California Attorney General Kamala Harris today released guidelines to help websites comply with a state law that went into effect on January 1, 2014, pertaining to online tracking disclosures.

The law, which amended the California Online Privacy Protection Act (“CalOPPA”) and which we previously blogged about here, requires website operators to disclose (1) how they respond to “do-not-track” signals or "other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information," and (2) whether they allow other parties to collect personally identifiable information when a consumer uses the operator's service.  Under the law, an operator may satisfy the first disclosure requirement by providing in its privacy policy a conspicuous link to a description of a program or protocol that offers consumers a choice regarding the collection of their personally identifiable information.

Many web browsers provide users with a “Do Not Track” preference tool, which can send a signal to websites informing them that the user does not wish to be tracked.  In recent years, regulators, lawmakers, and consumer groups have attempted to require websites to honor these browser-based “Do Not Track” signals, but neither regulatory agencies nor Congress have enacted such requirements; and, to date, industry groups have been unable to agree on a uniform Do Not Track standard.

California, for its part, has been unique in that it enacted a law that went into effect on January 1, 2014, that requires websites to, among other things, explain whether and how they respond to Do Not Track requests.  But because the law itself does not provide many details about how website operators can comply with this requirements, Attorney General Harris today released guidelines that contained the following recommendations for compliance with this requirement: 

• Description of Online Tracking Policies:  Clearly identify the section of the privacy policy that discloses online tracking and Do Not Track policies.  Suggested headers include “How we Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”  Harris writes that website operators should consider the following questions while drafting the description of the website’s response to browser-based Do Not Track signals:

• Are consumers treated differently if their browsers send Do Not Track signals?

• If the website receives a Do Not Track signal from a browser, does the website still collect personally identifiable information about a consumer’s browsing activities over time and across third-party sites and services?  If so, describe the use of this information.

• Link to Online Tracking Opt-Out Program:  If the privacy policy does not describe how the website responds to Do Not Track signals, the policy should contain a link to a program that offers choice about online tracking.  This guidance is particularly noteworthy, because it suggests that Harris’s office considers it sufficient to rely on hyperlinks to a self-regulatory organization’s opt-out pages.  If website operators rely on links, Harris writes that they should consider the following questions:

• Does the website comply with the program? (Harris says the answer should be “yes,” and this should be stated in the privacy policy.)

• Does the page to which the site links contain a “clear statement about the program’s effect on the consumer, i.e., whether participation results in stopping the collection of a consumer’s personally identifiable information across web sites or services over time?”

• Does the page make clear how a consumer can exercise the choice about online tracking?

• Disclosure of Third Parties that Track Online Behavior:  The website should state whether other parties are or may be tracking visitors to the website or service.  Harris writes that website operators should consider the following questions when making this disclosure:

• Is the personally identifiable information only available to approved third parties?

• How would the website operator verify that unauthorized third parties are not collecting personally identifiable information?

• Can the website operator ensure that third parties comply with the site’s Do Not Track policy? 

Harris’s guidelines, though not binding, provide concrete instructions for website operators to comply with the law.  As a practical matter, websites that previously implemented on their own the requirements that went into effect on January 1, 2014, already may be in compliance.  Harris enforces CalOPPA, and has made it clear that she will file lawsuit against companies that do not comply with the statute.  In 2012, Harris sued Delta Airlines for failing to provide a privacy policy on its mobile app, but that lawsuit was dismissed on federal preemption grounds.

Jeff Rabkin, California’s special assistant attorney general on technology and privacy matters, told the New York Times that if Harris’s office determines that a website does not comply with the new law, the site will have 30 days to become compliant.