California AG Finally Releases Do-Not-Track Recommendations
The DNT provisions created confusion for the industry because CalOPPA does not define DNT and there is no industry recognized definition of DNT or a DNT signal. In fact, the World Wide Web Consortium (W3C) spent two years trying to develop standards and meaning to DNT signals, but could not reach an agreement. To add further confusion, by the end of 2013, all of the major browser companies have implemented their own DNT signals which can be implemented by consumers.
Seeking clarification and guidance, the business community reached out to the California Attorney General. To its credit, over the past several months, the AG’s office consulted with numerous stakeholders from the business sector, academia and privacy advocates and developed four key DNT recommendations:
Make it easy for a consumer to find the section of your policy that relates to online tracking.
Use a header, for example “How We Respond to Do Not Track Signals,” “Online Tracking,” or “California Do Not Track Disclosures.”
Describe how you respond to a browser’s DNT signal or to another such mechanism.
Provide the link in addition to identifying the program with a brief, general description of what it does.
Disclose the presence of other parties that collect personally identifiable information on your site or service, if any are present.
State whether other parties are or may be conducting online tracking of consumers or visitors while they are on your site or service. Confirm your tracking practices with those responsible for your site or service’s operations to ensure that your practices correspond to what you say in your policy.
These recommendations provide helpful guidance when drafting privacy policies; however, they are just that – guidance. The AG expressly acknowledges that the recommendations “are not regulations, mandates, or legal opinions. Rather, they are part of an effort to encourage the development of privacy best practices.”
Center for Democracy & Technology Consumer Privacy Director Justin Brookman, who has also worked extensively with the W3C, noted it’s unclear even whether a company must describe how it handles a DNT signal or simply provide a link to a choice program. He said, “It seems the attorney general doesn’t find current practices to be good enough,” and that the AG is “trying to encourage folks to be more explicit in the body of the policy but aren’t yet prepared to say that just a link is legally insufficient.”