The California AG’s New Guide on CalOPPA – A Summary for Privacy Pros
As we have previously discussed, CalOPPA requires website operators to disclose (1) how they respond to Do Not Track (DNT) signals from browsers and other mechanisms that express the DNT preference, and (2) whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.” Since the disclosure requirements became law, however, there has been considerable confusion among companies about how exactly to comply, and some maintain that, despite W3C efforts, there is still no industry-wide accepted definition of what it means to “respond” to DNT signals. As a result, the California Attorney General’s Office (AGO) engaged in an outreach process, bringing stakeholders together to comment on draft recommendations over a period of several months, culminating in the AGO publishing the final Guide earlier this week.
The Guide is just that – a guide – rather than a set of binding requirements. However, the recommendations in the Guide do seem to present a road map for how companies might steer clear of an AGO enforcement action in this area. As a result, privacy professionals may want to consider matching up the following key recommendations from the Guide with existing privacy policies, to confirm that they align or to consider whether it is necessary and appropriate to make adjustments:
Scope of the Policy: Explain the scope of the policy, such as whether it covers online or offline content, as well as other entities such as subsidiaries.
Availability: Make the policy “conspicuous” which means:
- for websites, put a link on every page that collects personally identifiable information (PII).
- for mobile apps that collect PII, put a link at the point of download and from within the app – for example, a link accessible from the “about,” “information,” or “settings” page.
Do Not Track:
- Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures”.
- Do you treat users whose browsers express the DNT signal differently from those without one?
- Do you collect PII about browsing activities over time and across third-party sites if you receive the DNT signal? If so, describe the uses of that PII.
- If you choose to link to an online program rather than describe your own response, provide the link with a general description of what the program does.
Third Party Tracking:
- Disclose whether third parties are or may be collecting PII.
- When drafting the disclosure, consider:
  - Are only approved third parties collecting PII?
  - How would you verify that authorized third parties are not bringing unauthorized parties to your site to collect PII?
  - Can you ensure that authorized third-party trackers comply with your DNT policy? If not, explain this.
- Confirm with the people who run your online sites and services that your practices match what you say in your policy.
Data Use and Sharing:
- Explain your uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
- Describe what PII you collect from users, how you use it, and how long you retain it.
Choice and Access:
- Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
- Respect choice and implement preferences in a reasonable period of time.
- Consider offering the opportunity to review and correct PII.
Effective Date: Publish one, use good version control, and consider how to notify users of your changes.
Accountability: Tell users how to contact you with questions; consider offering a toll-free number in addition to an email or postal address; and train call center teams to respond to privacy concerns.