Today, California Attorney General Kamala Harris released her long-anticipated guidance on privacy policies for companies collecting information from California residents in a report entitled Making Your Privacy Practices Public (the “Report”). While the Report goes beyond existing law in many respects, affected companies should review it and become familiar with its contents, as it sets out a blueprint for how the CA AG’s office views “best practices” in privacy policy drafting in the areas of “Big Data,” behavioral tracking, data security, and the “readability” of privacy disclosures. Further, the CA AG takes the position that California’s Online Privacy Protection Act (Cal-OPPA) applies to all companies that collect information from California residents, and therefore to companies operating outside of California.
The key elements of the Report are:
- The Report makes it clear that the plaintiffs’ bar should not attempt to use the CA AG’s guidance as a sword against companies in the more than 200 behavioral tracking/Do-Not-Track (DNT) putative class actions pending around the country, because the Report states that it is offering “…greater privacy protection than required by existing law” and emphasizes that the recommendations contained in the Report “…are not regulations, mandates or legal opinions. Rather, the recommendations are part of an effort to encourage the development of privacy best practices.” Further, the CA AG recognizes that the “new provisions do not prohibit online tracking, nor do they depend on a standard for how an operator should respond to a DNT browser signal or to any mechanism that automatically communicates a consumer’s choice not to be tracked.”
- Last year, California enacted a bill, AB 370, which amended Cal-OPPA to require disclosures in privacy policies of how companies’ websites respond to behavioral tracking or DNT browser settings selected by online users. See, Privacy & Security/Legislative & Public Policy Advisory: California Adopts Do-Not-Track Disclosure Law, Reflecting a Significant New Development in a National Trend to Improve the Transparency of Online and Mobile Privacy Practices for more information about the amendment. Despite AB 370’s amendment to Cal-OPPA regarding DNT disclosures, today’s guidance from the AG clarifies that “[t]here is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal.” To that end, the Report acknowledges that “[a]s of the end of 2013, the W3C Working Group had not agreed upon what an operator or an advertising network should do when they receive a DNT browser header.”
- A company need only make disclosures regarding responses to DNT browser settings or link to an opt-out “…if the operator engages in the collection of personally identifiable information about a consumer’s online activities over time and across third-party web sites or online services.”
- The Report states that “[p]roviding a description of your site or service’s online tracking practices, and of the possible presence of other parties that may be tracking consumers, can help to make this invisible practice more visible.” This statement echoes some of the statements in the two White House reports on Big Data released on May 1, 2014, entitled (1) “Big Data: Seizing Opportunities, Preserving Values” and (2) “Big Data and Privacy: A Technological Perspective.” Links to these reports, which expressed concern regarding the alleged lack of transparency in the collection and creation of Big Data, are in the Alston & Bird blog post entitled The White House Releases Report on Big Data. Similar sentiments were expressed in the report issued by the Senate Permanent Subcommittee on Investigations on May 15, 2014, entitled “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy.”
- The Report recommends disclosing the presence of other parties that collect personally identifiable information on a company’s site or service. The CA AG recommends not only that third-party tracking be disclosed as required by Cal. Bus. & Professions Code Section 22575(b)(6) (newly added by AB 370), but also that companies go above and beyond the law to consider: (a) whether there “[a]re only approved third parties on your site”; (b) “[h]ow would you verify that the authorized third parties are not bringing unauthorized parties to the site”; and (c) “[c]an you ensure that authorized third-party trackers comply with your Do Not Track policy.” This recommendation was contained in earlier drafts of the Report circulated to stakeholders in January 2014. For more discussion of the earlier drafts, see Alston & Bird’s client alert Privacy & Security/Legislative & Public Policy Advisory: On Eve of New Law Taking Effect, California Attorney General Announces Upcoming Best Practices Guidelines for Do-Not-Track Disclosures.
- The Report furthers the CA AG’s focus on improving the “readability” of privacy notices, namely short, clear privacy notices that are not burdened with legalese. Companies are encouraged to consider using a layered notice format, and “[g]raphics or icons can help users easily recognize privacy practices and settings.” The same recommendation was made last year in the CA AG’s Privacy on the Go report and by the FTC in its mobile privacy guidance. In light of continuing regulatory guidance in this area, Alston & Bird has created a suite of icons and short-form disclosures that are available for licensing by its clients. You can learn more about Alston & Bird’s privacy disclosure icon program by visiting our web site and viewing our video here.