Attorney General's Office Issues "Do Not Track" Disclosure Guidelines
The California Attorney General's Office recently issued a set of guidelines, titled "Making Your Privacy Practices Public" ("Guidelines"), designed to help companies develop "meaningful" privacy policies that provide transparency, accountability, and choice for online users. The Guidelines build on prior publications by the California Attorney General and consolidate and update existing recommendations. The Guidelines also specifically add new recommendations concerning adoption of so-called "Do Not Track" or "DNT" mechanisms.
When California enacted the California Online Privacy Protection Act ("CalOPPA") in 2004, it was the first state in the United States to require providers of websites and online services used by California residents to conspicuously post privacy policies. Such providers are required to detail the personally identifiable information ("PII") they collect, the categories of third parties with whom they share such PII, and the process the consumer can use to review and make changes to stored PII, as well as to ensure that their privacy policies include effective dates and descriptions of subsequent changes. Importantly, although the introduction to the Guidelines acknowledges that they advocate greater privacy protection than existing law (e.g., CalOPPA) requires, the recommendations may eventually become enforceable obligations, because any published privacy policy is enforceable against the company, for example on consumer protection grounds.
Accordingly, it is important for companies to consider the recommendations, as well as existing law, when developing or revising privacy policies applicable to websites and online services used by California residents. The Guidelines, like CalOPPA, apply to all operators of commercial websites and online services that collect PII about Californians, regardless of where those operators are located (i.e., even if outside the United States).
Familiar Advice
Through the Guidelines, the California Attorney General continues to advocate for transparency, accountability, and choice for the benefit of consumers, in order to enhance trust in the provider and increase customer satisfaction. Not surprisingly, the Guidelines focus on familiar concepts such as data minimization, just-in-time notice, and layered notices. In this regard, the Guidelines highlight recommendations that have been part of existing guidance from the California Attorney General, the FTC, and other regulators, including:
- Readability: using plain, straightforward language and avoiding technical or legal jargon.
- Data Sharing and Use: explaining uses of PII beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the online service, and providing a link whenever possible to the applicable privacy policies of third parties with whom PII is shared.
- Individual Choice and Access: describing the choices a consumer has regarding the collection, use, and sharing of PII.
- Accountability: including the provider's contact details in the privacy policy.
These aspects of the Guidelines provide a useful summary of relevant considerations for companies drafting or amending a privacy policy, and they are worthy of review.
New Do Not Track Guidance
The Guidelines provide advice on DNT mechanisms, which have been a topic of significant interest in the United States and abroad. Recently, the FTC, the White House, and the California Legislature, among others, have expressed heightened interest in addressing consumer tracking and profiling practices and the related privacy concerns surrounding DNT. The recommended DNT mechanisms automatically communicate a consumer's choice about the collection of PII over time and across third-party websites or online services. However, as noted by the Guidelines, there are presently no legal requirements prohibiting online tracking or requiring any particular response to a DNT browser signal or any other mechanism that automatically communicates a consumer's choice not to be tracked. In 2013, however, California became the first state to require a company to disclose how it responds to such signals, as well as the potential for third-party tracking on its website.[1]
The recommendations on DNT mechanisms focus on readability and advocate the use of understandable language, descriptive headers, and appropriate placement. The Guidelines also provide the following DNT-specific recommendations on how a company should describe its response to DNT signals (as required by California law and advocated by other regulators):
- Accurately describe whether customers whose browsers send a DNT signal are treated differently from those without a signal; and
- Understand the collection of PII about a consumer's browsing activities over time and across third-party websites or services after receiving a DNT signal, and describe the uses of that information, if applicable.
With respect to disclosing the presence of third parties conducting online tracking on the operator's website or service, the Guidelines recommend that the company should:
- Allow only approved third parties on its website or service to collect PII from consumers who use or visit it;
- Determine how it would verify that authorized third parties are not bringing unauthorized parties to the website or service to collect PII; and
- Employ appropriate mechanisms to ensure that authorized third-party trackers comply with its DNT policy and, if not, disclose how they might diverge from the company's policy.
Continuing Challenges
As noted by the Guidelines, although transparency, accountability, and choice are widely accepted principles in theory, their implementation remains subject to considerable debate. Indeed, the responses of companies to DNT have varied, and many companies have yet to respond to California's new DNT disclosure requirements. Some companies maintain that they do not respond to DNT signals because they do not track their customers over time or across third-party websites to provide targeted advertising. Other companies provide more detail about their tracking activities and those of third parties on their websites.
Failure to disclose or underdisclosure in violation of California's requirements on DNT raises various risks. The California Attorney General's Office is expected to continue to review companies' privacy policies and issue 30-day warnings to noncompliant companies.[2] Companies can also face fines of up to $2,500 per violation of California law, with each download of a noncompliant mobile app constituting a single violation.
Conversely, companies that do not honor DNT signals and make this disclosure in an unqualified manner could face consumer backlash.
When drafting DNT disclosures, as with privacy policies more generally, companies must proceed in a manner that strikes the right balance between these two competing outcomes. The Guidelines focus on transparency, accountability, and choice, and they provide some guidance on high-level issues that companies should consider. By including recommendations that go beyond what is strictly required under California law, particularly with regard to disclosure of tracking across third-party websites or online services, the Guidelines leave room for each company to place itself appropriately on the privacy spectrum.
For the latest privacy and cybersecurity legal developments, see the May 2014 Jones Day Privacy and Cybersecurity Update.
Lawyer Contacts
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com
Katherine S. Ritchey
San Francisco
+1.415.875.5728
ksritchey@jonesday.com
Gregory P. Silberman
Silicon Valley
+1.650.739.3954
gpsilberman@jonesday.com
Jay Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com
Michael G. Morgan
Los Angeles
+1.213.243.2432
mgmorgan@jonesday.com
Ka-On Li, an associate in the Silicon Valley Office, assisted in the preparation of this Alert.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
[1] See AB-370 Consumers: internet privacy; "California Legislature Active on Privacy and Data Protection," Jones Day Alert, September 2013.
[2] This is consistent with the recent statement by Jeff Rabkin, Special Assistant Attorney General for Law and Technology, that the Attorney General's Office will review companies' privacy policies, work with companies to ensure they follow the new aspects of California law on DNT, issue 30-day warnings to companies that do not comply, and ultimately consider litigation. See Vindu Goel, "California Urges Websites to Disclose Online Tracking," May 21, 2014, The New York Times.