As we have previously discussed, CalOPPA requires website operators to disclose (1) how they respond to Do Not Track (DNT) signals from browsers and other mechanism that express the DNT preference, and (2) whether third parties use or may use the site to track (i.e., collect personally identifiable information about) individual California residents “over time and across third party websites.” Since the disclosure requirements became law, however, there has been considerable confusion among companies on how exactly to comply, and some maintain that despite W3C efforts, there continues to be no industry-wide accepted definition of what it means to “respond” to DNT signals. As a result, the AGO engaged in an outreach process, bringing stakeholders together to provide comments on draft recommendations over a period of several months, finally culminating in the AGO publishing the final Guide earlier this week.
The Guide is just that – a guide – rather than a set of binding requirements. However, the recommendations in the Guide do seem to present a road map for how companies might steer clear of an AGO enforcement action in this area. As a result, privacy professionals may want to consider matching up the following key recommendations from the Guide with existing privacy policies, to confirm that they align or to consider whether it is necessary and appropriate to make adjustments:
- Scope of the Policy: Explain the scope of the policy, such as whether it covers online or offline content, as well as other entities such as subsidiaries.
- Availability: Make the policy “conspicuous” which means:
- for websites, put a link on every page that collects personally identifiable information (PII).
- for mobile apps that collect PII, put link at point of download, and from within the app – for example: put a link accessible from the “about” or “information” or “settings” page.
- Do Not Track:
- Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures”.
- Do you treat users whose browsers express the DNT signal differently from those without one?
- Do you collect PII about browsing activities over time and third party sites if you receive the DNT signal? If so, describe uses of the PII.
- If you choose to link to an online program rather than describe your own response, provide the link with a general description of what the program does.
- Third Party Tracking:
- Disclose whether third parties are or may be collecting PII.
- When drafting the disclosure [...]