California Attorney General Provides Guidance for Complying with New Do Not Track Requirements

Kamala Harris, the California Attorney General, recently released guidance for complying with California's new Do Not Track requirements which took effect January 1, 2014.

The Do Not Track requirements were contained in an amendment to California's Online Privacy Protection Act (CalOPPA) and they require operators of commercial websites and online services to disclose:

(1) how the operator responds to Internet browser Do Not Track (DNT) signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party websites or online services, if the operator engages in that collection; and

(2) whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or service.

An operator may satisfy the requirement of paragraph (1) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.

Although CalOPPA does not define "online service," the Attorney General has stated that a mobile application is one type of online service.

The guidance for how to comply with the new Do Not Track requirements is contained in Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy. Some of the recommendations provide consumers greater privacy protections than those required by California law. The guidance includes the following recommendations:

1. Make it easy for a consumer to find the section in which you describe your policy regarding online tracking by labeling it, for example, "How We Respond to Do Not Track Signals," "Online Tracking" or "California Do Not Track Disclosures."

2. Describe how you respond to a browser's Do Not Track signal or to other such mechanisms. Describing your response in your privacy policy statement is preferable to simply providing a link to a "choice program" because it provides greater transparency to consumers.

Questions to consider in describing your response:

• Do you treat consumers whose browsers send a DNT signal differently from those without one?

• Do you collect personally identifiable information about a consumer's browsing activities over time and across third-party web sites or online services if you receive a DNT signal?

• If you do continue to collect personally identifiable information about consumers with a DNT signal as they move across other sites or services, how do you use the information you obtain?

3. If you decide not to describe your response to a DNT signal or to another mechanism, provide a clear and conspicuous link in your privacy policy statement to a program that offers consumers a choice about online tracking. Provide a general description of what the program does.

Questions to consider in providing a link to a program:

• Do you comply with the program?
• Does the page to which you link contain a clear statement about the program's effects on the consumer, i.e., whether participation results in stopping the collection of a consumer's personally identifiable information across web sites or online services over time?

• Does the page to which you link make it clear what a consumer must do to exercise the choice offered by the program?

4. State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service.

In developing your statement on other parties, consider the following issues:

• Are only approved third parties on your site or service collecting personally identifiable information from consumers who use or visit it?

• How would you verify that authorized third parties are not bringing unauthorized parties to your site or service to collect personally identifiable information?

• Can you ensure that authorized third-party trackers comply with your Do Not Track policy? If not, disclose how they might diverge from your policy.

5. Confirm your tracking practices with those responsible for your site's or service's operations to ensure that your practices correspond to what you say in your policy.

The Attorney General's office stated that it will review companies' privacy policies and will work with them to make sure they follow the new law. Pursuant to CalOPPA, an operator has 30 days in which to post or correct a privacy policy after being notified by the Attorney General's office. Failure to comply with the new requirements could result in fines of $2,500 per violation.

This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.