Clarifying California Law on Privacy Policies: California AG Issues New Guidance
By Mary-Elizabeth M. Hadley
Earlier this week, California Attorney General (“AG”) Kamala Harris issued guidance to help companies comply with the recently amended California Online Privacy Protection Act of 2003 (“CalOPPA”), Cal. Bus. & Prof. Code § 22575, including the law’s requirement that operators of commercial websites and online services (“operators”) disclose how they respond to “do not track” (or “DNT”) signals.
Background on CalOPPA
As we have
Through the release of a guidance document entitled
The Guidance offers recommendations on several key topics:
AG Harris advises companies to clearly identify the section of their privacy policies regarding online tracking using headers such as “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
Although CalOPPA permits companies to describe how they respond to DNT signals by providing a “clear and conspicuous” link in their privacy policies to an online location describing the program or protocol they follow to offer the consumer that choice, the Guidance recommends that companies describe their response directly in their privacy policies.
To comply with the requirement that they disclose the presence of other parties that collect PII on their site or service, operators should consider (i) whether only approved third parties are collecting PII; (ii) how they can verify that authorized third parties are not bringing unauthorized third parties to their site or service to collect PII; and (iii) whether they can ensure that authorized third-party trackers comply with the operator’s own DNT policy.
Data Use & Sharing
Operators should explain their uses of PII “beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service.”
The Guidance also provides that, “[w]henever possible,” operators should “provide a link to the privacy policies of third parties with whom they share” PII.
Privacy policies should also specify the retention period for each type or category of PII collected.
Individual Choice & Access
Operators should describe the choices consumers have regarding the collection, use and sharing of their personal information, and should implement those preferences within a reasonable period of time.
The Guidance suggests that companies use “plain, straightforward language” and that they consider providing their policies in other languages.
A user-friendly format, such as a layered format, should be used to make the policy readable.
Operators should also explain how they protect customers’ personal information from unauthorized or illegal access, modification, use or destruction by, inter alia, providing a general description of the measures they use to control the information security practices of the third parties with whom they share customer personal information.
As the Guidance notes, “the borderless world of online commerce extend[s] the impact of this law to other jurisdictions.” Because CalOPPA applies to any operator that collects PII “about individual consumers residing in California,” most online businesses should evaluate whether their privacy policies meet its requirements in order to avoid potential fines of up to $2,500 per violation.
Companies seeking to implement nationwide practices may find the Guidance particularly useful in light of the absence of a federal tracking law. Despite calls for greater transparency in data collection and use by the Federal Trade Commission and the White House and years of negotiations between internet companies and privacy advocates, no nationwide “do not track” tool exists.
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.