minimum legal requirements.

Information conveyed in this article is provided for informational purposes only and does not constitute, nor should it be relied upon, as legal advice. No person should act or rely on any information in this article without seeking the advice of an attorney.

Other Stories You Might Like

CFPB Structure Could See Supreme Court Challenge as Enforcement Actions Rise
September 23, 2019, 8:00 am

Recent FTC Settlement Provides Valuable Lead Generation Compliance Reminders
August 30, 2019, 9:00 am

Ninth Circuit Finds that the TCPA Debt Collection Exception Violates the First Amendment
July 11, 2019, 8:00 am

Recent Settlement Makes Calling and Texting More Difficult
February 25, 2019, 8:00 am

Vermont’s Breach Notice Obligations for Data Brokers Take Effect
January 3, 2019, 8:00 am

California Consumer Privacy Act: Getting Your Consumer Data Privacy House in Order Before It’s Too Late
December 17, 2018, 8:00 am

Pulling it All Together: How Recent Legislative, Judicial and Regulatory Developments Have Made Understanding TCPA Compliance More Important than Ever Before
December 13, 2018, 8:00 am

TCPA News for Telemarketers
November 27, 2018, 8:00 am

FCC Seeks Public Comment On TCPA’s Autodialer Definition After Ninth Circuit Decision
October 15, 2018, 8:00 am

The Applicability of Vermont’s Data Broker Law to the Lead Generation Industry
August 1, 2018, 10:00 am

© 2019 Access Intelligence, LLC – All Rights Reserved. ||